
China-linked FamousSparrow spent three months breaking back into an Azerbaijani oil and gas company through the same Microsoft Exchange flaw - first known China APT hit on South Caucasus energy

Bitdefender researchers documented a China-linked espionage group called FamousSparrow repeatedly compromising an Azerbaijani oil and gas company between late December 2025 and late February 2026. Each time the victim cleaned up, the attackers came back through the same unpatched Microsoft Exchange Server and dropped a new backdoor - first Deed RAT (a ShadowPad relative used by several Chinese groups), then TernDoor. The group overlaps with the Earth Estries cluster, which itself overlaps with Salt Typhoon. This is the first time FamousSparrow has been seen targeting South Caucasus energy infrastructure, a region whose role in supplying gas to Europe grew sharply after Russia's Ukraine transit deal expired.

Check
Audit Microsoft Exchange Server patch status across the estate, hunt for DLL sideloading patterns where signed executables load suspicious libraries, and search proxy and DNS logs for connections to sentinelonepro[.]com.
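The log search in the check above, as an added example that is not part of Bitdefender's report or this brief: it refangs the indicator, extracts hostnames from proxy and DNS lines, and matches the domain and its subdomains by suffix rather than by substring, so a lookalike such as the constructed notsentinelonepro.com does not fire. The log formats (Squid access log, dnsmasq query log) and all sample lines are assumptions.

```python
"""Hunt proxy and DNS logs for the FamousSparrow C2 domain from the brief."""
import re
from typing import Iterable, List, Tuple

# Indicator copied from the brief in its defanged form.
DEFANGED_IOC = "sentinelonepro[.]com"

# Constructed sample lines: two Squid-style proxy entries and two dnsmasq query lines.
SAMPLE_LOGS = [
    "1772000000.123 45 10.0.5.17 TCP_TUNNEL/200 3021 CONNECT update.sentinelonepro.com:443 - HIER_DIRECT/203.0.113.10 -",
    "1772000001.456 12 10.0.5.22 TCP_MISS/200 812 GET http://notsentinelonepro.com/ - HIER_DIRECT/198.51.100.5 text/html",
    "Feb 20 09:15:01 dnsmasq[512]: query[A] sentinelonepro.com from 10.0.5.17",
    "Feb 20 09:15:02 dnsmasq[512]: query[A] mail.example.com from 10.0.5.30",
]

# Hostname with optional scheme prefix and optional :port suffix; group 1 is the host.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', 'hxxp') back into its live form for matching."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def matches_domain(host: str, ioc_domain: str) -> bool:
    """True if host is the indicator itself or any subdomain of it (case-insensitive)."""
    h = host.lower().rstrip(".")
    d = ioc_domain.lower()
    return h == d or h.endswith("." + d)


def extract_hosts(line: str) -> List[str]:
    """Pull every hostname-looking token out of a log line (IPs and timestamps are skipped)."""
    return HOST_RE.findall(line)


def hunt(lines: Iterable[str], defanged_ioc: str = DEFANGED_IOC) -> List[Tuple[str, str]]:
    """Return (line, matched_host) pairs where a hostname in the line hits the indicator."""
    ioc = refang(defanged_ioc)
    hits = []
    for line in lines:
        for host in extract_hosts(line):
            if matches_domain(host, ioc):
                hits.append((line, host))
                break
    return hits


if __name__ == "__main__":
    for line, host in hunt(SAMPLE_LOGS):
        print(f"HIT {host}: {line}")
```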
Affected
Internet-exposed Microsoft Exchange Server instances. Energy sector organizations operating in or partnering with Azerbaijan, Armenia, and Georgia, plus their European downstream gas customers.
Fix
Patch Exchange to the current security update and confirm ProxyNotShell-class fixes are applied. Rotate credentials exposed during prior intrusions, hunt for Deed RAT and TernDoor IoCs from Bitdefender's report, and block sentinelonepro[.]com.