New research from Bitdefender details a multi-wave cyberespionage campaign against an Azerbaijani oil and gas company, run from late December 2025 through February 2026 by a China-linked APT (advanced persistent threat) group known as FamousSparrow. The operation marks an expansion of Chinese cyber activity into the South Caucasus energy sector, a strategically sensitive region positioned between Iran, Turkey, and Russia.
The attackers used an evolved DLL sideloading technique designed to evade sandbox analysis and deployed updated variants of the Deed RAT malware for persistent access inside the victim environment. Bitdefender attributed the activity to FamousSparrow with moderate-to-high confidence, noting overlaps with the Earth Estries threat ecosystem. The campaign adds to a growing body of evidence showing FamousSparrow broadening its targeting beyond hospitality, telecom, and government entities into critical energy infrastructure.
“Unlike standard DLL sideloading that relies on simple file replacement, this method overrides two specific exported functions within the malicious library,” Bitdefender researchers wrote in a Wednesday blog post. “This creates a two-stage trigger that gates the Deed RAT loader’s execution through the host application’s natural control flow, further evolving the defense evasion capabilities of traditional DLL sideloading.”
Bitdefender said that while Russia-aligned espionage campaigns have expanded westward from Central Asia, China-linked activity is now emerging in the South Caucasus, with attackers targeting energy infrastructure in a region that has grown in strategic importance to European energy security since 2025. The intrusion also expands the known operational footprint of the FamousSparrow group, which had previously been linked to attacks on telecom, government, and technology organizations across the U.S., Asia-Pacific, the Middle East, and South Africa.
Beyond the delivery mechanism, they added that the operation is characterized by the deployment of two distinct backdoor families, Deed RAT and Terndoor, which were utilized across three separate waves of activity. This technical variety is matched by a strategic persistence, evidenced by the attackers’ repeated return to the same vulnerable Microsoft Exchange server entry point despite multiple remediation attempts.
“This targeting extends the known FamousSparrow victimology into a region where Azerbaijan’s role in European energy security has materially increased following the 2024 expiration of Russia’s Ukraine gas transit agreement and 2026 Strait of Hormuz disruptions,” the post detailed. “The intrusion illustrates that actors will exploit and re-exploit the same access path until the original vulnerability is patched, compromised credentials are rotated, and the attacker’s ability to return is fully disrupted.”
The campaign also revealed significant evolution in the group’s Deed RAT malware toolchain. Researchers identified updated magic values, a shift from Snappy to Deflate compression for plugin decompression, and a sophisticated two-stage DLL sideloading technique designed to evade automated analysis. The malware remained dormant until the host application completed a specific sequence of internal calls, allowing it to bypass sandboxes that analyze code in isolation.
Researchers highlighted attackers’ persistence and operational discipline. Over two months, the group repeatedly regained access through the same Microsoft Exchange entry point while rotating malware families, including Deed RAT, a failed Terndoor deployment attempt, and a modified Deed RAT variant. The repeated re-entry and tooling changes pointed to a sustained espionage operation with redundant persistence mechanisms and willingness to adapt tooling mid-operation, rather than merely an opportunistic compromise.
Bitdefender noted that a separation between preparation and execution introduces a dependency on the normal behavior of the host application, effectively gating the malicious logic behind a legitimate execution path. The payload will only run if the application follows the expected sequence of calls, meaning that partial or out-of-context execution is unlikely to trigger it.
“From an analysis perspective, this has clear implications,” the post noted. “In many sandbox or automated triage environments, the DLL may be executed on its own, a single export may be invoked, or the full application workflow may not be reproduced. Under those conditions, the malware appears largely inactive. The hook may be installed, but without the subsequent API call, the loader is never reached and the payload remains concealed.”
In this way, Bitdefender observed that the malware implicitly validates its execution context. “Rather than relying on explicit anti-analysis checks (checking for virtual machines, debuggers, hooks, usernames, or process lists), it ensures that its behavior is only exposed when it is exercised in the same way as the legitimate application. This reduces the likelihood of accidental activation during superficial analysis and makes the sample significantly less revealing in incomplete environments.”
After establishing persistence on the initial compromised host, the attackers expanded laterally across the environment using Remote Desktop Protocol and a domain administrator account, indicating they had already obtained highly privileged credentials. They opened an interactive PowerShell session and manually deployed the Deed RAT malware on a second server to create an additional persistence point. From there, the attackers used Impacket-associated tools such as atexec and smbexec over SMB and Windows admin shares to spread to additional systems, demonstrating a deliberate effort to maintain resilient and redundant access within the network.
Bitdefender said that, at some stage, remediation actions were taken and the malware was removed from at least one affected system. “However, rather than abandoning the intrusion, the attackers returned to the same vulnerable Exchange server nearly a month after the initial compromise attempt. This time, instead of redeploying Deed RAT immediately, they attempted to install a different backdoor identified as Terndoor.”
In the final wave of activity at the end of February, the attackers redeployed Deed RAT using the same execution chain observed earlier in the intrusion, but with a modified configuration that suggested ongoing adjustments to their tooling while maintaining a trusted access path. The updated variant used sentinelonepro[.]com over HTTPS on port 443 for command-and-control communications, with all malware components relocated to the C:\Recovery directory.
Organizations should immediately patch internet-facing services, particularly Microsoft Exchange servers vulnerable to ProxyShell and ProxyNotShell exploits that have been publicly documented since 2021 and 2022. Attackers continue to target unpatched systems, and where immediate patching is not possible, Exchange servers should be segmented to prevent a compromise from leading to domain-wide access.
Researchers also emphasized the need for runtime behavioral monitoring because signature-based detection is often ineffective against fileless execution, DLL sideloading, and malware loaders that activate only through legitimate application workflows. Defenders should monitor for suspicious API hooking at the kernel level, since legitimate applications rarely patch system API entry points outside of signed system components or approved security tools.
The report further recommended monitoring for lateral movement through Remote Desktop Protocol and SMB-based remote execution tools. Unusual RDP sessions using domain administrator credentials outside normal maintenance windows should trigger alerts, while the use of Impacket tools such as atexec, smbexec, or PsExec should be logged and reviewed because they are uncommon in standard business operations. Researchers also warned that compromised administrator credentials must be rotated immediately after remediation because attackers frequently reuse stolen credentials to regain access even after malware has been removed.
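The two lateral-movement checks recommended above, as an added illustration that is not part of the Bitdefender report or the article: a small Python detector run over constructed Windows event records (not real logs from the intrusion). The domain-admin account name, the maintenance window and the smbexec-style service command pattern are all assumptions.

```python
"""Toy detector for two patterns the report recommends watching:
RDP logons by a domain-admin account outside a maintenance window, and
service installs whose command line looks like Impacket smbexec usage."""
import re
from datetime import datetime

# Constructed sample events (assumed field layout, not the report's data):
# 4624 = logon (logon_type 10 = RemoteInteractive/RDP), 7045 = new service installed.
SAMPLE_EVENTS = [
    {"ts": "2026-01-15T02:13:00", "id": 4624, "user": "CORP\\da-admin",
     "logon_type": 10, "detail": "src=10.0.0.5"},
    {"ts": "2026-01-15T11:00:00", "id": 4624, "user": "CORP\\da-admin",
     "logon_type": 10, "detail": "src=10.0.0.9"},
    {"ts": "2026-01-15T02:14:30", "id": 7045, "user": "CORP\\da-admin", "logon_type": None,
     "detail": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>&1 "
               "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat"},
    {"ts": "2026-01-15T11:05:00", "id": 7045, "user": "SYSTEM", "logon_type": None,
     "detail": "C:\\Program Files\\Vendor\\agent.exe"},
]

DOMAIN_ADMINS = {"CORP\\da-admin"}   # assumed privileged accounts to watch
MAINT_WINDOW = (9, 17)               # assumed approved maintenance hours (local)

# smbexec-style service binary: cmd via %COMSPEC% with output redirected to an
# admin share over loopback. Tune this pattern to your own telemetry.
IMPACKET_SVC_RE = re.compile(r"%COMSPEC%.*\\\\127\.0\.0\.1\\(C|ADMIN)\$", re.IGNORECASE)

def rdp_admin_outside_window(ev):
    """True for an RDP logon by a domain admin outside the maintenance window."""
    if ev["id"] != 4624 or ev["logon_type"] != 10 or ev["user"] not in DOMAIN_ADMINS:
        return False
    hour = datetime.fromisoformat(ev["ts"]).hour
    return not (MAINT_WINDOW[0] <= hour < MAINT_WINDOW[1])

def impacket_style_service(ev):
    """True for a service install whose binary path matches the smbexec pattern."""
    return ev["id"] == 7045 and bool(IMPACKET_SVC_RE.search(ev["detail"]))

def find_alerts(events):
    """Return (rule, timestamp, user) tuples for every event that fires a rule."""
    alerts = []
    for ev in events:
        if rdp_admin_outside_window(ev):
            alerts.append(("rdp_admin_off_hours", ev["ts"], ev["user"]))
        if impacket_style_service(ev):
            alerts.append(("impacket_service_install", ev["ts"], ev["user"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the detector fires twice: once for the 02:13 off-hours RDP logon and once for the smbexec-style service install that follows it.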
In conclusion, Bitdefender said the intrusion should not be viewed as an isolated breach, but as a sustained and adaptive espionage operation in which the attackers repeatedly regained and expanded access inside the victim environment. Across multiple waves of activity, the group reused the same access path, deployed new payloads, and established additional footholds, demonstrating persistence and strong operational discipline.
The research also adds new insight into the group’s malware ecosystem by documenting a detailed Deed RAT deployment and loading chain, identifying implementation changes that distinguish the latest samples from previously known variants, and showing how a second-wave payload linked to Terndoor was staged through a Mofu loader chain. Together, the findings highlight the evolving nature of the operation and reinforce the need for organizations to treat such intrusions as long-term campaigns rather than one-time incidents.