Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
China-Linked FamousSparrow Repeatedly Exploited Same Microsoft Exchange Flaw Against Azerbaijani Energy Firm
TL;DR: Bitdefender attributed a three-wave intrusion against an unnamed Azerbaijani oil and gas company to FamousSparrow, a China-affiliated group, between late December 2025 and late February 2026. The attackers exploited the ProxyNotShell chain on Microsoft Exchange Server in each wave despite the victim's remediation efforts, deploying the Deed RAT and TernDoor backdoors across the campaign. The repeated reuse of the same vulnerability after patching attempts highlights a critical gap between remediating a vulnerability and fully evicting an attacker.
What happened
Between late December 2025 and late February 2026, an unnamed Azerbaijani oil and gas company suffered three separate intrusion waves conducted by FamousSparrow (also tracked as UAT-9244), a threat group with China affiliations. Bitdefender attributed the activity with moderate-to-high confidence.
The attackers exploited the ProxyNotShell chain on Microsoft Exchange Server to obtain initial access. Notably, they returned to the same vulnerable entry point across all three waves despite the organization's remediation efforts, redeploying malware each time the previous payload was removed.
First wave (December 25, 2025): After initial compromise, the attackers deployed web shells and then Deed RAT, a successor to ShadowPad. The malware was delivered via an evolved DLL side-loading technique leveraging the legitimate LogMeIn Hamachi binary. Unlike standard DLL side-loading, this method overrides two specific exported functions within the malicious library, creating a two-stage trigger that executes through the host application's normal control flow. The attackers conducted lateral movement to expand their foothold within the network.
Second wave (late January/early February 2026): Nearly a month later, the adversary attempted to deploy TernDoor using DLL side-loading via Mofu Loader, a shellcode loader previously attributed to GroundPeony. This deployment was unsuccessful.
Third wave (late February 2026): The attackers returned again, this time deploying a modified variant of Deed RAT configured to use "sentinelonepro[.]com" for command-and-control communications. This iteration reflected efforts to refine the malware arsenal.
FamousSparrow shares tactical overlap with clusters tracked as Earth Estries and Salt Typhoon. TernDoor was previously identified in attacks against telecommunications infrastructure in South America since 2024, indicating the group's broader operational scope.
Why it matters
This campaign demonstrates a sustained exploitation pattern that defenders must understand: patching a vulnerability does not guarantee attacker removal. The organization patched Microsoft Exchange yet remained compromised, allowing reinfection through the same path.
For energy sector defenders in the MENA region, this case is relevant to infrastructure resilience. The timing, which coincides with Azerbaijan's expanded role in European energy security following the expiration of Russia's Ukraine gas transit agreement in 2024, suggests geopolitical motivation and indicates that energy firms remain high-value targets for state-nexus groups.
The evolved DLL side-loading technique shows ongoing refinement of defense evasion. The multi-wave approach with redundant footholds reflects operational discipline: if one payload is detected and removed, the attacker maintains access through alternative backdoors and lateral movement positions.
For SOC analysts, this underscores that incident response must include full credential rotation, removal of all web shells and attacker-installed tools, and verification that legitimate applications (like LogMeIn Hamachi) are not being abused for malware delivery.
Affected systems and CVEs
- Microsoft Exchange Server – exploited via ProxyNotShell chain; specific CVE identifiers not disclosed at the time of publication
- Deed RAT (Snappybee) – successor to ShadowPad; deployed across waves one and three
- TernDoor – attempted deployment in wave two; previously observed targeting South American telecommunications
- LogMeIn Hamachi – legitimate binary abused for DLL side-loading
- Mofu Loader – used to attempt TernDoor deployment
No CVE assigned at the time of publication for the ProxyNotShell exploitation.
What to do
- Patch the original Microsoft Exchange vulnerability and verify the patch is applied to all instances
- Rotate all potentially compromised credentials across the organization
- Conduct full forensic analysis to identify and remove all web shells, backdoors, and attacker-installed tools
- Deploy or enhance web shell detection and prevention controls
- Review logs for lateral movement indicators, particularly authentication events and unusual privileged activity
- Monitor for outbound connections to "sentinelonepro[.]com" and other known FamousSparrow C2 infrastructure
- Implement network segmentation to limit lateral movement if re-compromise occurs
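Two of the recommended post-incident checks, the C2 watchlist review and the lateral movement log review, are small enough to script. The following is an added example written for this article; it is not Bitdefender's tooling or anything the report describes. It runs over constructed proxy log lines and constructed Windows 4624 logon events embedded in the script. The only indicator taken from the article is sentinelonepro[.]com; the second watchlist entry, the IP addresses, host names and accounts are placeholders. The fan-out threshold (five distinct hosts within ten minutes) is an assumed starting point, not a published detection rule.

```python
"""Added example: two hunting checks over constructed log samples.

1. Outbound proxy/DNS records are matched against a defanged C2 watchlist
   (the article names sentinelonepro[.]com; the other entry is a placeholder).
2. Windows logon events (ID 4624, network logon type 3) are checked for one
   account reaching many distinct hosts in a short window, a common lateral
   movement signal after a web shell or backdoor has been planted.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist in the defanged form threat reports use. First entry is from the
# article; the second is a constructed placeholder for the reader to replace.
C2_WATCHLIST = ["sentinelonepro[.]com", "placeholder-c2[.]invalid"]


def refang(indicator: str) -> str:
    """Turn 'evil[.]com' back into the form that appears in logs."""
    return indicator.replace("[.]", ".").lower()


def matches_watchlist(hostname: str, watchlist=C2_WATCHLIST) -> bool:
    """True if hostname equals, or is a subdomain of, a watchlisted domain.
    A suffix match without the leading dot would wrongly flag look-alike
    legitimate names, so the dot is required."""
    host = hostname.lower().rstrip(".")
    for entry in watchlist:
        dom = refang(entry)
        if host == dom or host.endswith("." + dom):
            return True
    return False


# Constructed proxy log: "<timestamp> <src_ip> <dst_host> <bytes>".
# sentinelone.com is a legitimately named vendor domain and must not match.
PROXY_LOG = """\
2026-02-24T10:01:12Z 10.20.30.41 update.microsoft.com 5120
2026-02-24T10:03:55Z 10.20.30.41 beacon.sentinelonepro.com 812
2026-02-24T10:04:01Z 10.20.30.77 sentinelonepro.com 640
2026-02-24T10:05:30Z 10.20.30.12 sentinelone.com 2048
"""


def find_c2_contacts(log_text: str):
    """Return (src_ip, dst_host) pairs whose destination hits the watchlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        src, host = parts[1], parts[2]
        if matches_watchlist(host):
            hits.append((src, host))
    return hits


# Constructed 4624 events reduced to the fields the check needs:
# (timestamp, account, logon_type, source_ip, target_host).
LOGON_EVENTS = [
    ("2026-02-24T11:00:05Z", "CORP\\svc-backup", 3, "10.20.30.41", "FS01"),
    ("2026-02-24T11:00:40Z", "CORP\\svc-backup", 3, "10.20.30.41", "FS02"),
    ("2026-02-24T11:01:10Z", "CORP\\svc-backup", 3, "10.20.30.41", "SQL01"),
    ("2026-02-24T11:01:45Z", "CORP\\svc-backup", 3, "10.20.30.41", "DC01"),
    ("2026-02-24T11:02:20Z", "CORP\\svc-backup", 3, "10.20.30.41", "HR-APP"),
    ("2026-02-24T11:30:00Z", "CORP\\jdoe", 2, "10.20.30.90", "WS-JDOE"),
    ("2026-02-24T12:00:00Z", "CORP\\jdoe", 3, "10.20.30.90", "FS01"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_fan_out(events, window=timedelta(minutes=10), threshold=5):
    """Flag (account, source_ip) pairs that reach >= threshold distinct hosts
    through network logons (type 3) inside a sliding time window.
    Returns a list of (account, source_ip, sorted_hosts)."""
    by_key = defaultdict(list)
    for ts, account, logon_type, src, target in events:
        if logon_type == 3:
            by_key[(account, src)].append((parse_ts(ts), target))
    alerts = []
    for (account, src), rows in by_key.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            hosts = {t for ts, t in rows[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts.append((account, src, sorted(hosts)))
                break  # one alert per account/source pair is enough
    return alerts


if __name__ == "__main__":
    for src, host in find_c2_contacts(PROXY_LOG):
        print(f"C2 watchlist hit: {src} -> {host}")
    for account, src, hosts in detect_fan_out(LOGON_EVENTS):
        print(f"Lateral movement fan-out: {account} from {src} -> {hosts}")
```

The same source address appears in both results, which is the kind of correlation worth pursuing during the forensic sweep: a host that talks to the C2 domain and then authenticates to several servers is a strong candidate for holding a web shell or a Deed RAT side-load. Threshold and window should be tuned against the environment's normal service-account behaviour before the rule is trusted.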
Open questions
- Which specific CVE identifiers correspond to the ProxyNotShell vulnerabilities exploited in this campaign?
- What is the identity of the targeted Azerbaijani oil and gas company?
- Were all attacker footholds successfully removed after each wave, or did some persist undetected?
- What is the current status of the compromise: is the organization still being monitored, or is it considered fully remediated?
- How many hosts were affected by lateral movement, and which business functions were accessible to the attackers?
- Why did the TernDoor deployment in wave two fail, and was this due to defensive action or technical error?
- What additional backdoors or access mechanisms may remain undetected in the environment?
Source
Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation