{"id":213209,"date":"2026-05-13T09:00:00","date_gmt":"2026-05-13T13:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/13\/azerbaijani-energy-firm-hit-by-repeated-microsoft-exchange-exploitation\/"},"modified":"2026-05-13T10:35:13","modified_gmt":"2026-05-13T14:35:13","slug":"azerbaijani-energy-firm-hit-by-repeated-microsoft-exchange-exploitation","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/13\/azerbaijani-energy-firm-hit-by-repeated-microsoft-exchange-exploitation\/","title":{"rendered":"Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html\">Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html\">https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html<\/a><\/p>\n<p>Publish Date: 2026-05-13 09:00:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p>Author: Ravie Lakshmanan<\/p>\n<p>May 13, 2026 | Cyber Espionage \/ Malware<br \/>\nA China-linked threat actor has been tied to a &#8220;multi-wave intrusion&#8221; targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of the group&#8217;s targeting.<br \/>\nBitdefender has attributed the activity with moderate-to-high confidence to a hacking group tracked as FamousSparrow (aka UAT-9244), which shares some tactical overlap with the clusters known as Earth Estries and Salt Typhoon.<br \/>\nThe intrusion delivered two distinct 
backdoors across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad used by multiple China-nexus espionage groups, and TernDoor, a backdoor recently discovered in attacks on telecommunications infrastructure in South America dating back to 2024.<\/p>\n<p>What&#8217;s notable about the campaign is that it repeatedly leveraged the same vulnerable Microsoft Exchange Server entry point despite several remediation attempts, swapping backdoors each time: Deed RAT on December 25, 2025, TernDoor in late January\/early February 2026, and a modified Deed RAT in late February 2026. The attackers are assessed to have exploited the ProxyNotShell chain (CVE-2022-41040 and CVE-2022-41082) to obtain initial access. That chain requires an authenticated Exchange user, so patching the server alone does not invalidate the account the attackers used to reach it; the credentials have to be rotated as well.<br \/>\n&#8220;This targeting extends the known FamousSparrow victimology into a region where Azerbaijan&#8217;s role in European energy security has materially increased following the 2024 expiration of Russia&#8217;s Ukraine gas transit agreement and 2026 Strait of Hormuz disruptions,&#8221; the Romanian cybersecurity company said in a report shared with The Hacker News.<br \/>\n&#8220;The intrusion illustrates that actors will exploit and re-exploit the same access path until the original vulnerability is patched, compromised credentials are rotated, and the attacker&#8217;s ability to return is fully disrupted.&#8221;<\/p>\n<p>The initial access is said to have been followed by attempts to deploy web shells to establish a persistent foothold and, ultimately, to deploy Deed RAT using an evolved DLL side-loading technique that leverages the legitimate LogMeIn Hamachi binary to load and launch a rogue DLL responsible for executing the main payload.<br \/>\n&#8220;Unlike standard DLL side-loading that relies on simple file replacement, this method overrides two specific exported functions within the malicious library,&#8221; Bitdefender explained. 
&#8220;This creates a two-stage trigger that gates the Deed RAT loader&#8217;s execution through the host application&#8217;s natural control flow, further evolving the defense evasion capabilities of traditional DLL side-loading.&#8221;<br \/>\nThe attackers were also found to have moved laterally to broaden their access within the compromised network and to establish a redundant foothold, ensuring resilience should the activity be detected and removed.<\/p>\n<p>The second wave took place nearly a month after the initial intrusion, with the adversary unsuccessfully attempting to use DLL side-loading to drop TernDoor by means of Mofu Loader, a shellcode loader previously attributed to GroundPeony.<br \/>\nThe Azerbaijani firm was targeted a third time towards the end of February 2026, when the threat actors once again attempted to deploy a modified version of Deed RAT, indicating active efforts to refine and evolve their malware arsenal. This artifact uses the defanged domain &#8220;sentinelonepro[.]com&#8221;, a name mimicking a security vendor&#8217;s brand, for command-and-control (C2).<br \/>\n&#8220;This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim environment,&#8221; Bitdefender said. 
&#8220;Across multiple waves of activity, the same access path was revisited, new payloads were introduced, and additional footholds were established, underscoring a high degree of persistence and operational discipline.&#8221;<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html Publish Date: 2026-05-13 09:00:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":213211,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjOfGXVOYqF2EcrcnYIDCnTYdmWpV-uaZ5nV0_0ukZ8uCk19wFFOax_VvgwO8LtlIkVo8pvcSSBs8Afc66yo2PbiMDjq4UDqnytAqP-Nq8CqTOfEtqwuWRmjbUpRYzqaAXFnRiXozR34fXAPE8O6Gcix6f08Sped3oVUXcjIOTE04N8IInA0qVeG0Sc6LzB\/s1600\/energy-cyberattack.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,35,32,34,27],"class_list":["post-213209","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-hacker","tag-malware","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/213209"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=213209"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/213209\/revisions"}],"predecessor-version":[{"id":213212,"href"
:"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/213209\/revisions\/213212"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/213211"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=213209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=213209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=213209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
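The re-exploitation pattern the article describes points at the check an Exchange operator would want to run: a hunt over IIS W3C logs for the ProxyNotShell request shape that Microsoft's URL Rewrite mitigation keyed on (an Autodiscover request carrying an "@" and "powershell"), for POSTs to non-stock .aspx files in the front-end auth directories where web shells typically land, and for source addresses that came back on more than one day. The Python below is an added example, not code from The Hacker News or from Bitdefender's report. The log lines, the 203.0.113.7 and 198.51.100.x addresses, the example.test domain, the directory list and the stock-file allowlist are all constructed assumptions for illustration; the CVE identifiers named in the comments (CVE-2022-41040, CVE-2022-41082) are from Microsoft's 2022 advisory, not from the article.

```python
"""Hunt IIS W3C logs for ProxyNotShell-style requests and web-shell activity.

Added example, not code from the article or from Bitdefender. It assumes
IIS W3C extended logging with a #Fields header line; the sample log below
is constructed for illustration and comes from no real incident.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Microsoft's ProxyNotShell (CVE-2022-41040 / CVE-2022-41082) URL Rewrite
# mitigation matched this shape on REQUEST_URI: an Autodiscover request
# carrying an '@' followed somewhere by 'powershell'.
PROXYNOTSHELL = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Exchange front-end directories where web shells are commonly dropped, and
# the .aspx files a stock install serves from them. Both lists are assumed
# starting points for this example; verify them against a clean build of
# your own Exchange version before relying on them.
SHELL_DIRS = ("/owa/auth/", "/ecp/auth/", "/aspnet_client/")
STOCK_ASPX = {"logon.aspx", "logoff.aspx", "lang.aspx", "errorfe.aspx", "default.aspx"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    date: str
    client_ip: str
    request: str


def parse_w3c(lines):
    """Yield (line_no, record) for each data line, keyed by the #Fields header."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield n, dict(zip(fields, values))


def hunt(lines):
    """Return findings for ProxyNotShell requests and POSTs to unknown .aspx files."""
    findings = []
    for n, rec in parse_w3c(lines):
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        date, ip = rec.get("date", "?"), rec.get("c-ip", "?")
        if PROXYNOTSHELL.search(uri):
            findings.append(Finding(n, "proxynotshell-autodiscover", date, ip, uri))
        low = stem.lower()
        # A POST to an .aspx file under an auth directory that a stock install
        # does not ship is the classic tell of a dropped web shell.
        if (rec.get("cs-method") == "POST" and low.endswith(".aspx")
                and any(d in low for d in SHELL_DIRS)
                and low.rsplit("/", 1)[-1] not in STOCK_ASPX):
            findings.append(Finding(n, "webshell-post", date, ip, uri))
    return findings


def repeat_entry_sources(findings):
    """Client IPs that hit the ProxyNotShell rule on more than one day: the
    'same access path, revisited' pattern the Bitdefender report describes."""
    days = defaultdict(set)
    for f in findings:
        if f.rule == "proxynotshell-autodiscover":
            days[f.client_ip].add(f.date)
    return {ip: sorted(d) for ip, d in days.items() if len(d) > 1}


# Constructed sample log: two exploitation attempts a month apart from the
# same source, one web-shell POST, and two benign OWA logon requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-25 03:12:44 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell?Email=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.7 Mozilla/5.0 200
2025-12-25 03:13:02 10.0.0.5 POST /owa/auth/errorEE.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-12-25 03:13:10 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 - 198.51.100.20 Mozilla/5.0 200
2025-12-25 03:14:00 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0 302
2026-01-28 22:41:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell?Email=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.7 Mozilla/5.0 200
""".splitlines()


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}: {f.request}")
    print("re-entry sources:", repeat_entry_sources(found))
```

The stem/query split matters: IIS logs the Autodiscover path in cs-uri-stem and the `@example.test/powershell` part in cs-uri-query, so the pattern has to be tested against the rejoined URI rather than either field alone. A hit from `repeat_entry_sources` is the signal that an earlier cleanup left the access path open, which in the Bitdefender case meant the patch, the credential rotation, or both were still outstanding.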