FamousSparrow APT Expands Targeting to Azerbaijani Energy Sector

FamousSparrow APT Expands Targeting to Azerbaijani Energy Sector

First seen 13 May 2026, 16:44 UTC Darkreadingwww.welivesecurity.comBitdefenderattack.mitre.orgIndustrialcyber.Co+4 87% similarity 76.2

Article Content

Browse articles
ThreatCluster

FamousSparrow, a China-aligned APT group, launched a multi-wave cyberespionage campaign against an Azerbaijani oil and gas company from late December 2025 to February 2026. The attackers employed an evolved DLL sideloading technique to deploy the Deed RAT and Terndoor backdoors, enhancing their evasion capabilities. This marks a significant expansion of their operations into the South Caucasus, a region critical for European energy security. The campaign demonstrates a strategic persistence, with attackers repeatedly exploiting the same vulnerabilities despite remediation efforts. The tools used in this operation show notable improvements, including a two-stage trigger mechanism for the Deed RAT loader. The targeting of Azerbaijan indicates a shift in Chinese APT activities, previously focused on hospitality and government sectors, now extending into critical infrastructure. The operation highlights the geopolitical implications of cyber threats in contested regions.

Key Points: • FamousSparrow targeted an Azerbaijani oil and gas company from late December 2025 to February 2026. • The group utilized advanced DLL sideloading techniques to deploy Deed RAT and Terndoor backdoors. • This operation marks a significant expansion of Chinese cyber activity into the South Caucasus energy sector.

ThreatCluster AI

Timeline

2021-03-02
CVE-2021-26855 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2021-05-11
CVE-2021-31207 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2021-07-14
CVE-2021-34473 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2021-07-14
CVE-2021-34523 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2022-09-30
CVE-2022-41082 added to CISA KEV
CISA flagged the vulnerability as actively exploited in the wild and added it to the Known Exploited Vulnerabilities catalog.
CISA KEV
2022-09-30
CVE-2022-41040 added to CISA KEV
CISA flagged the vulnerability as actively exploited in the wild and added it to the Known Exploited Vulnerabilities catalog.
CISA KEV
2025-12-01
FamousSparrow begins targeting Azerbaijani energy sector
The APT group initiated a cyberespionage campaign against an oil and gas company, marking a new focus area.
Bitdefender
2026-02-28
Campaign against Azerbaijani firm concludes
The multi-wave intrusion campaign by FamousSparrow against the Azerbaijani oil and gas company ended, revealing advanced tactics.
Industrialcyber.Co
2026-05-13
Bitdefender publishes findings on FamousSparrow
Bitdefender released detailed research on the APT's activities, highlighting the use of advanced DLL sideloading techniques.
Bitdefender
2026-05-14
FamousSparrow's expansion into South Caucasus reported
Reports confirm that FamousSparrow has broadened its targeting to include critical energy infrastructure in Azerbaijan.
Darkreading

Community

Browse all →