FamousSparrow Targets Azerbaijani Oil and Gas Firm in Three-Wave Campaign Using ProxyNotShell, Deed RAT, and Kernel-Level Rootkit
Bitdefender Labs has documented a sustained espionage campaign by Chinese-aligned APT group FamousSparrow against an oil and gas company in Azerbaijan, carried out across three distinct waves between December 2025 and February 2026. The campaign marks a strategic pivot for the group toward South Caucasus energy infrastructure and demonstrates how determined nation-state actors will repeatedly exploit the same access vector when defenders fail to patch.
The first wave began on December 25, 2025, when the attackers exploited ProxyNotShell to compromise the target's Microsoft Exchange server. Initial access led to DLL sideloading — the attackers used a legitimate binary (LMIGuardianSvc.exe) to load a malicious library (lmiguardiandll.dll) that activated the SNAPPYBEE backdoor, also tracked as Deed RAT. This gave the attackers persistent remote control over the compromised environment.
When the target attempted to clean its systems, the attackers simply returned through the same unpatched Exchange server. This cycle repeated three times across two months — a stark demonstration that malware removal without patching the initial access vector is functionally useless against a persistent adversary.
The second wave in January 2026 introduced Terndoor, a new backdoor deployed via the Mofu loader — an obfuscated stager that concealed malicious instructions in memory to bypass antivirus detection. Once active, Terndoor installed a driver named vmflt.sys and registered a service in the Windows registry at HKLM\SYSTEM\ControlSet001\Services\vmflt, establishing a kernel-level rootkit that gave the attackers deep system control. From there, the group used Impacket and RDP to harvest administrator credentials and move laterally across the network.
The third wave in late February saw FamousSparrow deploy an updated Deed RAT variant. Files were staged in C:\Recovery and the malware communicated with a C2 domain designed to mimic legitimate security traffic — sentineloneprocom — making exfiltration blend in with routine software update patterns. This version injected into standard Windows processes including SearchIndexer.exe and dwm.exe, using AES-CBC and RC4 encryption to protect its configuration.
The deployment of two distinct backdoor families across three waves, combined with the persistent return to the same entry point despite remediation attempts, reflects both technical versatility and strategic patience characteristic of Chinese state-sponsored operations.
Defensive Guidance:
The central lesson here is unambiguous: patch public-facing Exchange servers. The attackers exploited the same ProxyNotShell vulnerability three times because the defender removed malware but left the door open. Organizations running on-premises Exchange should verify they are current on all cumulative updates and security patches. Monitor for DLL sideloading involving LMIGuardianSvc.exe and suspicious driver installations creating new services under HKLM\SYSTEM\ControlSet001\Services. Hunt for C2 traffic to domains mimicking legitimate security vendors. Watch for Impacket usage and lateral movement via RDP following initial compromise. Implement API hooking detection to identify attackers intercepting internal system communications for persistence.
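As an added example, not code from Bitdefender Labs or the original report, the following Python applies three of the hunting points above (the LMIGuardianSvc.exe sideload pairing, new driver services under the Services key, and security-vendor lookalike C2 domains) to constructed, simplified event records; the event field names, the Program Files install-root check and the vendor allowlist are assumptions, and the sample events are constructed rather than taken from the campaign.

```python
from pathlib import PureWindowsPath

# Constructed sample events (simplified image-load / service-install / DNS records).
# The field layout is an assumption, not any real log schema.
EVENTS = [
    {"type": "image_load", "process": r"C:\ProgramData\Temp\LMIGuardianSvc.exe",
     "image": r"C:\ProgramData\Temp\lmiguardiandll.dll"},
    {"type": "image_load", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\ntdll.dll"},
    {"type": "service_install", "service": "vmflt",
     "image_path": r"C:\Windows\System32\drivers\vmflt.sys"},
    {"type": "service_install", "service": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "dns", "process": r"C:\Windows\System32\SearchIndexer.exe",
     "query": "sentineloneprocom"},
    {"type": "dns", "process": r"C:\Program Files\SentinelOne\SentinelAgent.exe",
     "query": "sentinelone.com"},
]

INSTALL_ROOTS = (r"c:\program files", r"c:\program files (x86)")  # assumption
VENDOR_TOKENS = ("sentinelone",)            # extend with vendors deployed locally
LEGIT_VENDOR_DOMAINS = ("sentinelone.com",)  # assumed allowlist of legitimate hosts

def suspicious_sideload(ev) -> bool:
    """LMIGuardianSvc.exe loading lmiguardiandll.dll from beside itself, outside an install root."""
    exe, dll = PureWindowsPath(ev["process"]), PureWindowsPath(ev["image"])
    if exe.name.lower() != "lmiguardiansvc.exe" or dll.name.lower() != "lmiguardiandll.dll":
        return False
    beside_exe = exe.parent == dll.parent
    in_install_root = str(exe.parent).lower().startswith(INSTALL_ROOTS)
    return beside_exe and not in_install_root

def new_kernel_driver_service(ev) -> bool:
    """Any newly installed service backed by a .sys driver, or the campaign's vmflt name."""
    return (PureWindowsPath(ev["image_path"]).suffix.lower() == ".sys"
            or ev["service"].lower() == "vmflt")

def lookalike_vendor_domain(query: str) -> bool:
    """Name contains a security-vendor brand but is not under that vendor's legitimate domain."""
    q = query.lower().rstrip(".")
    if not any(tok in q for tok in VENDOR_TOKENS):
        return False
    return not any(q == d or q.endswith("." + d) for d in LEGIT_VENDOR_DOMAINS)

def hunt(events):
    """Return (rule, indicator) pairs for every event that matches one of the three checks."""
    findings = []
    for ev in events:
        if ev["type"] == "image_load" and suspicious_sideload(ev):
            findings.append(("dll_sideload", ev["image"]))
        elif ev["type"] == "service_install" and new_kernel_driver_service(ev):
            findings.append(("kernel_driver_service", ev["service"]))
        elif ev["type"] == "dns" and lookalike_vendor_domain(ev["query"]):
            findings.append(("vendor_lookalike_c2", ev["query"]))
    return findings

if __name__ == "__main__":
    for rule, indicator in hunt(EVENTS):
        print(rule, indicator)
```

In production the same checks would read from Sysmon image-load events, System log service-install events and DNS telemetry rather than from the inline list.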