Critical Infrastructure Security

China-linked hackers target Azerbaijani oil firm in multi-wave attack

As reported by The Hacker News, a China-affiliated threat actor, identified as FamousSparrow, has conducted a sophisticated, multi-wave cyberattack against an unnamed Azerbaijani oil and gas company. The intrusions, spanning from late December 2025 to late February 2026, represent a significant expansion of the group's known targeting, according to Bitdefender.

The attackers exploited a vulnerable Microsoft Exchange Server, specifically the ProxyNotShell chain, to gain initial access. Despite remediation attempts, they repeatedly re-entered the network, deploying different backdoors in three distinct waves. Initially, Deed RAT, a successor to ShadowPad, was deployed on December 25, 2025. This was followed by TernDoor in late January/early February 2026, and a modified Deed RAT in late February 2026. The campaign utilized advanced techniques, including an evolved DLL side-loading method leveraging the legitimate LogMeIn Hamachi binary to evade defenses.

The targeting is significant given Azerbaijan's increased role in European energy security. The sustained nature of the operation, with repeated attempts to regain access and introduce new payloads, highlights the actor's persistence and adaptive capabilities.

Source: The Hacker News