```html ```
top of page

FamousSparrow Hit Azerbaijan's Oil and Gas Sector Through Exchange. The C2 Was in Our Feed Since May 14 — Two Months Before the Report Named It.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 1 day ago
  • 4 min read

Bitdefender published a multi-wave intrusion this week against an Azerbaijani oil and gas company, running from late December 2025 through late February 2026. The credit for the analysis is theirs, and it is careful work — three waves, two backdoor families, and a nice piece of DLL-sideloading tradecraft we will walk through. We want to add one thing to it, because we can: the hard-coded command-and-control domain the primary backdoor calls home to was already sitting in our feed on May 14, unattributed, at moderate confidence — roughly two months before this report gave it a name and a campaign.


That is the whole point of running a feed. You do not always know what an indicator is when you catch it. You just need to be carrying it before it matters.



Get the attribution right first


The wire coverage of this campaign has been loose with the name. Some outlets filed it under Salt Typhoon. That is not what the primary research says. Bitdefender attributes this activity, with moderate-to-high confidence, to FamousSparrow — the crew that overlaps with the Earth Estries ecosystem. The Salt Typhoon thread exists but it is narrow: Cisco Talos linked one of the two backdoors, TernDoor, back to Salt Typhoon infrastructure. An overlap in one tool is not an attribution of the whole operation. If you are going to brief this upstairs, brief it as FamousSparrow with a TernDoor overlap into Salt Typhoon, not as Salt Typhoon proper. The difference matters when someone asks you why the telecom-focused crew is suddenly in an oil field.


And that is the real story under the malware: a China-nexus actor whose historical targeting sat in government, hospitality, and telecom is now inside South Caucasus energy. Azerbaijan is a supply line into European energy markets. When a state-aligned crew re-tools to sit quietly inside that supply line, the tooling is the footnote and the target selection is the headline.



How they got in


Initial access was Microsoft Exchange — the ProxyShell and ProxyNotShell exploit chains, the same on-premises Exchange weaknesses that have been feeding intrusions since 2021. From the web shell they established a foothold, ran commands, and moved to backdoor deployment. Post-compromise they abused RDP to reach secondary servers, compromised an administrator account, and used Impacket for lateral movement. When defenders removed the first-stage malware, the actor simply came back through the same Exchange door and redeployed. Three waves, same entry point.


If your Exchange is still on-premises and still exposed, this is your reminder that ProxyShell and ProxyNotShell never stopped paying out. They are half a decade old and they are still the front door for a nation-state energy-sector intrusion in 2026.



The tradecraft worth learning: sideloading that hides in control flow


The two payloads are Deed RAT and TernDoor, delivered through DLL sideloading. But this was not the lazy kind. Ordinary sideloading swaps a legitimate DLL for a malicious one and lets the loader run on load. This operation overrode two specific exported functions inside the malicious library, so the Deed RAT loader only fires when the host application calls through those functions in its natural execution path. That is a two-stage trigger gated by the legitimate program's own control flow — quieter, and harder for a naive scanner that only checks whether a DLL was replaced.


Deed RAT itself hid in a folder impersonating a LogMeIn Hamachi install and persisted as a service masquerading as Hamachi at startup. On disk during the second wave it showed up as a file at the USOShared path — USOShared.exe — with the MD5 762f787534a891eca8aa9b41330b4108. TernDoor arrived about a month after the first malware was cleaned, which is how you know they never lost their foothold.



The receipt, stated honestly


Here is the part we can add. Deed RAT initiates an HTTPS GET to a hard-coded host on port 443: sentinelonepro.com. It is a typosquat of SentinelOne, which is the kind of name that only makes sense if you are trying to look like security telemetry in someone's egress logs.


That domain is in our corpus. It was ingested into our indicators on May 14, 2026, at confidence 70, through our STIX aggregation — and we are going to be precise about what that means, because a ledger that inflates its wins is a marketing document, not a memory. We did not independently discover this domain and we did not attribute it in May. It came in through feed aggregation as a suspicious indicator with no malware family and no actor attached. What we can say plainly is this: a customer pulling our blocklist would have been dropping traffic to that command-and-control host since the middle of May, two months before Bitdefender's report told the world what it was. Early and unattributed still beats late and named, if the goal is to keep the connection from completing.


The honest miss beside it: the file hash, MD5 762f787534a891eca8aa9b41330b4108, was not in our corpus. We had the network indicator and not the host artifact. That is the gap, named. We have since taken the domain and re-asserted it with the FamousSparrow attribution and full confidence so it stays live on the feed rather than aging out.



What to do with this


If you run on-premises Exchange, treat ProxyShell and ProxyNotShell as live, not historical, and confirm your patch state today. Hunt for a service impersonating LogMeIn Hamachi that you did not install, and for the USOShared.exe artifact at the ProgramData path. Block egress to sentinelonepro.com — it is a security-vendor typosquat, there is no legitimate reason for it in your logs. And if you are in the energy sector anywhere along a European supply line, understand that the crews you filed under "telecom problem" have re-tooled toward you.


We have written the Chinese-APT-into-critical-infrastructure story before — the Typhoon family IOCs, Salt Typhoon in Washington, MuddyWater's Iranian analog dressing espionage as ransomware. This is the same shape from a different sparrow. The door is Exchange. The goal is to sit quietly inside the thing that keeps the lights on. Watch the door, not the actor.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page