FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit
hackread.com
Bitdefender Labs reveals how the China-linked FamousSparrow hacking group targeted an Azerbaijani energy firm using ProxyNotShell, Deed RAT, and Terndoor malware across three persistent waves.
A new research report from Bitdefender Labs reveals a hacking campaign against an oil and gas firm in Azerbaijan, which was carried out in phases between December 2025 and February 2026. Researchers have attributed it to the China-aligned group FamousSparrow. The notable aspect of their research is the group’s sudden change in strategic interest, with the South Caucasus energy infrastructure becoming its latest target.
The Attack Cycle
According to research details shared by Bitdefender’s Martin Zugec, the campaign involved three distinct waves of activity, the first of which began on 25 December 2025. In this wave, the hackers used a vulnerability called ProxyNotShell to gain access to the company’s Microsoft Exchange server. To stay undetected, the group used a clever logic gate ...
Copyright of this story solely belongs to hackread.com.

