Bitdefender links FamousSparrow activity to Azerbaijan oil and gas intrusion

Bitdefender says it has identified what it describes as a cyber-espionage campaign linked to the China-aligned threat group FamousSparrow, marking the first documented instance of the group targeting energy infrastructure in the South Caucasus.

In a research release, the company said the activity involved a multi-wave intrusion against an Azerbaijani oil and gas company between December 2025 and late February 2026. Bitdefender said the campaign indicates a shift from FamousSparrow’s previously known focus on telecoms, government and technology, extending into the energy sector.

The report places the intrusion in the context of geopolitical pressure on global energy supply chains, citing Azerbaijan’s growing role as an energy supplier to Europe following the expiration of Russia’s Ukraine gas transit agreement, as well as ongoing disruptions in the Strait of Hormuz.

Bitdefender said the attackers exploited vulnerabilities in a Microsoft Exchange server to gain initial access and returned repeatedly over a two-month period, even after remediation efforts. The company said three waves of activity included deployment of multiple backdoor families, including Deed RAT and Terndoor.

According to Bitdefender, one technical development was an updated Deed RAT variant using a DLL sideloading technique designed to delay execution until legitimate application processes were running. The firm said this “execution gating” method can help evade traditional detection tools.

The research also highlights what Bitdefender characterised as a broader defensive issue: attackers repeatedly re-entering through the same initial access point after an organisation attempts remediation, rather than relying on new vulnerabilities.

Bitdefender advised critical infrastructure operators to prioritise patching of internet-facing systems, implement continuous monitoring for anomalous activity, and assume breach to support rapid detection and response. The full research report is available on Bitdefender’s Business Insights site.
