Chinese APT Exploits Critical Microsoft Exchange Vulnerability to Breach Energy Sector

Marcus Rodriguez
May 14, 2026

Key Takeaways

  • Chinese state-sponsored APT group FamousSparrow breached an Azerbaijani oil and gas company.
  • The attackers exploited unpatched Microsoft Exchange vulnerabilities (ProxyNotShell: CVE-2022-41040 and CVE-2022-41082) for initial access.
  • The campaign involved multiple waves of attacks, deploying Deed RAT and Terndoor backdoors with advanced evasion techniques.
  • The intrusion highlights ongoing, persistent threats to critical energy infrastructure.

A sophisticated Chinese state-linked advanced persistent threat (APT) group, identified as FamousSparrow, successfully infiltrated an oil and gas company in Azerbaijan. The attackers leveraged critical, unpatched vulnerabilities within the target’s Microsoft Exchange server to establish a deep and persistent presence, deploying multiple backdoor families. This incident, detailed in a recent security report, underscores the continuous and evolving threat to global critical energy infrastructure.

The extensive intrusion unfolded over several months, from late December 2025 to late February 2026, and is considered one of the most thoroughly documented Chinese APT campaigns targeting energy assets in the South Caucasus region. For a comprehensive analysis, refer to the full report.

The attackers demonstrated remarkable persistence, returning to the compromised Exchange server three separate times. Each subsequent visit involved new malware families and adjusted tactics, indicating a deliberate and sustained espionage objective rather than a simple opportunistic exploit. This multi-wave approach suggests a high level of dedication to maintaining access despite detection and attempted remediation by defenders.

Researchers at Bitdefender, who meticulously tracked the entire operation, attributed the intrusion to FamousSparrow with moderate-to-high confidence. Their analysis noted significant tactical and technical overlaps with the Earth Estries threat cluster, further solidifying the attribution.

The timing of this attack is particularly noteworthy. Azerbaijan has become an increasingly vital gas supplier for Europe, especially following the expiration of Russia’s Ukraine transit deal in 2024 and recent disruptions in the Strait of Hormuz in early 2026, which have reduced alternative energy sources. This geopolitical context likely heightened the strategic value of the target for state-sponsored espionage.

Chinese APT Hackers Exploit Microsoft Exchange

The initial phase of the operation saw the deployment of two distinct backdoor families: Deed RAT and Terndoor. Attackers also incorporated an advanced DLL sideloading technique designed to bypass automated security analysis, a level of sophistication rarely observed in previous campaigns linked to these malware families.

This layered operation significantly expanded analysts’ understanding of FamousSparrow’s capabilities and its focus on energy sector targets.

Initial Compromise and Foothold

The intrusion began on December 25, 2025, when the Microsoft Exchange Internet Information Services (IIS) worker process attempted to write a web shell to a publicly accessible directory on the server. This activity resulted from the ProxyNotShell exploit chain, which consists of two critical vulnerabilities: CVE-2022-41040 and CVE-2022-41082. These vulnerabilities permit unauthenticated remote code execution on unpatched Exchange servers.

In the subsequent days, the attackers deployed additional web shells, using filenames such as key.aspx, log.aspx, errorFE_.aspx, and signout_.aspx. These web shells provided a persistent and reliable command-and-control channel for issuing commands and staging further malicious payloads.
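As an added defender-side example (not from the article or from Bitdefender's report), the following Python flags the behaviour the report describes at the start of the intrusion: the IIS worker process w3wp.exe creating a web-executable file inside a served Exchange directory. The Sysmon field names are real; the Exchange install paths and the sample events are assumptions, with two of the file names taken from the list above.

```python
"""Flag web-executable files written by the IIS worker process into Exchange's
web-accessible directories, the behaviour that opened the intrusion above."""
from pathlib import PureWindowsPath

# Extensions IIS/ASP.NET will execute if they are dropped into a served directory.
WEB_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".ascx", ".asax"}

# Assumed default Exchange (V15) and IIS web roots, lower-cased for matching;
# adjust to the install path of the server being monitored.
WEB_ROOTS = (
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
    r"c:\program files\microsoft\exchange server\v15\clientaccess",
    r"c:\inetpub\wwwroot",
)

def is_webshell_drop(event: dict) -> bool:
    """Sysmon FileCreate (Event ID 11) by w3wp.exe of a web-executable file under a web root."""
    if event.get("EventID") != 11:
        return False
    if PureWindowsPath(event.get("Image", "")).name.lower() != "w3wp.exe":
        return False
    target = event.get("TargetFilename", "")
    if PureWindowsPath(target).suffix.lower() not in WEB_EXECUTABLE:
        return False
    return target.lower().startswith(WEB_ROOTS)

def scan_events(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event that matches the rule."""
    return [e["TargetFilename"] for e in events if is_webshell_drop(e)]

# Constructed sample events using Sysmon field names; key.aspx and signout_.aspx
# are names from the report, the directory and the benign events are assumed.
OWA_AUTH = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": W3WP, "TargetFilename": OWA_AUTH + r"\key.aspx"},
    {"EventID": 11, "Image": W3WP, "TargetFilename": OWA_AUTH + r"\signout_.aspx"},
    # Expected: ASP.NET compiling a page into its temp directory (a DLL, not a page).
    {"EventID": 11, "Image": W3WP,
     "TargetFilename": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\App_Web_k1.dll"},
    # Expected: an installer, not the worker process, laying down a legitimate page.
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": OWA_AUTH + r"\logon.aspx"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("possible web shell drop:", hit)
```

The rule keys on behaviour (the worker process writing something IIS will execute) rather than on file names, so renamed copies such as errorFE_.aspx still trigger it; legitimate page deployments by installers or admins do not.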

A sophisticated three-component malware chain was then introduced, cleverly disguised as the legitimate LogMeIn Hamachi VPN application to evade detection. The loader file,
