Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

By The Hacker News
Publication Date: 2026-05-13 13:00:00

Ravie LakshmananMay 13, 2026Cyber Espionage / Malware

A threat actor with affiliations to China has been linked to a “multi-wave intrusion” targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting.

The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of tactical overlap with clusters tracked under the monikers Earth Estries and Salt Typhoon.

The attack paves the way for the deployment of two distinct backdoors across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad that’s used by multiple China-nexus espionage groups, and TernDoor, which was recently discovered in attacks targeting telecommunications infrastructure in South America since 2024.

Cybersecurity

What’s notable about the campaign is that it repeatedly leveraged the same vulnerable Microsoft Exchange Server entry…