Chinese APT Group Exploits Microsoft Exchange in Prolonged Espionage Against Azerbaijani Energy Sector

A sophisticated Chinese state-sponsored hacking group, identified as FamousSparrow, has orchestrated a prolonged cyber-espionage campaign targeting an Azerbaijani oil and gas company. By exploiting unpatched Microsoft Exchange servers, the attackers implanted multiple backdoors and maintained persistent access from late December 2025 through late February 2026. The incident stands as one of the most thoroughly documented Chinese Advanced Persistent Threat (APT) intrusions into energy infrastructure in the South Caucasus region.

Persistent and Evolving Attack Strategies

The attackers demonstrated remarkable persistence, returning to the compromised Exchange server on three separate occasions. Each visit involved deploying different malware families and adapting their tactics in response to the defenders’ remediation efforts. This adaptability underscores a deliberate and sustained espionage campaign rather than an opportunistic breach.

Researchers at Bitdefender, who closely monitored the operation, attributed the intrusion to FamousSparrow with moderate-to-high confidence. They noted significant overlaps with the Earth Estries threat cluster, suggesting a coordinated effort among Chinese APT groups.

Exploitation of Microsoft Exchange Vulnerabilities

The initial breach occurred on December 25, 2025, when the attackers exploited the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) in Microsoft Exchange servers. These vulnerabilities allowed unauthenticated remote code execution, enabling the attackers to implant web shells into publicly accessible directories on the server. Files such as key.aspx, log.aspx, errorFE_.aspx, and signout_.aspx were used to establish a foothold for issuing commands and staging further payloads.
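The foothold described above leaves two artefacts a defender can check for: .aspx pages in the externally reachable Exchange directories that are not part of the product's own page set, and HTTP POST traffic to those pages in the IIS logs. The script below, an added example and not part of the original report or of Bitdefender's tooling, builds a known-good baseline, flags unknown pages (including lookalikes of legitimate pages, such as the underscore-suffixed names the report lists), and correlates them with W3C-format IIS log lines. The baseline entries, the directory listing and the log excerpt are constructed for illustration; only the four web shell file names come from the report.

```python
"""Flag candidate web shells on an Exchange front end and correlate with IIS logs.

Signals combined:
  1. .aspx files under externally reachable Exchange directories that are not
     in a known-good baseline (Exchange ships a fixed, enumerable set of pages).
  2. IIS W3C log lines recording POST requests to those unknown pages.
All sample data below is constructed; the baseline is a hypothetical subset
and must in practice be generated from a clean install of the same build.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field
from typing import Iterable, Iterator

# Hypothetical known-good inventory (lower-cased virtual paths).
BASELINE = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/owa/auth/signout.aspx",
    "/ecp/default.aspx",
}
# Directories served to the internet by an Exchange front end (assumed set).
EXPOSED_ROOTS = ("/owa/auth/", "/ecp/", "/aspnet_client/")

# Constructed listing of .aspx files found on the suspect server.
SAMPLE_LISTING = [
    "/owa/auth/logon.aspx",
    "/owa/auth/errorFE.aspx",
    "/owa/auth/errorFE_.aspx",    # lookalike of the legitimate errorFE.aspx
    "/owa/auth/signout.aspx",
    "/owa/auth/signout_.aspx",    # lookalike of the legitimate signout.aspx
    "/aspnet_client/key.aspx",
    "/aspnet_client/log.aspx",
    "/ecp/default.aspx",
]

# Constructed IIS W3C log excerpt; the #Fields header drives the parser.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-25 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-12-25 03:15:12 10.0.0.5 POST /aspnet_client/key.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-12-25 03:15:40 10.0.0.5 POST /owa/auth/errorFE_.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-12-25 03:16:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.9 Mozilla/5.0 302
"""


@dataclass
class Finding:
    path: str                                   # path as found on disk
    reason: str                                 # why it was flagged
    post_clients: set[str] = field(default_factory=set)  # client IPs that POSTed to it


def _lookalike_of(path: str) -> str | None:
    """Return the baseline page this name imitates (same name minus '_'), if any."""
    directory, name = posixpath.split(path.lower())
    stripped = posixpath.join(directory, name.replace("_", ""))
    if stripped != path.lower() and stripped in BASELINE:
        return stripped
    return None


def unknown_pages(listing: Iterable[str]) -> dict[str, Finding]:
    """Map lower-cased path -> Finding for every exposed .aspx not in the baseline."""
    findings: dict[str, Finding] = {}
    for path in listing:
        norm = path.lower()
        if not norm.startswith(EXPOSED_ROOTS) or not norm.endswith(".aspx"):
            continue
        if norm in BASELINE:
            continue
        imitated = _lookalike_of(path)
        reason = f"not in baseline; imitates {imitated}" if imitated else "not in baseline"
        findings[norm] = Finding(path, reason)
    return findings


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per IIS W3C record, keyed by the names in the #Fields header."""
    fields: list[str] | None = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than mis-map fields
        yield dict(zip(fields, parts))


def correlate(listing: Iterable[str], log_text: str) -> dict[str, Finding]:
    """Attach POSTing client IPs to each unknown page seen in the IIS log."""
    findings = unknown_pages(listing)
    for rec in parse_w3c(log_text):
        uri = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") == "POST" and uri in findings:
            findings[uri].post_clients.add(rec["c-ip"])
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LISTING, SAMPLE_IIS_LOG).values():
        print(f"{f.path}: {f.reason}; POST from {sorted(f.post_clients) or 'nobody yet'}")
```

Pages flagged with no POST traffic are still worth pulling for review: a shell may have been staged and not yet used, or the relevant log window may have rolled over.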

Deployment of Advanced Malware and Evasion Techniques

Following the initial compromise, the attackers deployed a sophisticated three-component malware chain disguised as the legitimate LogMeIn Hamachi VPN application. This approach aimed to reduce suspicion and evade detection. The loader file, LMIGuardianDll.dll, was placed alongside a genuine LogMeIn binary and sideloaded during normal startup. The Deed RAT payload was stored in an encrypted file named .hamachi.lng, decrypted in memory using AES-128 and RC4 encryption algorithms. To ensure persistent access, a Windows service mimicking LogMeIn Hamachi was created to auto-launch the malware upon system restart.

A notable aspect of this campaign was the evolved DLL sideloading technique used to conceal the Deed RAT loader. Unlike typical sideloading methods that trigger malicious code upon DLL loading, this version split its logic across two export functions named Init and ComMain. This sophisticated approach was designed to defeat automated security analysis tools, highlighting the attackers’ advanced capabilities.

Implications for the Energy Sector

The timing of this intrusion is particularly significant, as Azerbaijan has become a critical gas supplier for Europe following the expiration of Russia’s Ukraine transit deal in 2024 and disruptions in the Strait of Hormuz in early 2026. The targeted attack on an Azerbaijani oil and gas company underscores the strategic importance of energy infrastructure and the lengths to which state-sponsored actors will go to infiltrate and monitor such critical sectors.

Recommendations for Mitigation

Organizations, especially those within the energy sector, should take the following steps to mitigate similar threats:

1. Patch Management: Regularly update and patch all software, particularly critical systems like Microsoft Exchange servers, to close known vulnerabilities.

2. Network Segmentation: Implement network segmentation to limit the spread of malware and restrict unauthorized access to sensitive systems.

3. Monitoring and Detection: Deploy advanced monitoring tools to detect unusual activities, such as the creation of unexpected web shells or unauthorized services.

4. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a security breach.

5. User Training: Conduct regular cybersecurity awareness training for employees to recognize phishing attempts and other common attack vectors.

By implementing these measures, organizations can enhance their resilience against sophisticated cyber threats and protect their critical infrastructure from state-sponsored attacks.