Anonymous Intelligence Signal

China-Linked FamousSparrow Conducts Multi-Wave Attack Against Azerbaijani Oil and Gas Firm Using ProxyNotShell Chain

human | The Lab | unverified | 2026-05-14 13:18:29 | Source: Mastodon:mastodon.social:#cybersecurity

A China-linked advanced persistent threat (APT) group identified as FamousSparrow carried out sustained cyber operations against an oil and gas company in Azerbaijan, deploying a combination of the ProxyNotShell exploit chain alongside custom malware tools Deed RAT and Terndoo across three distinct attack waves. The findings mark one of the most detailed documented campaigns attributed to the threat actor, highlighting a focused interest in the Caspian region's energy sector infrastructure.

Security researchers tracking the group observed the attack sequence unfold in considerable detail. The initial compromise leveraged vulnerabilities in Microsoft Exchange servers through the ProxyNotShell attack chain, a technique previously associated with multiple APT actors but increasingly linked to Chinese state-aligned operations. Once inside the target network, the operators deployed Deed RAT for persistent remote access and Terndoo, a lesser-known backdoor that provided a secondary foothold. The three-wave structure suggests careful operational security practices, with the threat actor adjusting tactics between each intrusion phase to evade detection.

The targeting of an Azerbaijani oil and gas entity raises strategic concerns beyond immediate operational impact. Energy infrastructure in the Caspian basin has become a focal point for state-sponsored cyber operations, with multiple threat clusters from different geopolitical alignments showing sustained interest in the sector. Organizations operating in hydrocarbon production, pipeline logistics, and related critical infrastructure across the region face elevated risk of similar reconnaissance and intrusion campaigns. Security teams are advised to prioritize patching of Microsoft Exchange vulnerabilities, monitor for Deed RAT and Terndoo indicators of compromise, and review network logs for patterns consistent with multi-wave intrusion methodologies.
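As an added example (not code from the source brief or the researchers it cites), the following Python scanner walks constructed IIS W3C log lines, flags requests matching the URL shape that Microsoft's public ProxyNotShell hunting guidance describes (autodiscover.json, an '@' in the query, then a powershell segment), and groups the hits into waves separated by quiet gaps, which is one way to surface the multi-wave pattern the brief tells defenders to look for. The field layout, sample addresses and the regex are this example's own assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime

# URL shape from Microsoft's public ProxyNotShell hunting guidance: autodiscover.json,
# an '@' in the query, then a powershell segment. The regex itself is this example's own.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)
Hit = namedtuple("Hit", "when client_ip url status")

# Constructed IIS W3C sample (not real traffic): one benign request plus five hits in three bursts.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-02 08:14:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2026-04-02 08:15:11 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/PowerShell 443 - 198.51.100.7 python-requests/2.31 200
2026-04-02 08:15:40 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/PowerShell 443 - 198.51.100.7 python-requests/2.31 200
2026-04-20 23:02:19 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 - 203.0.113.9 python-requests/2.31 401
2026-05-09 02:42:07 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 - 192.0.2.44 python-requests/2.31 200
2026-05-10 03:10:30 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 - 192.0.2.44 python-requests/2.31 200
"""

def parse_iis_w3c(log_text):
    """Yield one dict per record, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated lines instead of misaligning columns
                yield dict(zip(fields, parts))

def find_proxynotshell_hits(log_text):
    """Return every request whose stem+query matches the ProxyNotShell URL pattern."""
    hits = []
    for rec in parse_iis_w3c(log_text):
        url = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        if PROXYNOTSHELL_RE.search(url):
            when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits.append(Hit(when, rec["c-ip"], url, rec["sc-status"]))
    return hits

def group_into_waves(hits, gap_days=7):
    """Split hits into waves: a new wave starts after a quiet gap longer than gap_days."""
    waves = []
    for h in sorted(hits, key=lambda x: x.when):
        if waves and (h.when - waves[-1][-1].when).days <= gap_days:
            waves[-1].append(h)
        else:
            waves.append([h])
    return waves
```

Running `group_into_waves(find_proxynotshell_hits(SAMPLE_LOG))` on the constructed sample yields three waves of 2, 1 and 2 hits from three distinct client addresses; a 401 hit is still reported, since failed attempts are as useful to an analyst as successful ones.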