
FamousSparrow APT Expands Targeting to Azerbaijani Energy Sector

Severity: High (Score: 76.2)

Sources: Bitdefender, www.welivesecurity.com, Darkreading, businessinsights.bitdefender.com, attack.mitre.org

Summary

FamousSparrow, a China-aligned APT group, launched a multi-wave cyberespionage campaign against an Azerbaijani oil and gas company from late December 2025 to February 2026. The attackers employed an evolved DLL sideloading technique to deploy the Deed RAT and Terndoor backdoors, enhancing their evasion capabilities. This marks a significant expansion of their operations into the South Caucasus, a region critical for European energy security. The campaign demonstrates strategic persistence, with attackers repeatedly exploiting the same vulnerabilities despite remediation efforts. The tools used in this operation show notable improvements, including a two-stage trigger mechanism for the Deed RAT loader. The targeting of Azerbaijan indicates a shift in Chinese APT activities, previously focused on the hospitality and government sectors, now extending into critical infrastructure. The operation highlights the geopolitical implications of cyber threats in contested regions.

Key Points

  • FamousSparrow targeted an Azerbaijani oil and gas company from late December 2025 to February 2026.
  • The group utilized advanced DLL sideloading techniques to deploy the Deed RAT and Terndoor backdoors.
  • This operation marks a significant expansion of Chinese cyber activity into the South Caucasus energy sector.

Key Entities

  • Agrius (apt_group)
  • Apt28 (apt_group)
  • Apt29 (apt_group)
  • Apt32 (apt_group)
  • Apt38 (apt_group)
  • Fin13 (malware)
  • Cutting Edge (malware)
  • Antak (malware)
  • AntSword (malware)
  • ASPXSpy (malware)
  • Versa Director (platform)
  • Apache (platform)
  • DotNetNuke (platform)
  • IIS (platform)
  • Internet Information Services (platform)
  • Malware (attack_type)
  • C0032 Campaign (campaign)
  • Leviathan Australian Intrusions (campaign)
  • Operation Digital Eye (campaign)
  • Operation Wocao (campaign)
  • SharePoint ToolShell Exploitation (campaign)
  • Armenia (country)
  • Austria (country)
  • Azerbaijan (country)
  • China (country)
  • Georgia (country)
  • CVE-2021-26855 (cve)
  • CVE-2021-31207 (cve)
  • CVE-2021-34473 (cve)
  • CVE-2021-34523 (cve)
  • CVE-2022-41040 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • news.com (domain)
  • runner.ec (domain)
  • runner.lk (domain)
  • sentinelonepro.com (domain)
  • webshell.se (domain)
  • Energy (industry)
  • Financial (industry)
  • 0554f3b69d39d175dd110d765c11347a (md5)
  • 505b55c2b68e32acb5ad13588e1491a5 (md5)
  • 762f787534a891eca8aa9b41330b4108 (md5)
  • T1021 - Remote Services (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Nginx (tool)
  • Atexec (tool)
  • Certutil.exe (tool)
  • Impacket (tool)
  • Invoke-BadPotato (tool)
  • Blackbyte (ransomware_group)
  • BAED2895C80EB6E827A6D47C3DD7B8EFB61ED70B (sha1)
  • ProxyLogon (vulnerability)
  • ProxyNotShell (vulnerability)
  • ProxyShell (vulnerability)