FamousSparrow Attacks Oil and Gas Sector Using MS Exchange Server Vulnerability

Recent findings from Bitdefender Labs reveal that the hacking group FamousSparrow, believed to be linked to China, executed a targeted attack against an Azerbaijani energy company utilizing ProxyNotShell, Deed RAT, and Terndoor malware across three distinct waves.

According to a newly published report by Bitdefender Labs, a series of coordinated cyberattacks aimed at an oil and gas firm in Azerbaijan were carried out from December 2025 to February 2026 by the China-aligned group FamousSparrow. This shift in focus toward South Caucasus energy infrastructure marks a significant strategic pivot for the group.

The Attack Cycle

Bitdefender’s Martin Zugec provides detailed insights into the attack cycle, revealing that the campaign unfolded in three separate phases, with the initial wave commencing on December 25, 2025. During this phase, attackers exploited the ProxyNotShell vulnerability to infiltrate the company’s Microsoft Exchange server. They employed a sophisticated logic gate technique to deliver malware undetected.

The modus operandi included DLL sideloading, in which the attackers abused a legitimate application, LMIGuardianSvc.exe, to load a malicious file, lmiguardiandll.dll. This maneuver activated the SNAPPYBEE backdoor (also known as Deed RAT), granting the attackers remote access to the compromised systems.

Even as the organization attempted to eliminate the malware, the attackers repeatedly exploited the same unpatched vulnerability on three occasions within two months. This reiterates the critical point that addressing malware alone is insufficient if the initial pathways for exploitation remain unaddressed.

Gaining Deep Access

The second wave of attacks, observed in January 2026, involved the deployment of a tool named Terndoor. To circumvent antivirus defenses, the hackers used the Mofu loader, an obfuscated component that kept the malware’s commands hidden in the host computer’s memory. Once operational, Terndoor installed a driver called vmflt.sys.

Installing the driver registered a new service in the Windows registry at HKLM\SYSTEM\ControlSet001\Services\vmflt, which established a rootkit and granted the attackers deep, elevated control over the system. Using the Impacket toolkit alongside Remote Desktop Protocol (RDP), the attackers harvested administrative passwords, enabling lateral movement throughout the network.
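The two persistence techniques described above, DLL sideloading through a trusted host binary and kernel-driver service registration under HKLM\SYSTEM\ControlSet001\Services, both leave traces in endpoint telemetry that a defender can triage. The following is an added example, not code from Bitdefender or from the article: it parses a handful of constructed, Sysmon-like records (the `key=value|key=value` format, the file paths, the `signed` flag, the host-binary watchlist and the heuristics are all assumptions of this example) and flags the two patterns.

```python
"""Triage constructed endpoint telemetry for two persistence patterns:
(1) a watched host binary (e.g. LMIGuardianSvc.exe) loading an unsigned DLL
    or running from outside the Program Files directories (DLL sideloading);
(2) a registry write that points a service ImagePath at a .sys driver
    located outside the Windows drivers directory (rootkit-style service).
Everything below is an illustrative example; the record format and paths
are constructed, not real Sysmon output."""
import ntpath
import re
from typing import Callable, Dict, List, Optional

# Constructed sample records in a simple "key=value|key=value" form.
SAMPLE_EVENTS = [
    # Benign: vendor service in Program Files loads a signed system DLL.
    r"type=ImageLoad|image=C:\Program Files\Vendor\LMIGuardianSvc.exe|loaded=C:\Windows\System32\wininet.dll|signed=true",
    # Suspicious: a copy of the trusted host in a writable directory loads an unsigned DLL.
    r"type=ImageLoad|image=C:\Users\Public\LMIGuardianSvc.exe|loaded=C:\Users\Public\lmiguardiandll.dll|signed=false",
    # Benign: an existing driver service whose binary lives in System32\drivers.
    r"type=RegistryValueSet|key=HKLM\SYSTEM\ControlSet001\Services\storport\ImagePath|value=System32\drivers\storport.sys",
    # Suspicious: new driver service (name taken from the article) pointing outside the drivers directory.
    r"type=RegistryValueSet|key=HKLM\SYSTEM\ControlSet001\Services\vmflt\ImagePath|value=C:\ProgramData\vmflt.sys",
]

# Assumed watchlist of binaries known to be abused as sideload hosts.
SIDELOAD_HOSTS = {"lmiguardiansvc.exe"}
TRUSTED_PROGRAM_DIRS = (r"c:\program files", r"c:\program files (x86)")
DRIVER_DIR = r"system32\drivers"
SERVICE_IMAGEPATH_RE = re.compile(
    r"hklm\\system\\(controlset\d+|currentcontrolset)\\services\\([^\\]+)\\imagepath$"
)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value|key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_sideload(ev: Dict[str, str]) -> Optional[str]:
    """Flag a watched host binary that loads an unsigned DLL or that runs
    from outside the Program Files directories (assumed heuristics)."""
    if ev.get("type") != "ImageLoad":
        return None
    host = ntpath.basename(ev["image"]).lower()
    if host not in SIDELOAD_HOSTS:
        return None
    host_dir = ntpath.dirname(ev["image"]).lower()
    unsigned = ev.get("signed", "false").lower() != "true"
    if unsigned or not host_dir.startswith(TRUSTED_PROGRAM_DIRS):
        return (f"possible DLL sideload: {host} in {host_dir} loaded "
                f"{ev['loaded']} (signed={not unsigned})")
    return None


def check_driver_service(ev: Dict[str, str]) -> Optional[str]:
    """Flag a service ImagePath write under HKLM\\SYSTEM\\ControlSet*\\Services
    whose target is a .sys file outside the Windows drivers directory."""
    if ev.get("type") != "RegistryValueSet":
        return None
    match = SERVICE_IMAGEPATH_RE.match(ev["key"].lower())
    if not match:
        return None
    service = match.group(2)
    image = ev["value"].lower().strip('"')
    if image.endswith(".sys") and DRIVER_DIR not in image:
        return (f"driver service '{service}' registered with ImagePath "
                f"outside the drivers directory: {ev['value']}")
    return None


CHECKS: List[Callable[[Dict[str, str]], Optional[str]]] = [check_sideload, check_driver_service]


def triage(lines: List[str]) -> List[str]:
    """Run every check over every record and return the findings in order."""
    findings: List[str] = []
    for line in lines:
        ev = parse_event(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records, `triage` returns two findings: the unsigned lmiguardiandll.dll loaded by a copy of LMIGuardianSvc.exe in C:\Users\Public, and the vmflt service whose ImagePath points at C:\ProgramData. The benign records (a signed system DLL loaded by the vendor binary in Program Files, and storport.sys under System32\drivers) produce nothing, which is the property a production rule needs before it is worth alerting on.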

Attack flow explained (Source: Bitdefender)

Attackers’ Evolving Tactics

C:\Recovery directory and utilizing the address sentineloneprocom for command and control operations.

This domain choice appeared to mimic legitimate security communication, rendering the malicious activity indistinguishable from routine software updates. The new version of the malware adeptly concealed itself within standard Windows processes like SearchIndexer.exe and dwm.exe, employing AES-CBC and RC4 encryption to obscure its configuration.

The three waves (Source: Bitdefender)

Researchers emphasized that the operation’s complexity is highlighted by the use of two distinct backdoor families, Deed RAT and Terndoor, deployed across three different attack waves. This tactical diversity, paired with clear persistence in the form of repeated access to the same vulnerable Microsoft Exchange server, underscores the need for robust cybersecurity measures. The findings illustrate that relentless attackers do not merely execute hit-and-run tactics; they continually adapt and return to exploit the same vulnerabilities.

The primary takeaway from this research is the importance of timely patching of public-facing software such as Microsoft Exchange, combined with consistent monitoring for API hooking, a method that lets attackers intercept internal system communications to maintain control.
