
They Came Back. Three Times.
Christmas Day, 2025. While most people were opening presents, hackers were opening a web shell on a Microsoft Exchange server belonging to an unnamed Azerbaijani oil and gas company.
The vulnerability chain they used, ProxyNotShell, was publicly disclosed in 2022. Its two CVEs (CVE-2022-41040, a server-side request forgery, and CVE-2022-41082, remote code execution through the PowerShell remoting endpoint) let an attacker who holds valid credentials for the server run code on an unpatched Exchange server; the chain is not unauthenticated, which is one reason stolen or weak mailbox credentials matter so much here. By December 2025, that server had been exploitable for more than three years.
Researchers at Bitdefender Labs tracked the campaign, attributing it to FamousSparrow — a China-aligned APT group — across three distinct waves of activity between December 2025 and February 2026.
Three Waves, Same Door
Here's what makes this one worth paying attention to: they didn't just break in once. They came back.
Wave one hit on December 25. The attackers used ProxyNotShell to drop a web shell, then deployed Deed RAT — a sophisticated backdoor considered a successor to ShadowPad, one of China's most widely shared espionage tools.
Wave two arrived in late January to early February 2026, this time dropping a different backdoor called TernDoor. Wave three followed in late February with a modified version of Deed RAT — updated, refined, and harder to detect than the first version.
Each time defenders tried to clean up, the attackers found their way back in. Same entry point. New tools. Bitdefender described it as "a sustained and adaptive operation" by an actor "that repeatedly sought to regain and extend access within the victim environment."
The Evasion Upgrade
The technical evolution between waves isn't just interesting — it's the part that should worry defenders.
Bitdefender researchers identified updated magic values in the Deed RAT malware, a switch from Snappy to Deflate compression for plugin decompression, and a two-stage DLL sideloading technique built to defeat automated analysis. The malicious DLL stayed dormant until the host application had completed a particular sequence of internal calls, so a sandbox that loads the library on its own and exercises its exports in isolation never sees the payload run.
The attackers used a legitimate LogMeIn Hamachi binary to sideload the malware: a signed, trusted executable on disk, with the malicious payload loaded beside it. Because the process image carries a valid signature, it passes allow-listing and a quick triage, which is what makes sideloading a staple of this kind of tradecraft.
Why Azerbaijan, Why Now
This wasn't random. Following the expiration of Russia's Ukraine gas transit agreement at the end of 2024 and the disruption of Strait of Hormuz shipments in early 2026, Azerbaijan rapidly solidified its position as a strategic energy supplier for Europe, delivering gas to thirteen countries including Germany and Austria.
When energy supply chains shift geopolitically, espionage follows. FamousSparrow's prior victims were mostly telecoms, government agencies, and tech firms across the US, Asia-Pacific, Middle East, and South Africa. This intrusion extends that known targeting map into the South Caucasus energy sector — a region not previously linked to this group in public reporting.
What This Means If You're Not Running an Azerbaijani Oil Rig
The uncomfortable truth here isn't the malware. It's the patch gap.
That Exchange server remained exploitable through at least late February 2026 — more than three years after ProxyNotShell was publicly disclosed. Bitdefender's conclusion was blunt: "Attackers will continue to exploit unpatched servers until they are either patched or taken offline."
If your organization is running internet-facing Exchange servers, the question isn't whether someone has tried this exploit chain. It's whether you'd know if they had.
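One way to answer that question retroactively is to run the IIS logs through the same two-token check Microsoft published as its ProxyNotShell URL Rewrite mitigation (a request whose path and query mention both "autodiscover" and "powershell"). The script below is an added example, not code from Bitdefender or from the original page; the log lines, hostnames, IPs and account names in it are constructed sample data, and the decode-twice step is a defensive assumption against percent-encoded variants rather than anything reported in this campaign.

```python
import re
from urllib.parse import unquote

# Two-token check from Microsoft's published ProxyNotShell URL Rewrite mitigation:
# flag any request whose path+query mentions both "autodiscover" and "powershell".
PROXYNOTSHELL_RE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed sample IIS W3C log lines (not real traffic; hosts and IPs are
# documentation values). IIS writes spaces inside a field as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-25 03:14:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?&Email=autodiscover/autodiscover.json%3f@evil.example 443 CORP\\user1 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
2025-12-25 03:14:08 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) 302
2025-12-25 03:15:01 10.0.0.5 GET /autodiscover/autodiscover.json - 443 CORP\\jdoe 10.0.0.22 Microsoft+Office/16.0 200
2025-12-25 03:16:42 10.0.0.5 POST /powershell - 443 CORP\\admin 10.0.0.30 Microsoft+WinRM+Client 200
2025-12-25 03:20:15 10.0.0.5 POST /AUTODISCOVER/autodiscover.json %40evil.example%2FPowerShell%2F%3F%26Email%3Dautodiscover%2Fautodiscover.json%253f%40evil.example 443 CORP\\user1 203.0.113.9 python-requests/2.31 200
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other W3C directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_proxynotshell(log_text):
    """Return the records whose decoded path+query look like ProxyNotShell attempts.

    Benign autodiscover traffic (no 'powershell') and legitimate remote
    PowerShell sessions (no 'autodiscover') are left alone; only requests
    that carry both tokens are reported.
    """
    hits = []
    for rec in parse_w3c(log_text):
        query = rec.get("cs-uri-query", "-")
        uri = rec["cs-uri-stem"] + ("?" + query if query != "-" else "")
        # Decode twice (assumption): double-encoding is a common way to slip
        # past a single-pass filter, and decoding is harmless on plain input.
        decoded = unquote(unquote(uri))
        if PROXYNOTSHELL_RE.search(decoded):
            hits.append({
                "when": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "user": rec["cs-username"],
                "status": rec["sc-status"],
                "uri": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_proxynotshell(SAMPLE_LOG):
        print(f"{hit['when']} {hit['client']} {hit['user']} {hit['status']} {hit['uri']}")
```

Point it at the real W3C logs under the Exchange frontend site (the `cs-uri-query` field is where the `@host/powershell` fragment lands) and treat every hit with a 200 status as a lead to pivot on: the source IP, the account that authenticated, and whatever was written under the Exchange web roots around that timestamp. A clean scan is not proof of absence, since logs may have been rotated or tampered with, but a hit is a strong reason to assume the server was already someone else's.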
Key Terms
- FamousSparrow — A China-linked APT (Advanced Persistent Threat) group. Also tracked as Earth Estries by some researchers. Known for targeting telecoms, government, and tech sectors globally.
- APT (Advanced Persistent Threat) — A sustained, targeted hacking operation, usually nation-state backed. Goal: stay hidden, collect intelligence long-term.
- ProxyNotShell — Two Microsoft Exchange vulnerabilities (CVE-2022-41040 and CVE-2022-41082) that, chained together, allow remote code execution on unpatched servers. Disclosed publicly in 2022.
- Deed RAT — A modular backdoor malware used by Chinese APT groups. Considered a successor to ShadowPad. Designed for long-term persistent access.
- TernDoor — A separate backdoor deployed in the second wave of this campaign. Less publicly documented than Deed RAT.
- DLL Sideloading — A technique where attackers drop a malicious DLL where a legitimate, usually signed, application will load it by name (typically the same directory as the executable). The trusted app runs, and quietly loads the malware alongside it.
- Web Shell — A script planted on a compromised web-facing server that lets attackers run commands remotely. Think of it as a hidden back door with a keyboard.
- C2 (Command and Control) — The server attackers use to send instructions to malware on a compromised machine. In this campaign, one C2 domain impersonated SentinelOne.
- CVE — Common Vulnerabilities and Exposures. The standard system for naming and tracking publicly known security vulnerabilities.
Sources
- The Hacker News — Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
- Bitdefender Labs — FamousSparrow APT Targets Azerbaijani Oil and Gas Industry
- Security Affairs — FamousSparrow targets Azerbaijani energy sector in multi-wave espionage campaign
- SC Media — China-linked hackers target Azerbaijani oil firm in multi-wave attack
- Industrial Cyber — Bitdefender uncovers FamousSparrow attacks on Azerbaijan energy sector
- Hackread — FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit