FamousSparrow APT Hit Azerbaijani Energy Firm in Three Waves

Bitdefender researchers documented three consecutive FamousSparrow intrusions against an Azerbaijani oil and gas firm between December 2025 and February 2026.

A China-affiliated advanced persistent threat group struck the same Azerbaijani oil and gas company three separate times between late December 2025 and late February 2026, reestablishing footholds each time the victim attempted remediation. Researchers at Bitdefender published an analysis of the sustained intrusion campaign attributed to FamousSparrow — also tracked as UAT-9244 — documenting how the group exploited Microsoft Exchange via the ProxyNotShell vulnerability chain, deployed three distinct backdoors, and routed command-and-control traffic through a domain spoofing the SentinelOne brand.

Three-Wave Intrusion: December 2025 Through February 2026

Bitdefender’s analysis tracks three discrete attack waves against the unnamed Azerbaijani energy company, each one representing FamousSparrow reestablishing access after the victim attempted to remove the intrusion.

The first wave began on December 25, 2025. FamousSparrow gained initial access through the ProxyNotShell Exchange exploit chain against the company’s on-premises Exchange server. Once inside, the group installed the Deed RAT backdoor — also known as Snappybee, a successor to the ShadowPad implant used extensively by China-nexus clusters — via DLL side-loading using the legitimate LogMeIn Hamachi binary. Loading malware through a signed, recognized executable allows the malicious DLL to inherit the trust associated with the parent process.

FamousSparrow’s Malware Arsenal: Deed RAT, TernDoor, and Mofu Loader

The second wave arrived in late January and early February 2026, after the victim’s remediation attempt. This time, FamousSparrow deployed TernDoor, a backdoor previously observed in FamousSparrow operations against South American telecom infrastructure dating to 2024. Alongside TernDoor, Bitdefender identified Mofu Loader — a shellcode loader attributed to the GroundPeony cluster, indicating either shared tooling between China-nexus groups or a deliberate attempt to introduce ambiguity into attribution.

The third wave followed in late February 2026. FamousSparrow returned with a modified variant of Deed RAT incorporating enhanced defense evasion through two-stage trigger mechanisms — a more sophisticated version of the implant used in the December intrusion. Each successive wave reflected operational adaptation: after two rounds of victim remediation, the group evolved its tooling specifically to remain persistent in that environment.

SentinelOne Brand Spoofing as FamousSparrow’s C2 Cover

A notable operational security technique observed across the campaign involved command-and-control infrastructure masquerading under the SentinelOne name. FamousSparrow routed C2 traffic through the domain “sentinelonepro[.]com,” designed to resemble legitimate SentinelOne security infrastructure. Network defenders monitoring outbound connections for known malicious domains would not flag traffic to what appears to be a commercial security vendor endpoint — particularly in environments where SentinelOne products are deployed and administrators expect to see related network communication.

The technique represents a pattern increasingly adopted by sophisticated state-sponsored actors: rather than using obviously suspicious domains, they construct infrastructure that mimics trusted security vendors to blend into normal enterprise network traffic.
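Blocklist matching misses a lookalike such as sentinelonepro[.]com precisely because it is not a known-bad domain. The check below, an added example rather than anything from Bitdefender’s report, takes the opposite approach: it flags any outbound host that embeds a security vendor’s brand name but does not resolve to that vendor’s own registrable domain. The vendor allowlist, the proxy log format and the log lines are all constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist: registrable domains a vendor legitimately uses.
# Extend per vendor deployed in your environment; sentinelone.com is the
# vendor's real primary domain, the rest of the table is an assumption.
VENDOR_BRANDS = {
    "sentinelone": {"sentinelone.com"},
}

# Constructed proxy log format: "<timestamp> <source-ip> <host> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumes simple TLDs (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_lookalike(host: str) -> Optional[str]:
    """Return the brand a host impersonates, or None if it is the vendor's own domain.

    Hyphens are dropped before matching so 'sentinel-one' still hits the brand.
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    for brand, legit_domains in VENDOR_BRANDS.items():
        if brand in host.replace("-", "") and reg not in legit_domains:
            return brand
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Yield (source-ip, host, brand) for every log line that talks to a lookalike."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines rather than fail the scan
        brand = brand_lookalike(m["host"])
        if brand:
            hits.append((m["src"], m["host"], brand))
    return hits


# Constructed sample: one real vendor host, the campaign's domain (refanged),
# an unrelated site, and a hyphenated lookalike invented for the example.
SAMPLE_LOG = """\
2026-02-20T10:01:02Z 10.0.5.21 agent.sentinelone.com 4120
2026-02-20T10:01:09Z 10.0.5.21 sentinelonepro.com 88210
2026-02-20T10:02:41Z 10.0.7.8 www.example.com 1033
2026-02-20T10:03:15Z 10.0.5.21 cdn.sentinel-one-update.net 512
"""

if __name__ == "__main__":
    for src, host, brand in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {host}: impersonates {brand}")
```

The heuristic is a triage aid, not a verdict: a hit means the host deserves a look against the vendor’s published infrastructure list, and a miss says nothing about domains that avoid the brand string entirely.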

Azerbaijan Energy Sector as a Strategic Target for China-Nexus APTs

Bitdefender attributed the campaign to FamousSparrow at moderate-to-high confidence, based on tactical patterns and malware signatures consistent with documented FamousSparrow activity. The group carries tactical overlap with Earth Estries and Salt Typhoon — two China-nexus clusters previously linked to critical infrastructure targeting campaigns — though analysts treat them as distinct tracked entities.

Azerbaijan holds elevated strategic value as an energy transit corridor for European supply chains, a position that became more significant following changes to the Russia-Europe gas transit landscape in 2024. An Azerbaijani oil and gas company’s operational data, infrastructure details, and communications represent the kind of intelligence target consistent with state-level strategic collection priorities rather than purely financial motivation.

FamousSparrow’s willingness to conduct three separate re-intrusion operations against a single target — adapting tooling after each remediation round — signals a high-value collection requirement that the group was unwilling to abandon despite detection and response activity by the victim organization.
