Sustained China-nexus Intrusion Campaign Targets Azerbaijani Energy Sector via ProxyNotShell Exploitation
Summary
A China-nexus threat actor attributed to FamousSparrow (UAT-9244) conducted a multi-wave intrusion against an Azerbaijani oil and gas company between December 2025 and February 2026, using the ProxyNotShell exploit chain for initial access despite remediation efforts. The campaign comprised three distinct waves deploying Deed RAT (a ShadowPad successor) and TernDoor (recently observed in South American telecom attacks), with repeated re-exploitation of the same Microsoft Exchange Server entry point. The attackers refined their evasion techniques, including DLL side-loading via LogMeIn Hamachi with a two-stage trigger design, to deploy payloads and maintain persistence. Lateral movement was conducted and redundant footholds were established to ensure operational resilience.
Timeline
- 13.05.2026 16:00 (1 article)
FamousSparrow Multi-Wave Intrusion Targets Azerbaijani Energy Sector via ProxyNotShell
December 25, 2025: Initial compromise via ProxyNotShell with deployment of Deed RAT using DLL side-loading via LogMeIn Hamachi. Late January/early February 2026: Second wave attempts to deploy TernDoor via Mofu Loader; lateral movement observed. Late February 2026: Third wave deploys modified Deed RAT with C2 at sentinelonepro[.]com, reinforcing persistence and refining evasion techniques.
Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00
Information Snippets
- Initial access was obtained via the ProxyNotShell vulnerability chain in Microsoft Exchange Server.
  First reported: 13.05.2026 16:00 (1 source, 1 article)
  Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00
- Three intrusion waves occurred: Deed RAT on December 25, 2025; TernDoor in late January/early February 2026; and a modified Deed RAT in late February 2026.
  First reported: 13.05.2026 16:00 (1 source, 1 article)
  Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00
- Deed RAT was deployed using an evolved DLL side-loading technique that overrides two exported functions within a malicious LogMeIn Hamachi DLL to trigger payload execution.
  First reported: 13.05.2026 16:00 (1 source, 1 article)
  Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00
- TernDoor was delivered via Mofu Loader, a shellcode loader attributed to GroundPeony, during the second wave.
  First reported: 13.05.2026 16:00 (1 source, 1 article)
  Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00
- The modified Deed RAT in the third wave used "sentinelonepro[.]com" for command-and-control.
  First reported: 13.05.2026 16:00 (1 source, 1 article)
  Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00
- Lateral movement was conducted to expand access within the compromised network, with additional footholds established for resilience.
  First reported: 13.05.2026 16:00 (1 source, 1 article)
  Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00
- FamousSparrow shares tactical overlap with the Earth Estries and Salt Typhoon clusters, both associated with China-nexus espionage operations.
  First reported: 13.05.2026 16:00 (1 source, 1 article)
  Sources:
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation — thehackernews.com — 13.05.2026 16:00