Ethical Hacking News
Azerbaijani Energy Firm Vulnerable to Sophisticated Cyber Espionage: A Repeated Exploitation of Microsoft Exchange Server
An Azerbaijani oil and gas company was targeted by a cyber espionage campaign linked to China between late December 2025 and late February 2026. Bitdefender attributes the activity to the group known as FamousSparrow (aka UAT-9244), which carried out a "multi-wave intrusion" through vulnerabilities in Microsoft Exchange Server, swapping out its backdoors after each remediation attempt and following up with web shells and lateral movement inside the compromised network. The repeated return through the same entry point shows the operational discipline and adaptability of Chinese-nexus threat actors, and the campaign marks an evolution in their tactics, techniques, and procedures (TTPs). For the energy sector, it underscores the importance of robust cybersecurity measures around internet-facing infrastructure.
A recent report by Romanian cybersecurity company Bitdefender details the campaign, which ran between late December 2025 and late February 2026 and has been attributed to China-linked threat actors known as FamousSparrow (aka UAT-9244).
According to Bitdefender, the attack began with a "multi-wave intrusion" that exploited vulnerabilities in Microsoft Exchange Server. Despite repeated remediation attempts, the attackers continued to leverage the same entry point, swapping out backdoors each time: Deed RAT on December 25, 2025, TernDoor in late January/early February 2026, and a modified Deed RAT in late February 2026. The threat actors are believed to have used the ProxyNotShell chain to obtain initial access.
The repeated use of this one vulnerability is particularly noteworthy: it shows that such actors keep exploiting the same entry point until the underlying vulnerability is patched or their ability to return is otherwise disrupted. Removing an implanted backdoor did not close the entry point, and each remediation was followed by a new wave. This approach reflects a high degree of operational discipline and adaptability on the part of the attackers.
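As an added, defender-side illustration of the re-entry pattern described above (not code from the article or from Bitdefender's report), this Python script scans constructed IIS log lines for the ProxyNotShell request shape and groups the hits into waves separated by more than a week of silence, so that repeated returns through the same Exchange entry point stand out in a retrospective hunt. The log sample and the seven-day gap are assumptions; a match shows an attempt, not a confirmed compromise.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Case-insensitive ProxyNotShell request shape (Autodiscover path, '@', PowerShell
# back end); the URL pattern Microsoft published for its IIS URL Rewrite mitigation.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed IIS W3C-style sample (date time cs-method cs-uri-stem cs-uri-query c-ip
# sc-status), not from the page or Bitdefender's report; clusters mirror the three waves.
SAMPLE_LOG = """\
2025-12-25 03:14:07 POST /autodiscover/autodiscover.json @attacker.example/powershell&Email=autodiscover/autodiscover.json%3F@attacker.example 198.51.100.7 200
2025-12-25 03:14:09 POST /autodiscover/autodiscover.json @attacker.example/powershell&Email=autodiscover/autodiscover.json%3F@attacker.example 198.51.100.7 200
2025-12-26 11:02:41 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example%2fowa 203.0.113.5 200
2026-01-30 22:45:10 POST /autodiscover/autodiscover.json @attacker.example/powershell&Email=autodiscover/autodiscover.json%3F@attacker.example 198.51.100.7 200
2026-02-27 08:09:55 POST /Autodiscover/Autodiscover.json a@b/PowerShell&Email=autodiscover/autodiscover.json%3fa@b 192.0.2.44 200
"""

@dataclass
class Wave:
    start: datetime
    end: datetime
    hits: int
    sources: set

def matching_requests(log_text):
    """Yield (timestamp, client_ip) for lines whose stem+query match the pattern."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank, header or truncated line
        date, time, _method, stem, query, client_ip, _status = fields[:7]
        if PROXYNOTSHELL_RE.search(stem + "?" + query):
            yield datetime.fromisoformat(f"{date} {time}"), client_ip

def group_into_waves(events, gap=timedelta(days=7)):
    """Cluster hits into waves separated by more than `gap` of silence (assumed 7 days)."""
    waves = []
    for ts, ip in sorted(events):
        if waves and ts - waves[-1].end <= gap:
            waves[-1].end, waves[-1].hits = ts, waves[-1].hits + 1
            waves[-1].sources.add(ip)
        else:
            waves.append(Wave(ts, ts, 1, {ip}))
    return waves

if __name__ == "__main__":
    for w in group_into_waves(matching_requests(SAMPLE_LOG)):
        print(f"{w.start:%Y-%m-%d} .. {w.end:%Y-%m-%d}: {w.hits} hit(s) from {sorted(w.sources)}")
```

Several waves against one host weeks apart, after each clean-up, is the signal to escalate: the entry point, not just the implant, still needs closing.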
Furthermore, the tooling used by the FamousSparrow group shows an evolution in the tactics, techniques, and procedures (TTPs) of Chinese-nexus espionage groups. Deed RAT has been identified as a successor to ShadowPad, the earlier malware family it was previously associated with, while TernDoor is a new addition to the group's arsenal.
The deployment of these backdoors is believed to have been followed by attempts to deploy web shells and move laterally within the compromised network, an effort to broaden access and establish a redundant foothold that would survive if one implant was detected and removed.
The attack has significant implications for the energy sector, where critical infrastructure is an attractive espionage target. The targeting of an Azerbaijani oil and gas company highlights the importance of robust cybersecurity measures and the need for organizations to stay vigilant as the threat landscape evolves.
In conclusion, this sophisticated cyber espionage campaign serves as a reminder of the ongoing threat posed by Chinese-nexus groups and the importance of staying informed about emerging threats and vulnerabilities. As the global energy landscape continues to evolve, it is essential that organizations prioritize cybersecurity and invest in measures designed to protect against advanced persistent threats (APTs).
Related Information:
https://www.ethicalhackingnews.com/articles/Azerbaijani-Energy-Firm-Vulnerable-to-Sophisticated-Cyber-Espionage-A-Repeated-Exploitation-of-Microsoft-Exchange-Server-ehn.shtml
https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html
Published: Wed May 13 11:21:29 2026 by llama3.2 3B Q4_K_M