
China-linked hackers exploit Microsoft Exchange in Azerbaijani energy firm attacks.


"This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim environment," Bitdefender warned.

Who attacked and who was targeted

Bitdefender attributed the multi-wave intrusion with moderate-to-high confidence to a group it calls FamousSparrow (aka UAT-9244). The vendor noted tactical overlap between FamousSparrow and clusters tracked as Earth Estries and Salt Typhoon. The victim was an unnamed Azerbaijani oil and gas company that was probed and compromised across three discrete waves between late December 2025 and late February 2026.

How the attackers got in: ProxyNotShell against Microsoft Exchange

Across all three waves the operators exploited the same Microsoft Exchange Server entry point, using the ProxyNotShell chain to obtain initial access. Bitdefender emphasized that the adversary repeatedly revisited that access path despite "several remediation attempts," underlining that the attackers were able to return until the vulnerability, credentials, and attacker persistence were fully addressed.

Payloads and evolution: Deed RAT, TernDoor, and switching tactics

The campaign saw alternating deployments of two distinct backdoors. On December 25, 2025, the attackers deployed Deed RAT (aka Snappybee), which Bitdefender describes as a successor of ShadowPad and as a tool used by multiple China-nexus espionage groups. Nearly a month later the adversary attempted to deploy TernDoor in late January/early February 2026; that backdoor had been "recently discovered in attacks targeting telecommunications infrastructure in South America since 2024." In late February 2026 the attackers returned with a modified version of Deed RAT that used "sentinelonepro[.]com" for command-and-control (C2).

Techniques: DLL side-loading, LogMeIn Hamachi, and Mofu Loader

Bitdefender traced the intrusion from its initial footholds (web shells planted for persistence on the Exchange hosts) to progressively more sophisticated loaders and backdoors. The Deed RAT deployment used an evolved DLL side-loading technique that abused the legitimate LogMeIn Hamachi binary to load and launch a rogue DLL responsible for executing the main payload. According to Bitdefender, the malicious library overrides two specific exported functions, creating a two-stage trigger that "gates the Deed RAT loader's execution through the host application's natural control flow," a measured evolution of traditional side-loading defense evasion.

In the second wave the adversary attempted, but apparently failed, to use DLL side-loading to drop TernDoor through Mofu Loader, a shellcode loader that Bitdefender says was previously attributed to GroundPeony. Throughout the campaign the attackers also performed lateral movement to broaden access and to establish redundant footholds so they could survive detection and removal attempts.
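The side-loading pattern described above (a signed, legitimate host binary such as the LogMeIn Hamachi executable loading a rogue DLL from its own directory) can be hunted for on a live host by comparing the Authenticode signer of each loaded module against the signer of the process that loaded it. The script below is an added example written for this page; it is not Bitdefender's tooling and contains no indicators from the report. It assumes it is run elevated on a Windows host and that the `$SuspectHosts` filter (a hypothetical parameter) is either empty or holds process names the responder wants to scope to.

```powershell
# Added example (not from the Bitdefender report): flag DLLs that a process loaded from
# its own application directory whose Authenticode signature is invalid or whose signer
# differs from the host executable's signer. Side-loading relies on exactly that
# resolution path, so a mismatch is a strong triage lead rather than a file-hash match.
# Assumptions: run elevated on Windows; $SuspectHosts is an optional process-name filter.
param([string[]]$SuspectHosts = @())

$systemRoot = $env:SystemRoot.ToLowerInvariant()
$findings = @()

foreach ($proc in Get-Process) {
    if ($SuspectHosts.Count -gt 0 -and $SuspectHosts -notcontains $proc.ProcessName) { continue }

    $exePath = $proc.Path
    if (-not $exePath) { continue }            # protected/system processes expose no path

    # Module enumeration fails for some processes (access denied, bitness mismatch);
    # skip those rather than abort the whole sweep.
    try { $modules = $proc.Modules } catch { continue }

    $exeDir     = (Split-Path -Parent $exePath).ToLowerInvariant()
    $exeSig     = Get-AuthenticodeSignature -FilePath $exePath
    $hostSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' }

    foreach ($m in $modules) {
        $modPath = $m.FileName
        if (-not $modPath) { continue }
        $modDir = (Split-Path -Parent $modPath).ToLowerInvariant()

        # Only modules resolved from the application's own directory matter here;
        # anything under %SystemRoot% is outside the side-loading pattern.
        if ($modDir -ne $exeDir -or $modDir.StartsWith($systemRoot)) { continue }
        if ($modPath -ieq $exePath) { continue } # the main image itself

        $modSig    = Get-AuthenticodeSignature -FilePath $modPath
        $modSigner = if ($modSig.SignerCertificate) { $modSig.SignerCertificate.Subject } else { '<unsigned>' }

        if ($modSig.Status -ne 'Valid' -or $modSigner -ne $hostSigner) {
            $findings += [pscustomobject]@{
                Process      = $proc.ProcessName
                PID          = $proc.Id
                HostImage    = $exePath
                HostSigner   = $hostSigner
                Module       = $modPath
                ModuleStatus = $modSig.Status
                ModuleSigner = $modSigner
                ModuleSHA256 = (Get-FileHash -Algorithm SHA256 -Path $modPath).Hash
            }
        }
    }
}

# Emit findings for triage; an empty list means no same-directory signer mismatches were seen.
$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

A hit from this sweep is a lead, not a verdict: many legitimate applications ship unsigned helper DLLs beside their executable. The next step for a flagged module is the one the report's detail points at, comparing its export table with the vendor's genuine DLL, since a side-loading library typically implements only the handful of exports the host actually calls and forwards or omits the rest. Because the script inspects running processes only, it should be paired with a scan of on-disk copies (and of scheduled tasks or services that would relaunch the host binary) when checking that remediation has actually closed the foothold.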

What this means for Azerbaijan's energy sector, technologists, and policymakers

  • Azerbaijani energy firms: Bitdefender framed the incident as an extension of FamousSparrow victimology into a region whose energy role has grown — citing Azerbaijan's increased significance for European energy security after the 2024 expiration of Russia's Ukraine gas transit agreement and the 2026 Strait of Hormuz disruptions. The repeated re-entry attempts show how persistent access can threaten operational continuity in strategically important energy infrastructure.
  • Security teams and technologists: The case highlights how a single unremediated Exchange entry point can be repeatedly exploited, and how attackers can alternate and refine loaders and payloads (Deed RAT, TernDoor, Mofu Loader) to maintain presence. The use of a legitimate binary (LogMeIn Hamachi) with exported-function overrides stresses that defenders must look beyond simple file replacement indicators when investigating side-loading.
  • Policymakers and incident responders: The campaign demonstrates sustained operational discipline by the adversary: revisiting the same access vector, introducing new payloads across waves, and creating redundant footholds. Such behavior underscores the need for coordinated remediation — patching, credential rotation, and verification that the attacker's return paths are closed.

Bitdefender concluded that the operation "should not be viewed as an isolated compromise" but rather as a persistent, adaptive campaign that repeatedly sought to regain and extend access. The factual record in this case is precise about dates, tools, and techniques: ProxyNotShell against Exchange; Deed RAT/Snappybee and TernDoor as the primary backdoors; LogMeIn Hamachi DLL side-loading with a two-stage exported-function override; Mofu Loader as the attempted delivery mechanism for TernDoor; and the reuse of a single entry point across three waves from December 25, 2025 to late February 2026.

The central, practical takeaway is simple and stark: until the vulnerable Exchange path was fully remediated and the attackers' footholds removed, they kept returning — swapping and refining payloads to stay in and spread through the network. Bitdefender's reporting leaves one concrete operational question for defenders: when remediation is declared complete, what specific validation steps will demonstrate that an adaptive adversary can no longer return?

Original report — The Hacker News