FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company
Campaign
Summary
A China-affiliated actor tracked as FamousSparrow (UAT-9244) ran a multi-wave intrusion against an unnamed Azerbaijani oil and gas company from late December 2025 to late February 2026, repeatedly regaining access and broadening its reach. The operation abused a vulnerable Microsoft Exchange Server entry point more than once through the ProxyNotShell chain, raising the risk of persistent compromise. Across the waves it deployed Deed RAT (Snappybee), TernDoor, and a modified Deed RAT variant, relying on web shells, DLL side-loading, and lateral movement to stay in the network. The activity expands the group’s known victimology into a region tied to European energy security.
Related Happenings
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Deed RAT and TernDoor multi-wave deployment
Malware Activity
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
How related:
The attack paves the way for the deployment of two distinct backdoors across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad that's used by multiple China-nexus espionage groups, and TernDoor.
About this happening:
A **multi-wave malware deployment** delivered **Deed RAT (Snappybee)** and **TernDoor** into an **Azerbaijani oil and gas company** across **three waves**, creating repeated footh...
FamousSparrow Azerbaijani oil-and-gas targeting campaign
Campaign
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijani oil-and-gas company** in the **South Caucasus**, highlighting a new...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
Timeline
13.05.2026 16:00 · 2 articles
FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company
Initial Disclosure: The first known wave began on **December 25, 2025**, when operators used the **ProxyNotShell** chain against **Microsoft Exchange Server** and deployed **Deed RAT (Snappybee)**. After gaining initial access, they tried to establish persistence with **web shells**.
Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00