The repeated exploitation of Microsoft Exchange at an Azerbaijani oil and gas company shows how persistent threat actors operate when remediation is incomplete. The campaign, attributed by Bitdefender with moderate-to-high confidence to FamousSparrow, reportedly unfolded in multiple waves between late December 2025 and late February 2026, using the same Exchange entry point while switching payloads between Deed RAT and TernDoor. It is a strong reminder that patching alone is not always enough after a compromise: organizations must also remove web shells, rotate credentials, hunt for lateral movement, and verify that the attacker's return paths have been closed.
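One concrete piece of the "remove web shells" step is triaging the script files Exchange actually serves over HTTP. The PowerShell below is an added example written for this page; it is not code from the article, from Bitdefender, or from the threat report. The Exchange install path, the 90-day cutoff, the output file name, and the optional known-good hash baseline (a CSV with a `Hash` column taken from a clean server of the same build) are all assumptions, and because a stock Exchange install ships many legitimate `.aspx` files, the baseline is what keeps the result short enough to review by hand.

```powershell
# Added example (not from the article or Bitdefender): list recently created or
# modified server-side script files under the directories Exchange serves over
# HTTP, dropping anything whose SHA256 matches a known-good baseline.
# $ExchangeRoot, $Since, $BaselineCsv and the output path are assumptions.
param(
    [string]$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15',
    [datetime]$Since      = (Get-Date).AddDays(-90),
    [string]$BaselineCsv  = ''   # optional CSV of known-good hashes, column name: Hash
)

# Web-facing roots of an Exchange server; web shells are typically written here.
$webRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $ExchangeRoot 'ClientAccess'),
    'C:\inetpub\wwwroot'
)

# File types IIS will execute or that control execution.
$extensions = '*.aspx', '*.ashx', '*.asmx', '*.asax', '*.config'

# Load the optional baseline of hashes captured from a clean server of the same build.
$baseline = @{}
if ($BaselineCsv -and (Test-Path $BaselineCsv)) {
    Import-Csv -Path $BaselineCsv | ForEach-Object { $baseline[$_.Hash] = $true }
}

$findings = foreach ($root in $webRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Skip files that match the clean baseline; 'return' moves to the next item.
            if ($baseline.Count -gt 0 -and $baseline.ContainsKey($hash)) { return }
            # File owner: a script owned by the IIS application pool identity rather
            # than an installer account is worth a closer look.
            $owner = (Get-Acl -Path $_.FullName).Owner
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SizeBytes = $_.Length
                Owner     = $owner
                SHA256    = $hash
            }
        }
}

# Newest files first for the analyst, and a CSV to keep as an incident artifact.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path '.\exchange-webroot-triage.csv' -NoTypeInformation
```

Run it on each Exchange server in the environment, not just the one where the initial intrusion was found, and review every file it lists rather than only deleting hits: the hash of a confirmed shell is worth recording so the other waves the article describes can be checked for the same artifact. Deleting the shell still leaves the other steps (credential rotation and lateral-movement review) to be done.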
A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of

Source: Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation via The Hacker News — published 13 May 2026.