Hackers returned to an oil company's network for two months through an unpatched server, and each time they were driven back out.

A China-linked hacker group returned several times to the network of an Azerbaijani oil and gas company through the same vulnerable Microsoft Exchange Server. The attack stretched over almost two months and showed how quickly a cyber-espionage operation adapts to defensive measures when the entry point remains reachable.
Bitdefender attributed the campaign to FamousSparrow, also tracked as UAT-9244. According to the company, the attackers' tactics partially overlap with the activity of Earth Estries and Salt Typhoon. The target was an unnamed energy company in Azerbaijan, and the attacks ran from late December 2025 until late February 2026.
According to Bitdefender, the attackers used the ProxyNotShell chain (CVE-2022-41040 and CVE-2022-41082, patched by Microsoft in November 2022) for initial access to the Microsoft Exchange Server. After gaining access, the operators tried to establish a foothold in the network with web shells and then deployed malicious tooling. The first wave, on December 25, 2025, used Deed RAT, also known as Snappybee. This backdoor is considered a successor to ShadowPad, which several China-linked cyber-espionage groups use.
To launch Deed RAT, the attackers used a refined DLL side-loading technique. Rather than simply dropping a renamed file, they used a legitimate LogMeIn Hamachi component, which loaded the malicious library. That library replaced two exported functions the application calls, so the main module started through the application's normal execution flow, with a signed, legitimate executable as the visible process. This approach helped evade defensive mechanisms.
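The side-loading pattern above is visible in image-load telemetry: a legitimate executable pulls a DLL from its own directory under a name that Windows would normally resolve from System32, and that DLL is unsigned or fails signature validation. The following is an added detection example, not code from Bitdefender's report or from the group's tooling. It assumes Sysmon Event ID 7 (ImageLoad) records flattened into a constructed `Key=Value|Key=Value` text format; the process paths, DLL names and directories in the sample events are constructed for illustration and are not the files used in the campaign.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) records.

Three signals are combined: the DLL carries a name Windows normally resolves
from System32, it was loaded from the executable's own directory instead,
and it is unsigned or its signature does not validate. Added example; the
record format and all file paths below are constructed, not real telemetry.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories where a Windows-named DLL is expected to be resolved from (lower-case).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Small illustrative subset of DLL names frequently abused for side-loading;
# a production list would be far longer.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
    "cryptbase.dll", "msimg32.dll", "dwmapi.dll", "uxtheme.dll",
}


@dataclass(frozen=True)
class ImageLoad:
    image: str              # Sysmon field Image: the process executable
    image_loaded: str       # Sysmon field ImageLoaded: the DLL path
    signed: bool            # Sysmon field Signed
    signature_status: str   # Sysmon field SignatureStatus, e.g. "Valid"


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' ImageLoad record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", ""),
    )


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a system-named DLL is loaded, untrusted, from the exe's own directory."""
    dll = ev.image_loaded.lower()
    exe = ev.image.lower()
    if ntpath.basename(dll) not in SYSTEM_DLL_NAMES:
        return False                      # not a name the loader searches for by default
    if dll.startswith(SYSTEM_DIRS):
        return False                      # resolved from its proper location
    same_dir = ntpath.dirname(dll) == ntpath.dirname(exe)
    trusted = ev.signed and ev.signature_status.lower() == "valid"
    return same_dir and not trusted


def find_sideload_candidates(lines) -> list[str]:
    """Return the ImageLoaded path of every record that trips the heuristic."""
    return [ev.image_loaded for ev in map(parse_event, lines) if is_sideload_candidate(ev)]


# Constructed sample records (paths and file names are illustrative only).
SAMPLE_EVENTS = [
    # Benign: Microsoft-signed system DLL resolved from System32.
    r"Image=C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe"
    r"|ImageLoaded=C:\Windows\System32\version.dll"
    r"|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    # Benign: vendor's own helper DLL next to the exe, not a system DLL name.
    r"Image=C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe"
    r"|ImageLoaded=C:\Program Files (x86)\LogMeIn Hamachi\vendorhelper.dll"
    r"|Signed=true|Signature=Example Vendor|SignatureStatus=Valid",
    # Suspicious: exe copied to a writable directory loads an unsigned DLL
    # named like a system DLL from that same directory.
    r"Image=C:\ProgramData\Sync\hamachi-2-ui.exe"
    r"|ImageLoaded=C:\ProgramData\Sync\version.dll"
    r"|Signed=false|Signature=|SignatureStatus=Unavailable",
    # Suspicious: the DLL is signed, but the signature fails validation.
    r"Image=C:\Users\Public\Tools\updater.exe"
    r"|ImageLoaded=C:\Users\Public\Tools\dbghelp.dll"
    r"|Signed=true|Signature=Contoso Ltd|SignatureStatus=Invalid",
]


if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("side-loading candidate:", path)
```

The heuristic keys on the Windows search order: for a DLL that is not in the KnownDLLs list, the application's own directory is searched before System32, which is exactly what side-loading exploits. In practice the name list should be generated from the imports of the signed binaries you actually run, and a legitimately signed copy in the application directory still deserves a second look when the executable itself sits outside its normal install path.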
The second wave began about a month after the first intrusion. This time the attackers tried to deploy TernDoor through Mofu Loader. This loader was previously associated with GroundPeony. TernDoor has recently been seen in attacks on telecommunications infrastructure in South America that have been under way since 2024. According to Bitdefender, the attempts in the Azerbaijani network were unsuccessful.
By the end of February the group had returned to Deed RAT, in a modified version. To communicate with its command-and-control infrastructure, the sample used the domain sentinelonepro[.]com, a name that mimics a security vendor. The report's authors conclude that the repeated attacks point not to a one-off incident but to a sustained operation, with attempts to restore access, expand the foothold inside the network and prepare backup entry points.