Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Attacks | Source: SC Media

China-linked hackers target Azerbaijani oil firm in multi-wave attack

The China-linked threat actor FamousSparrow exploited the ProxyNotShell vulnerability chain in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082, patched by Microsoft in November 2022) to gain initial access to an Azerbaijani oil and gas firm, then deployed multiple backdoors (Deed RAT and TernDoor) across three waves between late December 2025 and late February 2026. The attackers re-entered the network repeatedly despite remediation efforts and used an evolved DLL side-loading technique that abuses the legitimate LogMeIn Hamachi binary for evasion. The campaign marks a significant expansion of the group's targeting into critical energy infrastructure. Two points stand out for defenders: the foothold relied on an Exchange server that had gone roughly three years without a fix that was publicly available, and repeated re-entry after remediation is the usual sign of an incomplete eviction, so patching Exchange alone is not enough once backdoors are already on the network.

May 14, 2026 | By SC Staff

As reported by The Hacker News, a China-affiliated threat actor, identified as FamousSparrow, has conducted a sophisticated, multi-wave cyberattack against an unnamed Azerbaijani oil and gas company. The intrusions, spanning from late December 2025 to late February 2026, represent a significant expansion of the group's known targeting, according to Bitdefender.

The attackers exploited a vulnerable Microsoft Exchange Server, specifically via the ProxyNotShell chain, to gain initial access. Despite remediation attempts, they repeatedly re-entered the network, deploying different backdoors in three distinct waves. Deed RAT, a successor to ShadowPad, was deployed first, on December 25, 2025. This was followed by TernDoor in late January/early February 2026, and by a modified Deed RAT in late February 2026.

The campaign utilized advanced techniques, including an evolved DLL side-loading method leveraging the legitimate LogMeIn Hamachi binary to evade defenses.

The targeting is significant given Azerbaijan's increased role in European energy security. The sustained nature of the operation, with repeated attempts to regain access and introduce new payloads, highlights the actor's persistence and adaptive capabilities.

Source: The Hacker News
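The article names two techniques a defender can hunt for in their own telemetry: ProxyNotShell requests against Exchange, and a signed vendor binary side-loading a DLL from its own directory. The script below is an added example by the editor, not code from SC Media, The Hacker News or Bitdefender, and it runs over constructed sample data rather than anything from the reported intrusion. It assumes W3C-format IIS logs with the field order declared in the `#Fields` line, Sysmon Event ID 7 (ImageLoad) records, and a `HostSigner` field joined in from a separate Authenticode check of the host executable (Sysmon only records the signature of the loaded DLL). The `hamachi.exe` file name, the `netlib.dll` name and all paths and addresses are placeholders; the article does not name the abused binary or the side-loaded DLL. The ProxyNotShell pattern is the one Microsoft published in its original URL Rewrite mitigation; Microsoft later broadened it, and percent-decoding the URI before matching is added here for the same reason.

```python
"""Log-hunting checks for the two techniques named in the article, run over
constructed sample data (editor's example; not vendor detection logic)."""
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote

# ProxyNotShell (CVE-2022-41040 SSRF + CVE-2022-41082 RCE) chains an Autodiscover
# request into the Exchange PowerShell remoting backend. Microsoft's first
# URL Rewrite mitigation blocked request URIs matching
# ".*autodiscover\.json.*\@.*Powershell.*"; the same shape works as a log hunt.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed W3C-format IIS log; the #Fields line declares the column order.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-01 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.20 Mozilla/5.0 200
2025-12-01 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json a=x%40example.test/powershell/?X-Rps-CAT=AAAA 443 - 203.0.113.9 python-requests/2.31 200
2025-12-01 03:14:10 10.0.0.5 GET /autodiscover/autodiscover.json Email=user%40example.test 443 - 198.51.100.21 Outlook/16.0 401
"""


def hunt_proxynotshell(iis_log):
    """Return (client_ip, raw_uri) for every request matching the chain.
    The URI is percent-decoded before matching so an encoded '@' or '/'
    does not slip past the pattern; the raw URI is what gets reported."""
    names, hits = [], []
    for line in iis_log.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if not names or len(fields) != len(names):
            continue  # malformed line; a real hunt would report it, not drop it
        rec = dict(zip(names, fields))
        query = rec["cs-uri-query"]
        uri = rec["cs-uri-stem"] if query == "-" else f"{rec['cs-uri-stem']}?{query}"
        if PROXYNOTSHELL_RE.search(unquote(uri)):
            hits.append((rec["c-ip"], uri))
    return hits


# Directories where a vendor binary is expected to live; a signed EXE running
# from anywhere else and loading a sibling DLL is the side-loading shape.
TRUSTED_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# Constructed Sysmon Event ID 7 records. HostSigner is assumed to be joined in
# from an Authenticode check of the host EXE (Sysmon signs only the DLL).
# Binary names and paths are placeholders, not from the reported intrusion.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Users\Public\Libraries\hamachi.exe", "HostSigner": "LogMeIn, Inc.",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\Libraries\hamachi.exe", "HostSigner": "LogMeIn, Inc.",
     "ImageLoaded": r"C:\Users\Public\Libraries\netlib.dll", "Signed": "false", "Signature": "-"},
    {"Image": r"C:\Program Files\VendorTool\tool.exe", "HostSigner": "Vendor Example Ltd",
     "ImageLoaded": r"C:\Program Files\VendorTool\helper.dll", "Signed": "true", "Signature": "Vendor Example Ltd"},
]


def hunt_sideload(events):
    """Flag a signed host EXE that loads a DLL from its own directory when the
    DLL is not signed by the same publisher. Severity is 'high' when the EXE
    runs outside a standard install directory, 'low' otherwise (vendors do
    ship unsigned helper DLLs, so that case is a review item, not an alert)."""
    findings = []
    for ev in events:
        host = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.parent != host.parent:
            continue  # loaded from System32 or elsewhere; not the sibling-DLL shape
        dll_signer = ev["Signature"] if ev["Signed"] == "true" else None
        if not ev["HostSigner"] or dll_signer == ev["HostSigner"]:
            continue  # unsigned host, or the vendor's own signed DLL
        in_trusted = any(str(host).lower().startswith(d.lower()) for d in TRUSTED_DIRS)
        findings.append(("low" if in_trusted else "high", str(host), str(dll), dll_signer))
    return findings


if __name__ == "__main__":
    for ip, uri in hunt_proxynotshell(SAMPLE_IIS_LOG):
        print(f"ProxyNotShell-shaped request from {ip}: {uri}")
    for sev, host, dll, signer in hunt_sideload(SAMPLE_IMAGE_LOADS):
        print(f"[{sev}] {host} loaded sibling DLL {dll} (signer: {signer})")
```

Both checks are hunts over historical logs, not prevention: a hit on the first means the Exchange server accepted a ProxyNotShell-shaped request and the host needs a full compromise assessment, not just a patch, which is the point the article's three re-entries make. The second check deliberately ignores a DLL loaded from a different directory, because a legitimately signed EXE pulling system DLLs from System32 is normal; the signal is a signed vendor binary sitting in a user-writable directory with an unsigned neighbour.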
