Back

FamousSparrow APT Targets Azerbaijani Oil and Gas Sector

Severity: High (Score: 75.5)

Sources: attack.mitre.org, www.welivesecurity.com, Bitdefender, businessinsights.bitdefender.com, Darkreading

Summary

The FamousSparrow APT group has launched a multi-wave cyber intrusion against an Azerbaijani oil and gas company, with attacks occurring from late December 2025 to late February 2026. This operation marks the first known targeting of Azerbaijan's energy sector by Chinese-linked actors, previously focused on telecoms and government sectors. The attackers employed an advanced DLL sideloading technique that enhances their ability to evade detection, utilizing two distinct backdoor families: Deed RAT and Terndoor. Despite multiple remediation attempts, the attackers maintained access through a vulnerable Microsoft Exchange server. The operation reflects a strategic shift as Chinese APTs expand their influence in regions traditionally dominated by Russian cyber operations. The tools used in the attack showed significant improvements, complicating detection efforts. The incident underscores the growing geopolitical tensions in the South Caucasus, particularly as energy supplies become increasingly critical for Europe. Key Points: • FamousSparrow APT targeted an Azerbaijani oil and gas firm from late December 2025 to February 2026. • The attackers used advanced DLL sideloading techniques to evade defenses and deploy remote access tools. • This operation signifies a shift in Chinese cyber operations into regions previously dominated by Russian influence.

Key Entities

  • Agrius (apt_group)
  • Apt28 (apt_group)
  • Apt29 (apt_group)
  • Apt32 (apt_group)
  • Apt38 (apt_group)
  • Fin13 (malware)
  • Cutting Edge (malware)
  • Antak (malware)
  • AntSword (malware)
  • ASPXSpy (malware)
  • Versa Director (platform)
  • Apache (platform)
  • DotNetNuke (platform)
  • IIS (platform)
  • Internet Information Services (platform)
  • Malware (attack_type)
  • C0032 Campaign (campaign)
  • Leviathan Australian Intrusions (campaign)
  • Operation Digital Eye (campaign)
  • Operation Wocao (campaign)
  • SharePoint ToolShell Exploitation (campaign)
  • Armenia (country)
  • Austria (country)
  • Azerbaijan (country)
  • China (country)
  • Georgia (country)
  • CVE-2021-26855 (cve)
  • CVE-2021-31207 (cve)
  • CVE-2021-34473 (cve)
  • CVE-2021-34523 (cve)
  • CVE-2022-41040 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • news.com (domain)
  • runner.ec (domain)
  • runner.lk (domain)
  • webshell.se (domain)
  • Energy (industry)
  • Financial (industry)
  • 0554f3b69d39d175dd110d765c11347a (md5)
  • 505b55c2b68e32acb5ad13588e1491a5 (md5)
  • 762f787534a891eca8aa9b41330b4108 (md5)
  • T1055 - Process Injection (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Nginx (tool)
  • Certutil.exe (tool)
  • Invoke-BadPotato (tool)
  • LogMeIn Hamachi (tool)
  • PowerHub (tool)
  • Blackbyte (ransomware_group)
  • BAED2895C80EB6E827A6D47C3DD7B8EFB61ED70B (sha1)
  • ProxyLogon (vulnerability)
  • ProxyNotShell (vulnerability)
  • ProxyShell (vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed