China-linked FamousSparrow hackers used Microsoft Exchange to breach energy firm
China-linked FamousSparrow hackers targeted an Azerbaijani oil and gas company in a multi-wave espionage campaign that lasted from late December 2025 to late February 2026.
Bitdefender researchers said the attackers repeatedly returned through the same vulnerable Microsoft Exchange Server and deployed different malware families across three waves. The operation used Deed RAT, an attempted Terndoor deployment, web shells, and DLL sideloading techniques designed to make detection harder.
The case stands out because the attackers did not rely on one short-lived breach. They reused the same access path, adjusted their malware, and tried to maintain persistence even after remediation attempts.
A sustained attack on an energy target
Bitdefender attributed the intrusion to FamousSparrow with moderate-to-high confidence. The company also noted overlap with the Earth Estries threat ecosystem, a broader cluster of China-linked espionage activity.
The target was an unnamed Azerbaijani oil and gas company. That detail matters because Azerbaijan has become more important to European energy supply, especially after the end of Russia’s Ukraine gas transit agreement and later disruptions affecting alternative energy routes.
The campaign also expands the known public picture of FamousSparrow’s targeting. Earlier reporting linked related activity to telecommunications, government, and technology targets. This case places the group inside South Caucasus energy infrastructure.
| Campaign detail | What researchers found |
|---|---|
| Victim sector | Oil and gas |
| Victim location | Azerbaijan |
| Observed period | Late December 2025 through late February 2026 |
| Initial access path | Vulnerable Microsoft Exchange Server |
| Main malware families | Deed RAT and Terndoor |
| Attribution | FamousSparrow with moderate-to-high confidence |
The attackers reused the Exchange server three times
The first signs appeared on December 25, 2025, when the IIS worker process (w3wp.exe) hosting Exchange attempted to write a web shell into a publicly reachable directory on the server.
Bitdefender assessed that the attackers used the ProxyNotShell chain: CVE-2022-41040, a server-side request forgery in the Autodiscover front end, and CVE-2022-41082, remote code execution through the Exchange PowerShell endpoint. Microsoft fixed both in its November 2022 security updates, three years before this campaign.
After gaining access, the attackers deployed several web shells, including files named key.aspx, log.aspx, errorFE_.aspx, and signout_.aspx. The last two differ only by a trailing underscore from legitimate OWA authentication pages (errorFE.aspx and signout.aspx), so they blend into a directory listing. These files gave the operators a way to run commands and stage additional malware.
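The three Exchange artifacts described above (the ProxyNotShell request shape, requests to the named web shells, and web shell names that pad a legitimate page name with an underscore) can be checked in IIS logs. The detection below is an added example, not code from Bitdefender or the original article. The IIS W3C log lines and the baseline set of legitimate OWA page names are constructed; the ProxyNotShell pattern is the request shape Microsoft's URL Rewrite mitigation for CVE-2022-41040 matched.

```python
"""Detection over IIS W3C log lines for the Exchange artefacts discussed above:
the ProxyNotShell request shape, requests to the named web shells, and web shell
names that pad a legitimate page name with an underscore. The log lines and the
baseline page set are constructed for this example."""
import re
from dataclasses import dataclass

# Web shell file names reported by Bitdefender for this campaign (compared lower-cased).
KNOWN_WEBSHELLS = {"key.aspx", "log.aspx", "errorfe_.aspx", "signout_.aspx"}

# Assumed baseline of legitimate OWA authentication pages; build the real list from a
# known-good Exchange server rather than trusting this one.
BASELINE_PAGES = {"logon.aspx", "errorfe.aspx", "signout.aspx", "logoff.aspx"}

# Request shape matched by the URL Rewrite mitigation Microsoft published for
# CVE-2022-41040: an Autodiscover request that tunnels to the PowerShell endpoint.
PROXYNOTSHELL_RE = re.compile(r"autodiscover/autodiscover\.json.*@.*powershell", re.I)

FIELDS_PREFIX = "#Fields: "


@dataclass
class Alert:
    rule: str
    client_ip: str
    uri: str


def parse_w3c(lines):
    """Yield one dict per data row, mapping columns by the preceding #Fields header."""
    fields = None
    for line in lines:
        if line.startswith(FIELDS_PREFIX):
            fields = line[len(FIELDS_PREFIX):].split()
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than mis-map columns
        yield dict(zip(fields, values))


def lookalike_of_baseline(name):
    """errorfe_.aspx -> errorfe.aspx: return the baseline page a padded name imitates."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return None
    stripped = stem.rstrip("_") + "." + ext
    if stripped != name and stripped in BASELINE_PAGES:
        return stripped
    return None


def analyse(lines):
    """Run the three rules over W3C log lines and return the alerts in log order."""
    alerts = []
    for row in parse_w3c(lines):
        stem, query = row["cs-uri-stem"], row["cs-uri-query"]
        uri = stem if query == "-" else f"{stem}?{query}"
        name = stem.rsplit("/", 1)[-1].lower()
        ip = row["c-ip"]
        if PROXYNOTSHELL_RE.search(uri):
            alerts.append(Alert("proxynotshell_request", ip, uri))
        if name in KNOWN_WEBSHELLS:
            alerts.append(Alert("known_webshell_request", ip, uri))
        elif lookalike_of_baseline(name):
            alerts.append(Alert("baseline_lookalike_page", ip, uri))
    return alerts


# Constructed sample log: one legitimate logon, the ProxyNotShell request shape,
# two web shell requests, a legitimate errorFE.aspx hit, and a padded-name lookalike.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-25 03:12:44 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.9 Mozilla/5.0 200
2025-12-25 03:13:01 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.31 200
2025-12-25 03:14:10 10.0.0.5 POST /owa/auth/errorFE_.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-12-25 03:14:30 10.0.0.5 POST /aspnet_client/key.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-12-25 03:15:00 10.0.0.5 GET /owa/auth/errorFE.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-12-25 03:16:12 10.0.0.5 POST /owa/auth/logon_.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(f"{alert.rule:26} {alert.client_ip:14} {alert.uri}")
```

The lookalike rule is the generalization worth keeping: it catches any padded copy of a baseline page, not only the two names in this report. Point it at the logs under `C:\inetpub\logs\LogFiles` for the campaign window and pair any hit with a file-creation check on the path it names.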
Deed RAT was hidden inside a LogMeIn Hamachi-style chain
The first malware wave used Deed RAT, a backdoor associated with several China-linked espionage operations. The attackers delivered it through a three-part sideloading chain that imitated the legitimate LogMeIn Hamachi VPN software.
The legitimate LogMeIn Hamachi executable LMIGuardianSvc.exe loaded a malicious DLL named LMIGuardianDll.dll placed beside it. That DLL then decrypted an encrypted payload stored in a file named .hamachi.lng.
The malware also created a Windows service that mimicked LogMeIn Hamachi. That service helped the attackers restart the malware after reboots and keep access available.
- LMIGuardianSvc.exe acted as the legitimate binary in the sideloading chain.
- LMIGuardianDll.dll acted as the malicious loader.
- .hamachi.lng stored the encrypted Deed RAT payload.
- The payload used encryption and in-memory execution to complicate analysis.
- A fake service created persistence on the compromised host.
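The chain above, and the later response step of checking for Hamachi-like files, reduce to one hunt: a signed vendor executable outside its install directory, a DLL beside it that does not share the signature, and a non-executable file beside it whose content is high-entropy. The script below is an added example, not Bitdefender's or the article's code. The file names are the ones reported; the paths, the signer string "LogMeIn", the expected install directory and the file contents are constructed, and the encrypted payload is simulated with seeded random bytes.

```python
"""Hunt for the host-EXE / loader-DLL / encrypted-payload triad described above in a
file inventory. The file names are the ones Bitdefender reported; the paths, signer
strings, contents and the expected install directory are constructed for this example."""
import math
import random
from collections import defaultdict
from pathlib import PureWindowsPath

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8.0
MIN_PAYLOAD_SIZE = 1024   # ignore tiny files, which can score high by chance

# Assumed: where binaries carrying this signer string are expected to live.
EXPECTED_DIRS = {"LogMeIn": [r"C:\Program Files (x86)\LogMeIn Hamachi"]}


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def hunt_sideloading(inventory, expected_dirs):
    """inventory: iterable of {path, signer, data}; signer is None when unsigned.
    Returns a sorted list of (finding, path) pairs."""
    by_dir = defaultdict(list)
    for entry in inventory:
        p = PureWindowsPath(entry["path"])
        by_dir[str(p.parent).lower()].append((p, entry))

    findings = set()
    for directory, entries in by_dir.items():
        signed_exes = [(p, e) for p, e in entries
                       if p.suffix.lower() == ".exe" and e["signer"]]
        for exe_path, exe in signed_exes:
            signer = exe["signer"]
            allowed = [d.lower() for d in expected_dirs.get(signer, [])]
            # 1. A signed vendor binary copied outside the vendor's install directory.
            if not any(directory.startswith(d) for d in allowed):
                findings.add(("relocated_signed_binary", str(exe_path)))
            for p, e in entries:
                suffix = p.suffix.lower()
                # 2. A DLL beside the signed EXE that does not carry the same signature:
                #    the sideloading position (LMIGuardianDll.dll in the report).
                if suffix == ".dll" and e["signer"] != signer:
                    findings.add(("foreign_dll_beside_signed_exe", str(p)))
                # 3. A non-PE file beside it whose content looks encrypted:
                #    the payload position (.hamachi.lng in the report).
                elif suffix not in (".exe", ".dll"):
                    data = e.get("data", b"")
                    if len(data) >= MIN_PAYLOAD_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
                        findings.add(("high_entropy_blob_beside_signed_exe", str(p)))
    return sorted(findings)


# Constructed inventory: the genuine install under Program Files and a staged copy
# under ProgramData. The encrypted payload is simulated with seeded random bytes.
_rng = random.Random(20251225)
SAMPLE_INVENTORY = [
    {"path": r"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe", "signer": "LogMeIn"},
    {"path": r"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianDll.dll", "signer": "LogMeIn"},
    {"path": r"C:\Program Files (x86)\LogMeIn Hamachi\en.lng", "signer": None,
     "data": b"Connect=Connect\nDisconnect=Disconnect\n" * 100},
    {"path": r"C:\ProgramData\Hamachi\LMIGuardianSvc.exe", "signer": "LogMeIn"},
    {"path": r"C:\ProgramData\Hamachi\LMIGuardianDll.dll", "signer": None},
    {"path": r"C:\ProgramData\Hamachi\.hamachi.lng", "signer": None, "data": _rng.randbytes(4096)},
]

if __name__ == "__main__":
    for finding, path in hunt_sideloading(SAMPLE_INVENTORY, EXPECTED_DIRS):
        print(f"{finding:38} {path}")
```

On a real host the inventory comes from a filesystem walk with Authenticode signer data (for example `Get-AuthenticodeSignature` output); the three rules fire independently, so a directory that trips all three is a strong candidate for the full chain while any single hit still deserves a look.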
The sideloading method added an extra evasion layer
Bitdefender said this campaign used a more advanced DLL sideloading method than the common pattern of dropping a malicious DLL that runs its payload as soon as the host loads it. The malicious DLL did not run its payload immediately after loading.
Instead, the loader split its logic across two exported functions named Init and ComMain. The payload ran only after the legitimate host application called them in its normal startup order.
This matters for defenders because many sandboxes and automated triage systems load a DLL sample on its own, outside its full runtime context. If the expected call sequence does not occur, the malicious behavior never appears during analysis. Reproducing it means running the genuine host executable with the DLL and payload file in place, not detonating the DLL alone.
Second and third waves show persistence
The second wave took place in late January or early February 2026. During that stage, the attackers attempted to deploy Terndoor through a hijacked binary associated with deskband_injector64.exe.
That attempt did not fully succeed, but forensic artifacts showed that the malware tried to install a kernel driver (the vmflt.sys artifact listed in the indicator table below). Bitdefender connected this behavior to earlier reporting on UAT-9244 activity, which Cisco Talos linked to FamousSparrow with high confidence.
In the third wave, the attackers returned again near the end of February 2026 with a modified Deed RAT variant. That version used sentinelonepro[.]com as its command-and-control address, a domain designed to resemble a known security vendor name.
| Wave | Timing | Observed activity |
|---|---|---|
| Wave 1 | December 25, 2025 | Exchange exploitation, web shells, and Deed RAT deployment |
| Wave 2 | Late January or early February 2026 | Attempted Terndoor deployment through DLL sideloading |
| Wave 3 | Late February 2026 | Modified Deed RAT deployment using a new C2 domain |
Why this campaign matters
The operation shows how a known Exchange weakness can remain valuable long after patches become available. The attackers kept returning through the same entry point, which suggests the original access path had not been fully closed.
That pattern creates a major lesson for defenders. Removing malware does not end an intrusion if the vulnerable server remains exposed, credentials remain valid, or web shells stay behind.

The campaign also highlights how espionage groups mix old vulnerabilities with refined malware. In this case, the access path was familiar, but the Deed RAT loader showed active development and stronger evasion logic.
Indicators security teams should review
Security teams should start with the Exchange Server that faced the internet during the campaign window. They should review web shell creation attempts, IIS worker process activity, unusual PowerShell use, and unexpected remote desktop sessions.
Teams should also look for files and domains tied to the Deed RAT and Terndoor activity described by Bitdefender. The presence of these artifacts should trigger a deeper incident response review, not only file removal.
Credential rotation also matters. If attackers reused the same Exchange access path or moved laterally with stolen accounts, patching alone may not remove every foothold.
| Type | Indicator |
|---|---|
| Web shell | key.aspx, log.aspx, errorFE_.aspx, signout_.aspx |
| Loader | LMIGuardianDll.dll |
| Payload file | .hamachi.lng |
| Legitimate binary abused | LMIGuardianSvc.exe |
| Terndoor-related file | winmm.dll |
| Driver artifact | vmflt.sys |
| Command-and-control | virusblocker[.]it[.]com:443, sentinelonepro[.]com:443 |
| Vulnerabilities | CVE-2022-41040 and CVE-2022-41082 |
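The two command-and-control entries in the table are published defanged, and the lookalike naming in sentinelonepro[.]com is the pattern the later response list asks teams to watch for. The script below is an added example, not Bitdefender's or the article's code: it refangs the indicators, matches DNS and proxy records by exact domain or subdomain (port-aware for proxy records), and flags hosts that embed a security vendor's brand without sitting under that vendor's own domain. The record format, the sample records and the vendor-to-domain map are constructed.

```python
"""Match outbound DNS and proxy records against the defanged C2 indicators in the table
above, and flag hosts that borrow a security vendor's brand without being under the
vendor's own domain. The records, the vendor map and the record format are constructed."""
import re
from dataclasses import dataclass

# C2 indicators exactly as published (defanged) in the indicator table.
DEFANGED_C2 = ["virusblocker[.]it[.]com:443", "sentinelonepro[.]com:443"]

# Assumed map of brand token -> domains that vendor legitimately uses; extend it
# from your own allowlist before relying on the lookalike rule.
VENDOR_DOMAINS = {"sentinelone": {"sentinelone.com"}, "crowdstrike": {"crowdstrike.com"}}


@dataclass
class Hit:
    kind: str
    host: str
    record: str


def refang(indicator):
    """Undo common defanging: [.] and (.) become '.', hxxp becomes http."""
    return re.sub(r"\[\.\]|\(\.\)", ".", indicator).replace("hxxp", "http")


def parse_c2(indicators):
    """Turn 'host[.]tld:port' indicators into {host: port-or-None} (host:port only, not URLs)."""
    c2 = {}
    for ioc in indicators:
        host, _, port = refang(ioc).lower().partition(":")
        c2[host] = int(port) if port else None
    return c2


def is_same_or_subdomain(host, domain):
    return host == domain or host.endswith("." + domain)


def brand_lookalike(host):
    """Return the brand a host imitates, or None if it is under the vendor's own domain."""
    for brand, legit in VENDOR_DOMAINS.items():
        if brand in host and not any(is_same_or_subdomain(host, d) for d in legit):
            return brand
    return None


def scan(records, c2):
    """records: lines 'timestamp src_ip DNS|PROXY host port' (port '-' when unknown)."""
    hits = []
    for line in records:
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, _src, _kind, host, port = parts
        host = host.lower().rstrip(".")
        port = int(port) if port.isdigit() else None
        matched = False
        for domain, c2_port in c2.items():
            # A DNS record carries no port, so it matches on the domain alone;
            # a proxy record must also match the indicator's port.
            if is_same_or_subdomain(host, domain) and (port is None or c2_port is None or port == c2_port):
                hits.append(Hit("known_c2", host, line))
                matched = True
                break
        if not matched:
            brand = brand_lookalike(host)
            if brand:
                hits.append(Hit(f"vendor_lookalike:{brand}", host, line))
    return hits


# Constructed records: the C2 domains (one via a subdomain), a genuine vendor host,
# a brand lookalike, and the C2 host on a port the indicator does not list.
SAMPLE_RECORDS = """2026-02-26T09:14:02Z 10.1.2.33 DNS sentinelonepro.com -
2026-02-26T09:14:03Z 10.1.2.33 PROXY sentinelonepro.com 443
2026-02-26T09:20:11Z 10.1.2.40 PROXY update.sentinelone.com 443
2026-02-26T09:21:00Z 10.1.2.33 DNS cdn.virusblocker.it.com -
2026-02-26T09:25:00Z 10.1.2.51 PROXY crowdstrike-update.example 443
2026-02-26T09:30:00Z 10.1.2.33 PROXY sentinelonepro.com 8443
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS.splitlines(), parse_c2(DEFANGED_C2)):
        print(f"{hit.kind:28} {hit.record}")
```

The last sample record shows why the lookalike rule sits behind the exact match: traffic to the C2 host on a port the indicator does not list would slip past a port-strict IOC match, but the brand rule still surfaces it.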
How organizations should respond
Organizations running Microsoft Exchange Server should confirm that all supported security updates have been applied. They should also check whether interim mitigation-only steps were left in place instead of permanent updates; the URL Rewrite rule Microsoft published for ProxyNotShell was revised several times after bypasses were found and was never a substitute for the November 2022 security update.
Security teams should inspect Exchange directories for web shells, review authentication logs, and investigate any PowerShell activity launched by Exchange processes. They should also check for sideloading chains that use trusted binaries with unexpected DLLs nearby.
Energy companies and other critical infrastructure operators should treat this type of activity as espionage-focused persistence. A clean endpoint scan may not reveal the full intrusion if attackers have stolen credentials, planted web shells, or created redundant access points.
- Patch all Microsoft Exchange servers to supported security update levels.
- Search for web shells in public Exchange directories.
- Review IIS logs for suspicious requests and file writes.
- Rotate credentials used on or through the Exchange server.
- Check for suspicious LogMeIn Hamachi-like files and services.
- Investigate unexpected RDP sessions and PowerShell downloads.
- Monitor outbound HTTPS traffic to lookalike security vendor domains.
The FamousSparrow campaign shows why partial remediation can leave organizations exposed. Attackers may return through the same weak point if defenders remove the visible malware but fail to close the original path.
For energy operators, the wider message is clear. Public-facing Exchange servers, remote access paths, and administrative credentials need continuous review because they can give espionage groups a durable route into critical business networks.
FAQ
FamousSparrow is a China-linked advanced persistent threat group associated with cyber espionage. Bitdefender attributed the Azerbaijani oil and gas intrusion to FamousSparrow with moderate-to-high confidence.
Bitdefender said the campaign targeted an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026.
Researchers assessed that the attackers exploited a vulnerable Microsoft Exchange Server using the ProxyNotShell chain, then deployed web shells and malware for persistence.
The campaign used Deed RAT and attempted to deploy Terndoor. The attackers also used web shells, DLL sideloading, and command-and-control domains designed to blend into normal network traffic.
Administrators should apply supported Exchange security updates, search for web shells, rotate exposed credentials, review IIS and PowerShell activity, and investigate any suspicious sideloading chains on affected systems.