Imagine a security analyst at an Azerbaijani energy firm breathing a sigh of relief after patching a critical Microsoft Exchange Server vulnerability. Weeks later, the same attacker is back, walking through the same entry point as if the patch had never been applied. This scenario is not hypothetical. Between December 2025 and February 2026, a China-nexus threat group known as FamousSparrow hit an unnamed oil and gas company in Azerbaijan three times, swapping out its backdoor on each visit while exploiting the same vulnerable Exchange server. These Azerbaijan Exchange exploits highlight a disturbing trend: persistent threat actors who treat a single vulnerability as a revolving door until every access path is fully severed.

The Anatomy of the Azerbaijan Exchange Exploits
The campaign unfolded across three distinct waves, each carrying a different malware payload. The attackers first breached the firm’s network on December 25, 2025, deploying a backdoor called Deed RAT (also known as Snappybee), a sophisticated successor to the ShadowPad malware. Nearly a month later, in late January 2026, they returned with a second backdoor named TernDoor, which had previously been observed targeting telecommunications infrastructure in South America. The third wave hit in late February 2026, deploying a modified version of Deed RAT. Despite the victim’s remediation attempts, the same Microsoft Exchange Server entry point was exploited in every wave.
Three Waves, Two Backdoors, One Entry Point
What makes these Azerbaijan Exchange exploits particularly troubling is the attacker's discipline. They did not probe for new vulnerabilities or pivot to different servers. Instead, they returned to the same exposed Exchange Server, most likely because the ProxyNotShell chain had not been fully remediated after the first wave. Bitdefender, the cybersecurity firm that analyzed the intrusion, noted that the actor revisited the same access path after each round of patching, which indicates that the original vulnerability remained exploitable, that compromised credentials were never rotated, or both.
How Deed RAT and TernDoor Were Deployed
The initial access relied on the ProxyNotShell exploit chain, a well-known pair of Microsoft Exchange vulnerabilities that together allow remote code execution. After gaining entry, the attackers attempted to deploy web shells to keep a foothold. They then used an evolved DLL side-loading technique, abusing the legitimate LogMeIn Hamachi binary to load a malicious DLL that in turn executed the Deed RAT payload. The second wave's attempt to drop TernDoor via DLL side-loading failed, but the third wave successfully deployed a modified Deed RAT that used sentinelonepro[.]com, a domain mimicking a security vendor's brand, for command and control. The variety of payloads and the ability to switch between them demonstrate a high level of operational flexibility.
Why Azerbaijan Became a Target
Azerbaijan's role in European energy security has grown sharply since the expiry of Russia's gas-transit agreement with Ukraine at the end of 2024 and the 2026 Strait of Hormuz disruptions. This geopolitical shift makes the country's energy infrastructure a prime target for espionage and potential sabotage. FamousSparrow, which shares tactical overlaps with groups like Earth Estries and Salt Typhoon, has historically focused on government and telecommunications targets. The move into Azerbaijan's energy sector marks an expansion of its victimology, aligning with broader state-level interests in energy supply chains.
Geopolitical Energy Shifts
The timing of the attacks is no coincidence. With Europe scrambling to diversify its natural gas sources after the Russian pipeline routes were cut, Azerbaijan has become a critical alternative supplier. Any intelligence on the operational capabilities, reserves, or infrastructure vulnerabilities of Azerbaijani energy firms is highly valuable to state actors. This intrusion should not be viewed as an isolated compromise, but as a sustained operation aimed at gathering strategic intelligence over a prolonged period.
Expansion of FamousSparrow Victimology
FamousSparrow has a known history of targeting diplomatic entities, hospitality services, and government agencies in the Middle East and Asia. The decision to target an Azerbaijani energy firm suggests a deliberate reorientation toward energy sector targets in regions where geopolitical tensions are high. Bitdefender assessed with moderate-to-high confidence that the group is behind these Azerbaijan Exchange exploits. This is a clear sign that state-aligned threat actors are willing to invest time and resources to breach high-value targets, returning even when an earlier attempt fails.
Persistence Despite Patching: A Security Nightmare
For incident response teams, an attacker returning through the same door after a patch has been applied is a worst-case scenario. It means at least one of three things: the vulnerability was never truly fixed, compromised credentials were not rotated, or the attacker had established a hidden persistence mechanism that survived remediation. In the case of these Azerbaijan Exchange exploits, the ProxyNotShell chain was most likely not fully closed after the first wave, leaving the actor a working path back in.
The ProxyNotShell Vulnerability
ProxyNotShell is a chain of two Microsoft Exchange Server vulnerabilities: CVE-2022-41040, a server-side request forgery reached through the Autodiscover front end, and CVE-2022-41082, which turns that access into remote code execution via the back-end PowerShell endpoint. Exploitation requires valid credentials, although a low-privileged account is enough. The flaws were disclosed in September 2022 and fixed in the November 2022 Security Updates, but those updates only install on servers already running a supported Cumulative Update, and Microsoft's interim URL Rewrite mitigation was bypassed and revised several times before the fix shipped. The repeated success of this campaign indicates that the target was still missing the fix or had applied it incompletely. This is a common problem in enterprise environments where Exchange patch management is complex and often lags.
The Challenge of Full Remediation
When a threat actor has moved laterally and deployed multiple backdoors, simply patching the initial entry point is insufficient. The attacker often leaves behind web shells, scheduled tasks, or alternative C2 channels that allow them to regain access even after the original vulnerability is closed. In this campaign, the adversary actively conducted lateral movement and established redundant footholds. To fully eradicate the intrusion, the victim would need to perform a complete forensic analysis, rotate all credentials, rebuild compromised systems, and monitor for signs of re-entry — a process that can take weeks.
Technical Deep Dive: The DLL Side-Loading Technique
One of the most striking aspects of this campaign is the use of an advanced DLL side-loading method to deploy Deed RAT. Standard DLL side-loading typically involves placing a malicious DLL file in a directory where a legitimate executable will attempt to load it. This technique remains effective, but many modern security products now detect such file placements. The attackers in this campaign took it a step further by overriding two specific exported functions within the malicious library, creating a two-stage trigger that only activates during the host application’s natural control flow.
Evolution Beyond Standard Side-Loading
The attackers used the legitimate LogMeIn Hamachi binary as the host application. Hamachi is a widely used VPN client signed by its vendor, so the process itself rarely draws suspicion from endpoint detection and response (EDR) tools. By placing a malicious DLL where Hamachi would normally resolve a benign one, the attacker could run the Deed RAT loader inside a trusted process without triggering the usual alerts. The two-stage trigger means the malicious code runs only when Hamachi calls those specific exports, so the activity looks like ordinary application behavior.
Abusing the LogMeIn Hamachi Binary
The rogue DLL re-implements two exported functions that Hamachi calls during normal operation; when the application invokes them, the malicious code runs and launches the Deed RAT payload. This is a meaningful evolution because it slips past signature-based tools and some behavior-based monitoring that watches only process creation. Detecting it requires image-load telemetry: which DLLs a trusted process loads, from which directory, and under whose signature, correlated with whether the host binary itself is running from its expected install path. That level of inspection is not part of most automated scanning, and the attackers demonstrated considerable sophistication in evading defenses.
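As an added example, not code from the article or from Bitdefender's analysis, here is a small Python detector that applies that reasoning to Sysmon Event ID 7 (image load) records. The host binary name hamachi-2.exe, its expected signer string, the directory heuristics and the sample events are assumptions constructed for the demo; verify the real signer and install path on your own systems before deploying anything like it.

```python
"""Flag suspicious DLL loads by known side-loading hosts using Sysmon Event ID 7.

Added example for this article; not Bitdefender's detection logic. The host
name "hamachi-2.exe", its expected signer, the directory lists and the sample
events are assumptions constructed for the demo.
"""
import json
from pathlib import PureWindowsPath

# Signed executables known to be abused as side-loading hosts, mapped to the
# publisher expected on DLLs shipped alongside them (assumed value).
SIDELOAD_HOSTS = {"hamachi-2.exe": "LogMeIn, Inc."}

# DLLs from these protected OS directories are not interesting for this rule.
OS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Locations an attacker can write to without administrative rights.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def classify_image_load(ev):
    """Return reasons an Event ID 7 record looks like side-loading ([] if benign)."""
    host_path = ev["Image"].lower()
    host_name = PureWindowsPath(ev["Image"]).name.lower()
    expected_signer = SIDELOAD_HOSTS.get(host_name)
    if expected_signer is None:
        return []                                  # not a watched host
    dll_path = ev["ImageLoaded"].lower()
    if dll_path.startswith(OS_DIRS):
        return []                                  # OS-supplied, protected path
    reasons = []
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("DLL is unsigned or its signature is invalid")
    elif ev.get("Signature") != expected_signer:
        reasons.append(f"DLL signed by {ev.get('Signature')!r}, not the host's publisher")
    if dll_path.startswith(USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable directory")
    if host_path.startswith(USER_WRITABLE):
        reasons.append("host binary runs from a user-writable directory, not its install path")
    return reasons


def scan_sysmon_jsonl(text):
    """Parse one JSON event per line; return [(ImageLoaded, reasons), ...] for alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue
        reasons = classify_image_load(ev)
        if reasons:
            alerts.append((ev["ImageLoaded"], reasons))
    return alerts


# Constructed sample records (JSON export of Sysmon Event ID 7 fields, not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID":7,"Image":"C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2.exe","ImageLoaded":"C:\\Program Files (x86)\\LogMeIn Hamachi\\vendor.dll","Signed":"true","Signature":"LogMeIn, Inc.","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Users\\Public\\Libraries\\hamachi-2.exe","ImageLoaded":"C:\\Users\\Public\\Libraries\\proxy.dll","Signed":"false","Signature":"","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll","Signed":"false","Signature":"","SignatureStatus":"Unavailable"}
"""

if __name__ == "__main__":
    for dll, why in scan_sysmon_jsonl(SAMPLE_EVENTS):
        print(f"ALERT {dll}\n  - " + "\n  - ".join(why))
```

Expect some noise from the signer-mismatch rule (for example, Microsoft-signed runtime DLLs shipped in a vendor's folder); treat that reason as a triage hint and the unsigned-or-invalid and user-writable-path reasons as the actionable ones.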
Lessons for Energy Sector Cybersecurity
Energy firms around the world can draw several practical lessons from these Azerbaijan Exchange exploits. The most important is that a single patch is rarely enough to stop a determined adversary. Attackers will probe the same vulnerability repeatedly, especially if they suspect that the remediation was incomplete. Organizations must adopt a comprehensive incident response playbook that includes credential rotation, thorough system reimaging, and extended monitoring for at least several weeks after an initial breach.
Beyond Patching: Defense in Depth
Relying on patching as the sole defense against Exchange Server vulnerabilities is dangerous. Energy sector companies should implement network segmentation to limit lateral movement, deploy web application firewalls to filter malicious traffic, and use endpoint detection and response tools that can identify anomalous DLL side-loading behaviors. Additionally, regular vulnerability scanning should be paired with penetration testing to ensure that patches are applied correctly and that no residual vulnerabilities remain.
Monitoring for Re-Exploitation
One of the most effective countermeasures to re-exploitation is to keep watching the original entry point after the patch lands. For Exchange, that means reviewing IIS logs for the Autodiscover-to-PowerShell request pattern that ProxyNotShell produces, scanning the web directories for new or modified web shell artifacts, and alerting on DNS or proxy traffic to C2 domains attributed to the group. In this campaign, sentinelonepro[.]com, the C2 domain used in the third wave, is a clear indicator. Sharing such indicators with cybersecurity firms and industry information-sharing groups helps other organizations defend against similar attacks.
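The following Python script is an added example, not the article's or Bitdefender's code, that implements two of the checks above over constructed log data: it parses IIS W3C logs and flags the ProxyNotShell request shape described in the vulnerability section (the regex approximates the autodiscover/powershell hunting pattern Microsoft published in its September 2022 guidance), and it matches DNS query names against the defanged C2 indicator from the article. The log lines, client addresses, the "evil.example" host and the account name are all constructed.

```python
"""Hunt IIS W3C logs for the ProxyNotShell request shape and DNS logs for a
known C2 domain.

Added example for this article; not Bitdefender's or Microsoft's tooling. The
log lines are constructed, and the regex only approximates Microsoft's
published ProxyNotShell hunting pattern.
"""
import re


def parse_iis_w3c(text):
    """Parse IIS W3C extended logs; the '#Fields:' header names the columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


# The SSRF stage (CVE-2022-41040) hits /autodiscover/autodiscover.json with an
# '@' in the query; the RCE stage (CVE-2022-41082) targets the PowerShell endpoint.
PROXYNOTSHELL_STEM = re.compile(r"/autodiscover/autodiscover\.json", re.I)
PROXYNOTSHELL_QUERY = re.compile(r"@.*powershell|powershell.*@", re.I)


def find_proxynotshell(rows):
    """Split matching rows into (succeeded with HTTP 200, attempted with other status)."""
    succeeded, attempted = [], []
    for r in rows:
        if (PROXYNOTSHELL_STEM.search(r.get("cs-uri-stem", ""))
                and PROXYNOTSHELL_QUERY.search(r.get("cs-uri-query", ""))):
            (succeeded if r.get("sc-status") == "200" else attempted).append(r)
    return succeeded, attempted


def refang(indicator):
    """Turn a defanged indicator like 'x[.]com' back into a matchable name."""
    return indicator.replace("[.]", ".").lower()


KNOWN_C2 = {refang("sentinelonepro[.]com")}   # third-wave C2 domain from the article


def find_c2_lookups(dns_lines):
    """Return (client, qname) for queries equal to or below a known C2 domain."""
    hits = []
    for line in dns_lines:
        parts = line.split()                   # constructed format: time client qname
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        for c2 in KNOWN_C2:
            if qname == c2 or qname.endswith("." + c2):
                hits.append((parts[1], qname))
    return hits


# Constructed IIS log excerpt (not from the victim); the first row is a successful
# authenticated ProxyNotShell request, the third a failed unauthenticated attempt.
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-12-25 03:14:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3f@evil.example 443 CORP\\svc_backup 203.0.113.7 Mozilla/5.0 200 0 0 312
2025-12-25 03:15:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.4 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 40
2025-12-25 03:16:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/ 443 - 203.0.113.7 python-requests/2.31 401 0 0 5
"""

# Constructed DNS query log (time, client, query name).
DNS_SAMPLE = [
    "2026-02-20T10:01:02Z 10.0.0.41 www.microsoft.com.",
    "2026-02-20T10:01:09Z 10.0.0.41 update.sentinelonepro.com.",
    "2026-02-20T10:02:30Z 10.0.0.52 notsentinelonepro.com.",
]

if __name__ == "__main__":
    ok, tried = find_proxynotshell(parse_iis_w3c(IIS_SAMPLE))
    for r in ok:
        print(f"EXPLOITED {r['date']} {r['time']} from {r['c-ip']} as {r['cs-username']}")
    for r in tried:
        print(f"ATTEMPT   {r['date']} {r['time']} from {r['c-ip']} status {r['sc-status']}")
    for client, qname in find_c2_lookups(DNS_SAMPLE):
        print(f"C2 LOOKUP {client} -> {qname}")
```

A successful 200 from the Autodiscover/PowerShell pattern after the patch date is the signal that remediation failed; the account in cs-username on that row is the one whose credentials must be rotated, and the same query run against logs from before the first wave shows how long the access path has actually been in use.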
The repeated exploitation of the same Exchange server entry point in this campaign serves as a stark reminder that persistence often outpaces prevention. Threat actors like FamousSparrow are willing to return again and again, refining their tools each time. For energy sector firms, especially those in geopolitically sensitive regions, the cost of continuous vigilance is high, but the cost of a successful, sustained intrusion is far higher.