Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

Bitdefender attributed a multi-wave intrusion against an Azerbaijani oil and gas company to FamousSparrow, a China-nexus threat actor, which exploited the same Microsoft Exchange Server entry point repeatedly. The payloads rotated across waves and included Deed RAT and TernDoor, while web shells, lateral movement, and increasingly refined DLL side-loading kept the actor's access persistent. #FamousSparrow #UAT9244 #DeedRAT #TernDoor #ProxyNotShell

Keypoints

  • FamousSparrow was linked to a multi-wave intrusion against an Azerbaijani oil and gas company.
  • The attackers came back through the same Microsoft Exchange Server vulnerability after remediation attempts, so cleanup that removes payloads and web shells without closing the Exchange entry point itself leaves the door open.
  • ProxyNotShell (the 2022 Exchange chain CVE-2022-41040 and CVE-2022-41082, an authenticated Autodiscover SSRF reaching the PowerShell backend) was reportedly used to gain initial access.
  • The campaign deployed Deed RAT and TernDoor across separate waves.
  • The actors used web shells, DLL side-loading, and lateral movement to maintain persistence.
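
For defenders who want to check whether their own Exchange servers saw the same kind of initial-access attempts, the following added example (not code from the article or from Bitdefender's report) hunts for ProxyNotShell-style requests in IIS W3C logs. It applies the same condition Microsoft's updated URL-rewrite mitigation used, a URL-decoded request URI that contains both `autodiscover` and `powershell`, and it URL-decodes twice because attackers encode the `@` and `/` characters to slip past naive string filters. The log lines, IP addresses and field order are constructed for illustration.

```python
"""
Added example: hunt for ProxyNotShell-style requests in IIS W3C logs.
Not from the article or Bitdefender's report. The sample log below is
constructed; real Exchange logs live under
C:\\inetpub\\logs\\LogFiles\\W3SVC1 and may use a different #Fields order,
which is why the parser reads the header instead of assuming positions.
"""
import re
from urllib.parse import unquote

# Same condition as Microsoft's updated URL Rewrite mitigation for ProxyNotShell:
# both keywords anywhere in the decoded request URI, in any order and any case.
PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE | re.DOTALL)

# Constructed IIS W3C log excerpt (not real traffic). Lines 1, 2 and 4 are
# ProxyNotShell-style probes; line 3 is an ordinary OWA logon request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-02 03:14:07 203.0.113.10 GET /autodiscover/autodiscover.json @evil.example/powershell?x= 200
2026-05-02 03:14:09 203.0.113.10 POST /autodiscover/autodiscover.json %40foo%2fPowershell 401
2026-05-02 03:15:00 198.51.100.7 GET /owa/auth/logon.aspx url=%2fowa 200
2026-05-02 03:15:30 192.0.2.20 POST /Autodiscover/Autodiscover.json @x/PoWeRsHeLl?a=1 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file after an IIS restart
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log entry appears before any #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def request_uri(entry):
    """Rebuild the request URI and decode it twice (double-encoding is a common evasion)."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    uri = stem if query == "-" else f"{stem}?{query}"
    return unquote(unquote(uri))


def find_proxynotshell(text):
    """Return the entries whose decoded URI matches the ProxyNotShell pattern."""
    hits = []
    for entry in parse_w3c(text):
        uri = request_uri(entry)
        if PATTERN.search(uri):
            hits.append({
                "time": f"{entry['date']} {entry['time']}",
                "ip": entry["c-ip"],
                "method": entry["cs-method"],
                "uri": uri,
                # 401 = unauthenticated probe; 200 with a valid account means
                # the actor already had credentials and the chain may have fired.
                "status": entry["sc-status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_proxynotshell(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status deserves the most attention, since ProxyNotShell needs valid credentials: it tells you which account the actor held, and that account should be treated as compromised alongside the server. Pair this with a listing of recently created `.aspx` files under the Exchange FrontEnd directories, since the web shells the article mentions are how such access is turned into persistence.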

Read More: https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html