Overview
- Bitdefender reports a sustained espionage operation against an unnamed Azerbaijani oil and gas company that unfolded from December 2025 through late February 2026.
- Investigators say the attackers repeatedly re-entered through the same on-premises Microsoft Exchange Server using ProxyNotShell, the 2022 exploit chain (CVE-2022-41040, a server-side request forgery, chained with CVE-2022-41082, remote code execution through Exchange's PowerShell endpoint) that gives an attacker code execution on unpatched servers; Microsoft shipped fixes in November 2022, so the server was still missing a patch that had been available for roughly three years.
- The first wave deployed Deed RAT by DLL sideloading: a malicious DLL was placed beside the legitimate, signed LogMeIn Hamachi executable so that the trusted process loaded and ran the hidden payload, a technique that sandboxes and signature checks on the executable alone do not easily catch.
- In the second wave, the group tried to install the TernDoor backdoor via a Mofu loader chain, yet security controls blocked full installation even as artifacts showed an attempted driver load.
- Bitdefender attributes the activity with moderate-to-high confidence to FamousSparrow. Lateral movement relied on RDP and Impacket tooling, and the report warns that Azerbaijan's growing role in Europe's energy supply makes firms in its oil and gas sector prime targets.
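The sideloading pattern described above (a signed vendor executable loading a DLL that sits next to it) is detectable from image-load telemetry. The following detection sketch is an added example for this page, not code from Bitdefender or from the report. It assumes Sysmon Event ID 7 (Image loaded) records flattened to pipe-separated key=value pairs (a constructed format, not Sysmon's XML), that the executable's own mapping appears as a record whose ImageLoaded equals Image, and that the Hamachi paths, the DLL name and the publisher strings in the samples are illustrative, not artifacts from the report.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (Image loaded) data.

Added example, not code from the Bitdefender report. Rule: a process whose
main executable is signed loads a DLL from the executable's own directory,
and that DLL is unsigned or signed by a different publisher. Running from a
user-writable directory instead of an install location raises the severity.
"""
from dataclasses import dataclass
import ntpath

# Directories where a legitimate signed exe normally lives. A copy that runs
# from anywhere else (user profile, Public, temp) is the stronger signal.
INSTALL_PREFIXES = (r"c:\windows", r"c:\program files")

# Constructed sample records (pipe-separated key=value, an assumed flattening
# of Sysmon EID 7). Paths, DLL names and publisher strings are assumptions.
SAMPLE_EVENTS = [
    # Process A: Hamachi where the installer put it, mapping its own exe, a
    # Microsoft DLL from System32 and a vendor-signed DLL from its own folder.
    "ProcessGuid=A|Image=C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2.exe|ImageLoaded=C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2.exe|Signed=true|Signature=LogMeIn, Inc.",
    "ProcessGuid=A|Image=C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|Signature=Microsoft Windows",
    "ProcessGuid=A|Image=C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2.exe|ImageLoaded=C:\\Program Files (x86)\\LogMeIn Hamachi\\vendor.dll|Signed=true|Signature=LogMeIn, Inc.",
    # Process B: the same signed exe copied to a world-writable folder, loading
    # an unsigned DLL placed next to it (assumed name). This is the sideload.
    "ProcessGuid=B|Image=C:\\Users\\Public\\Libraries\\hamachi-2.exe|ImageLoaded=C:\\Users\\Public\\Libraries\\hamachi-2.exe|Signed=true|Signature=LogMeIn, Inc.",
    "ProcessGuid=B|Image=C:\\Users\\Public\\Libraries\\hamachi-2.exe|ImageLoaded=C:\\Users\\Public\\Libraries\\version.dll|Signed=false|Signature=",
    # Process C: an unsigned in-house tool loading its own unsigned helper.
    # Not the trusted-binary pattern, so out of scope for this rule.
    "ProcessGuid=C|Image=C:\\Tools\\inventory.exe|ImageLoaded=C:\\Tools\\inventory.exe|Signed=false|Signature=",
    "ProcessGuid=C|Image=C:\\Tools\\inventory.exe|ImageLoaded=C:\\Tools\\helper.dll|Signed=false|Signature=",
]


@dataclass(frozen=True)
class ImageLoad:
    guid: str       # ProcessGuid: ties every module load to one process
    image: str      # Image: the hosting executable
    loaded: str     # ImageLoaded: the module that was mapped
    signed: bool    # Signed: the loaded module carries a valid signature
    signature: str  # Signature: publisher of the loaded module


@dataclass(frozen=True)
class Alert:
    guid: str
    image: str
    loaded: str
    host_signer: str
    user_writable: bool


def parse_event(line: str) -> ImageLoad:
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ImageLoad(
        guid=fields["ProcessGuid"],
        image=fields["Image"],
        loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def find_sideload_candidates(lines):
    events = [parse_event(line) for line in lines]

    # Pass 1: learn who signed each process's main executable from the record
    # in which the module being mapped is the executable itself.
    host = {}
    for e in events:
        if e.loaded.lower() == e.image.lower():
            host[e.guid] = e

    # Pass 2: a signed host loading a co-located DLL that is unsigned, or signed
    # by someone other than the host's publisher, is the sideload shape.
    alerts = []
    for e in events:
        if e.loaded.lower() == e.image.lower() or not e.loaded.lower().endswith(".dll"):
            continue
        exe_dir = ntpath.dirname(e.image).lower()
        if ntpath.dirname(e.loaded).lower() != exe_dir:
            continue  # System32 or elsewhere: not the co-located pattern
        h = host.get(e.guid)
        if h is None or not h.signed:
            continue  # unknown or unsigned host: a different, noisier rule
        if e.signed and e.signature == h.signature:
            continue  # the vendor's own DLL next to the vendor's own exe
        alerts.append(Alert(
            guid=e.guid, image=e.image, loaded=e.loaded,
            host_signer=h.signature,
            user_writable=not exe_dir.startswith(INSTALL_PREFIXES),
        ))
    return alerts


if __name__ == "__main__":
    for a in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{a.image} (signed by {a.host_signer}) loaded {a.loaded}; "
              f"user-writable directory: {a.user_writable}")
```

On the sample data only process B fires: the signed Hamachi binary running from a Public folder mapped an unsigned DLL from that same folder. Process A is the installed product loading its own vendor-signed module, and process C is unsigned end to end, which is a separate hunt. In production the same logic applies to EDR module-load events; the useful tuning knobs are an allowlist of vendor directories and a requirement that the host's publisher differs from the DLL's, which is exactly the mismatch that a signed loader abusing an unsigned payload produces.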