The Deed RAT toolchain | Image: Bitdefender Labs
A relentless cyber-espionage operation has targeted an Azerbaijani oil and gas company, demonstrating that advanced persistent threats (APTs) will systematically hammer the same vulnerability until their access is completely broken.
A newly released technical report from Bitdefender Labs has exposed a highly persistent, multi-wave intrusion spanning from late December 2025 through late February 2026. Attributed with moderate-to-high confidence to the Chinese APT group FamousSparrow (which closely overlaps with the Earth Estries threat ecosystem), the campaign marks a significant geopolitical and technical shift.
“This research documents expansion of Chinese APT activity against South Caucasus energy infrastructure,” the report states, highlighting a crucial development in a region whose strategic importance to European energy security has surged.
The timing of the attack coincides with a critical bottleneck in European energy pipelines following the late-2024 expiration of Russia’s Ukraine gas transit agreement and subsequent maritime transit disruptions in 2026. As Azerbaijan expanded its reach to supply 13 European countries, it positioned itself as a prime target for foreign intelligence gathering.
While the operation relied on standard entry vectors, specifically exploiting unpatched Microsoft Exchange servers via the ProxyNotShell exploit chain to drop web shells, the execution of their payloads revealed a highly sophisticated defensive evasion tactic. Instead of relying on standard DLL sideloading, where a payload executes immediately upon loading, FamousSparrow engineered an elaborate two-stage trigger designed specifically to blind automated analysis environments and security sandboxes.
The primary backdoor, Deed RAT, was staged using a legitimate LogMeIn Hamachi binary (LMIGuardianSvc.exe) along with a malicious loader (LMIGuardianDll.dll) and an encrypted payload file. When the executable launches, the loader’s initial Init export does not activate the malware. Instead, it quietly patches the Windows StartServiceCtrlDispatcherW API in memory to establish a dormant hook.
The loader then steps out of the way, allowing the legitimate application to continue its natural control flow until it hits a separate export called ComMain. Only when ComMain eventually hits the patched service dispatcher is execution transparently diverted into the payload launcher.
“The payload will only run if the application follows the expected sequence of calls, meaning that partial or out-of-context execution is unlikely to trigger it.”
By forcing the host binary to follow its complete startup sequence, the malware implicitly validates its context, ensuring that automated malware sandboxes looking at the DLL in isolation see absolutely no malicious behavior.
Security administrators at the energy firm attempted remediation multiple times, yet the adversaries repeatedly broke back into the network.
- Wave 1 (Late December 2025): Initial access via ProxyNotShell, dropping web shells and deploying Deed RAT disguised inside LogMeIn Hamachi directories.
- Wave 2 (Late January 2026): After defenders disrupted the initial backdoor, the attackers returned to the exact same Exchange entry point. This time, they attempted to deploy an entirely different backdoor family, the kernel driver-backed Terndoor, delivered via a shellcode routine matching the Mofu loader. Although enterprise defenses blocked this wave, memory forensics exposed an RC4 encryption implementation that perfectly matched historical Terndoor fingerprints.
- Wave 3 (Late February 2026): Leveraging their persistent access, the threat actors returned to deploy a refined version of Deed RAT featuring an entirely rewritten configuration. This final variant shifted its command-and-control infrastructure to use sentinelonepro[.]com:443 over HTTPS, masquerading as a trusted security vendor to sneak its traffic past network logs.
“The intrusion illustrates that actors will exploit and re-exploit the same access path until the original vulnerability is patched, compromised credentials are rotated, and the attacker’s ability to return is fully disrupted.”
To counteract these stealthy side-loading tactics, Bitdefender Labs recommends implementing real-time memory scanning to detect unauthorized memory protection changes (VirtualProtect calls) and tracking suspicious service creation events, specifically looking for kernel drivers whose image path points to user-writable locations such as C:\ProgramData or C:\Temp.