APT Targets Azerbaijani Oil and Gas Industry

May 21, 2026, 4:11 p.m.

Description

A sophisticated multi-wave intrusion campaign targeted an Azerbaijani oil and gas company from late December 2025 through late February 2026, attributed with moderate-to-high confidence to the Chinese APT group FamousSparrow. The operation exploited unpatched Microsoft Exchange servers via ProxyShell and ProxyNotShell vulnerabilities to establish initial access. Attackers deployed two distinct backdoor families - Deed RAT and Terndoor - across three separate waves, demonstrating operational persistence by repeatedly exploiting the same entry point despite remediation attempts. Technical analysis revealed an evolved DLL sideloading technique using a two-stage trigger mechanism that gates execution through legitimate application control flow, effectively evading automated sandbox analysis. The campaign extended FamousSparrow's known targeting to South Caucasus energy infrastructure, coinciding with Azerbaijan's increased strategic importance to European energy security following disruptions in Russian and Mi...

Date

  • Created: May 20, 2026, 11:10 a.m.
  • Published: May 20, 2026, 11:10 a.m.
  • Modified: May 21, 2026, 4:11 p.m.

Indicators

  • http://sentinelonepro.com:443
  • https://sentinelonepro.com:443

Additional Information

  • Energy
  • sentinelonepro.com
  • Azerbaijan

Linked vulnerabilities