Ethical Hacking News

FamousSparrow: A Chinese APT's Sustained Campaign Against Azerbaijani Energy Infrastructure



FamousSparrow, a Chinese APT group, has conducted a sustained campaign against an Azerbaijani oil and gas company, reusing the same entry point in three intrusions from Dec 2025 to Feb 2026. This operation highlights the importance of cybersecurity in regions critical to European energy security and underscores the need for organizations to prioritize patching internet-facing services immediately.

  • The FamousSparrow group, linked to China, conducted a cyber espionage campaign against an Azerbaijani oil and gas company from December 2025 to February 2026.
  • The attackers returned to the same compromised entry point three times, adapting their tooling in each wave while preserving the initial access vector.
  • The operation exploited publicly disclosed vulnerabilities in Microsoft Exchange Server and used a Deed RAT payload with modified configurations.
  • The campaign demonstrated persistence and operational discipline, as the attackers returned to the same server despite remediation attempts.
  • The targeting of Azerbaijani energy infrastructure marks an expansion of FamousSparrow's known geography into a region critical to European energy security.



    The recent cyber espionage campaign by FamousSparrow, a group linked to China, illustrates how state-sponsored operators are turning their attention to energy infrastructure in regions critical to European security. The operation began in late December 2025 and continued through late February 2026, targeting an Azerbaijani oil and gas company with a degree of persistence and operational discipline that is worth examining in detail.

    The attackers returned to the same compromised entry point three separate times between December 2025 and February 2026. That pattern is significant: it shows a group adapting its tooling from wave to wave while preserving one initial access vector throughout.

    The first wave exploited an unpatched Microsoft Exchange Server with the ProxyNotShell exploit chain (CVE-2022-41040 and CVE-2022-41082), a pair of vulnerabilities publicly disclosed and patched in 2022. The attackers then dropped web shells named key.aspx, log.aspx, and errorFE_.aspx into publicly accessible directories on the server, establishing a foothold they would return to repeatedly. That a 2022 exploit chain still worked in December 2025 is the core finding: the entry point existed only because a known, patched vulnerability had been left unpatched on an internet-facing server.
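    A first place to look for this kind of activity is the Exchange server's own IIS logs: a ProxyNotShell request has a recognisable shape (the Autodiscover front end is used to reach the PowerShell back end), and a dropped web shell shows up as requests to a file name that does not belong in the web directories. The script below is an added example, not code from the article or from the report it summarises. The log lines are constructed for illustration, the web shell names are the three the article reports, and the ProxyNotShell pattern is the same `autodiscover.json` / `@` / `powershell` combination that Microsoft's URL Rewrite mitigation keyed on; the parser reads the `#Fields:` header rather than assuming column positions, because IIS field order varies between servers.

```python
"""Hunt Exchange IIS W3C logs for ProxyNotShell requests and web shell hits.

Added example, not code from the article or the report it summarises.
The log lines are constructed for illustration; the field order follows
the default IIS W3C '#Fields:' header, so the parser reads that header
rather than assuming column positions.
"""
import re
from urllib.parse import unquote

# Web shell file names reported in the article (compared case-insensitively,
# since IIS paths are case-insensitive).
WEBSHELL_NAMES = {"key.aspx", "log.aspx", "errorfe_.aspx"}

# ProxyNotShell (CVE-2022-41040 / CVE-2022-41082) reaches the PowerShell
# back end through the Autodiscover front end, so the exploit request
# carries 'autodiscover.json', an '@', and 'powershell' in one URL.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed sample: one ProxyNotShell attempt, one hit on a dropped shell,
# and one ordinary OWA logon request that must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2025-12-22 03:14:07 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.example/powershell?&Email=autodiscover/autodiscover.json%3f@attacker.example 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 412
2025-12-22 03:14:09 10.0.0.5 POST /owa/auth/key.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 30
2025-12-22 03:15:00 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example%2fowa%2f 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 15
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is not None and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def hunt(lines):
    """Return (kind, client_ip, uri_stem) for each suspicious request."""
    findings = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        # Decode once so %3f / %40 encoded variants cannot dodge the pattern.
        full_url = unquote(stem) + "?" + unquote(query)
        file_name = stem.rsplit("/", 1)[-1].lower()
        if PROXYNOTSHELL_RE.search(full_url):
            findings.append(("proxynotshell", rec["c-ip"], stem))
        elif file_name in WEBSHELL_NAMES:
            findings.append(("webshell", rec["c-ip"], stem))
    return findings


if __name__ == "__main__":
    for kind, ip, stem in hunt(SAMPLE_LOG):
        print(f"{kind:14} {ip:16} {stem}")
```

    Matching the three reported names is only the starting point; the stronger hunt is to diff every .aspx file under the Exchange virtual directories against a known-good install and review any file, whatever its name, that the baseline does not account for.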

    Despite remediation attempts by the victim organization, the attackers came back, each time through the same Exchange server and each time with a different payload. The first wave deployed Deed RAT, a successor to ShadowPad shared across several Chinese espionage groups, through a DLL sideloading chain that abuses a legitimate LogMeIn Hamachi binary to load the malicious library. The chain departs from the more conventional sideloading implementations and shows the group adapting its tooling while keeping the same initial access vector.

    At the end of February 2026 the attackers made a third attempt with the same LogMeIn Hamachi sideloading chain, this time carrying a modified Deed RAT configuration: the mutex name changed, the service was renamed HamachiNet, the injection targets were extended to include wininit.exe and dwm.exe, and the C2 address became sentinelonepro[.]com:443, a domain chosen to pass as a well-known endpoint security vendor. Each of those changes defeats a detection written against the previous wave's literal artifacts, so indicators from one wave are better generalized (a service name that imitates a legitimate product, a remote thread created in a system process, a vendor-lookalike domain) than matched as fixed strings.
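    The third-wave configuration changes are also the third wave's host indicators. The sweep below is an added example, not code from the article or the underlying report. It checks endpoint telemetry for the three indicators the article actually states (the HamachiNet service name, remote threads created in wininit.exe or dwm.exe, and DNS or network activity toward sentinelonepro[.]com) and does nothing with the sideloaded DLL, whose name the article does not give. The events are constructed in a simplified, Sysmon-like one-JSON-object-per-line shape, and the field names (`event`, `service_name`, `target_image`, `query`, `dest_host`) are assumptions to be mapped onto your own SIEM schema. The domain check is deliberately exact-or-subdomain rather than substring: a lookalike of a security vendor is chosen precisely so that a sloppy allowlist of "anything containing sentinelone" lets it through, and a sloppy blocklist would flag the real vendor.

```python
"""Sweep endpoint telemetry for the third-wave Deed RAT indicators.

Added example, not code from the article or the underlying report. Events
are constructed in a simplified Sysmon-like JSON shape (one object per
line); the field names are assumptions to be mapped onto your own schema.
"""
import json

C2_DOMAIN = "sentinelonepro.com"                  # sentinelonepro[.]com in the article
ROGUE_SERVICE = "hamachinet"                      # renamed service in the third wave
INJECTION_TARGETS = {"wininit.exe", "dwm.exe"}    # injection targets added in the third wave

# Constructed sample events. Paths and the benign service/domain names are
# placeholders, not indicators: the article names neither the sideloaded DLL
# nor the host binary, so nothing here keys on them.
_RAW_EVENTS = [
    {"host": "ws-17", "event": "service_install", "service_name": "HamachiNet",
     "image_path": r"C:\ProgramData\Hamachi\hamachi-2.exe"},
    {"host": "ws-17", "event": "create_remote_thread",
     "source_image": r"C:\ProgramData\Hamachi\hamachi-2.exe",
     "target_image": r"C:\Windows\System32\wininit.exe"},
    {"host": "ws-17", "event": "dns_query",
     "image": r"C:\Windows\System32\wininit.exe", "query": "sentinelonepro.com"},
    {"host": "ws-17", "event": "network_connect",
     "image": r"C:\Windows\System32\wininit.exe",
     "dest_host": "sentinelonepro.com", "dest_port": 443},
    # Benign-looking noise that must not fire: a vendor domain that merely
    # shares a prefix, and a service install that is not the rogue name.
    {"host": "ws-02", "event": "dns_query",
     "image": r"C:\Program Files\Vendor\agent.exe", "query": "sentinelone.example"},
    {"host": "ws-02", "event": "service_install", "service_name": "HamachiTunnel",
     "image_path": r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe"},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _RAW_EVENTS]


def _basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_c2_domain(name):
    """True for the C2 domain or any subdomain of it; never a bare substring match."""
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def match_event(ev):
    """Return (kind, host, actor, detail) if the event matches an indicator, else None."""
    kind = ev.get("event")
    host = ev.get("host", "?")
    if kind == "service_install":
        if ev.get("service_name", "").lower() == ROGUE_SERVICE:
            return ("rogue_service", host, ev.get("service_name"), ev.get("image_path"))
    elif kind == "create_remote_thread":
        target = _basename(ev.get("target_image", ""))
        # wininit.exe is a high-confidence target; dwm.exe warrants a look at
        # the source image, which is why it is returned alongside the target.
        if target in INJECTION_TARGETS:
            return ("injection", host, _basename(ev.get("source_image", "")), target)
    elif kind == "dns_query":
        if _is_c2_domain(ev.get("query", "")):
            return ("c2_dns", host, _basename(ev.get("image", "")), ev["query"])
    elif kind == "network_connect":
        if _is_c2_domain(ev.get("dest_host", "")):
            return ("c2_connect", host, _basename(ev.get("image", "")),
                    f"{ev['dest_host']}:{ev.get('dest_port')}")
    return None


def sweep(lines):
    """Parse one JSON event per line and collect every indicator match."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole sweep
        m = match_event(ev)
        if m:
            hits.append(m)
    return hits


def indicator_classes_by_host(hits):
    """Map host -> set of indicator kinds seen, for prioritising triage."""
    by_host = {}
    for kind, host, _actor, _detail in hits:
        by_host.setdefault(host, set()).add(kind)
    return by_host


if __name__ == "__main__":
    for host, kinds in indicator_classes_by_host(sweep(SAMPLE_EVENTS)).items():
        print(host, sorted(kinds))
```

    A host that trips more than one indicator class (service install plus injection plus C2 traffic from the injected process, as in the constructed ws-17 events) is a far stronger signal than any single match, which is why the sweep groups hits by host rather than alerting per event.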

    That the attackers kept coming back through the same Exchange server, despite remediation attempts, says two things: the entry point was never fully closed, and the group was disciplined enough to retool between waves rather than abandon a working foothold. The practical lesson follows directly. A remediation that removes the artifacts found in one wave but leaves the server unpatched, or does not confirm that no further web shells, services, or injected processes remain, leaves the entry point available for the next one. Organizations in sectors considered strategically valuable need to patch internet-facing services immediately and to verify, not assume, that a compromised server has actually been cleaned.

    Moreover, this operation marks a significant expansion of FamousSparrow's known targeting geography into a region that has become increasingly critical to European energy security. Azerbaijan has rapidly solidified its position as a strategic energy supplier for Europe, delivering gas to thirteen countries, including Germany and Austria. The targeting of Azerbaijani energy infrastructure by a China-aligned actor fits a pattern of espionage operations that track geopolitical shifts and follow the energy supply chains that matter to adversaries.

    Taken together, the three waves against one Azerbaijani oil and gas company show a state-sponsored group whose persistence and operational discipline outlasted the victim's response, and whose choice of target follows Europe's shifting energy dependencies. The defensive takeaway is unglamorous but concrete: a three-year-old Exchange exploit chain should not still be an open door in December 2025.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/FamousSparrow-A-Chinese-APTs-Sustained-Campaign-Against-Azerbaijani-Energy-Infrastructure-ehn.shtml

  • https://securityaffairs.com/192113/apt/famoussparrow-targets-azerbaijani-energy-sector-in-multi-wave-espionage-campaign.html


  • Published: Thu May 14 04:59:56 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.