FamousSparrow APT Targets Azerbaijani Oil and Gas Sector with Advanced Malware
A China-linked threat actor, **FamousSparrow**, has been tied to a persistent intrusion targeting an Azerbaijani oil and gas company. The attackers repeatedly exploited the same vulnerability to deploy and re-deploy sophisticated backdoors such as Deed RAT and TernDoor.

A threat actor with suspected ties to China has been implicated in a "multi-wave intrusion" against an Azerbaijani oil and gas company between late December 2025 and late February 2026. This campaign signifies a notable expansion in the group's targeting scope.
**Bitdefender** attributes the activity to **FamousSparrow** (aka UAT-9244) with moderate-to-high confidence. The group shares tactical overlaps with the clusters tracked as Earth Estries and Salt Typhoon.
The attacks involved the deployment of two distinct backdoors across three separate waves: **Deed RAT** (aka Snappybee), a successor of ShadowPad used by multiple China-nexus espionage groups, and **TernDoor**, recently discovered in attacks targeting telecommunications infrastructure in South America since 2024.
### Persistent Exploitation of Microsoft Exchange Vulnerability
Notably, the campaign repeatedly leveraged the same vulnerable **Microsoft** Exchange Server entry point despite remediation attempts. The attackers swapped backdoors each time: Deed RAT on December 25, 2025, TernDoor in late January/early February 2026, and a modified Deed RAT in late February 2026. The attackers are believed to have exploited the ProxyNotShell chain to gain initial access.
"This targeting extends the known FamousSparrow victimology into a region where Azerbaijan's role in European energy security has materially increased following the 2024 expiration of Russia's Ukraine gas transit agreement and 2026 Strait of Hormuz disruptions," **Bitdefender** stated in their report.
"The intrusion illustrates that actors will exploit and re-exploit the same access path until the original vulnerability is patched, compromised credentials are rotated, and the attacker's ability to return is fully disrupted."

### Advanced DLL Side-Loading Techniques
Initial access was followed by attempts to deploy web shells for persistent access and, ultimately, to deploy Deed RAT using an evolved DLL side-loading technique. The technique leverages the legitimate LogMeIn Hamachi binary to load and launch a rogue DLL that is responsible for executing the main payload.
"Unlike standard DLL side-loading that relies on simple file replacement, this method overrides two specific exported functions within the malicious library," **Bitdefender** explained. "This creates a two-stage trigger that gates the Deed RAT loader's execution through the host application's natural control flow, further evolving the defense evasion capabilities of traditional DLL side-loading."
The attacks also involved lateral movement to broaden access within the compromised network and establish redundant footholds.
The second wave, nearly a month after the initial intrusion, saw the adversary attempting to deploy TernDoor by DLL side-loading via Mofu Loader, a shellcode loader previously attributed to GroundPeony.
The Azerbaijani firm was targeted a third time towards the end of February 2026, with threat actors attempting to deploy a modified version of Deed RAT, indicating efforts to refine their malware arsenal. This artifact uses "sentinelonepro [.]com" for command-and-control (C2).
### Sustained and Adaptive Operation
"This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim environment," **Bitdefender** concluded. "Across multiple waves of activity, the same access path was revisited, new payloads were introduced, and additional footholds were established, underscoring a high degree of persistence and operational discipline."