Deep Persistence: Analyzing FamousSparrow’s Targeted Espionage Campaign in the South Caucasus
In a sophisticated display of long-term strategic positioning, state-aligned Chinese threat actors have successfully compromised a major energy firm via a vulnerable Microsoft Exchange server.
Rather than pursuing a “smash-and-grab” data theft or a disruptive ransomware deployment, the attackers utilized this initial entry point to maintain a multi-month espionage operation, embedding themselves deep within the network architecture through the deployment of the Deed RAT and Terndoor backdoors.
Cybersecurity investigators attribute this activity with moderate-to-high confidence to FamousSparrow, an Advanced Persistent Threat (APT) cluster known for tactical overlaps with other prominent groups such as Earth Estries and Salt Typhoon. The campaign is characterized by its extreme patience and focus on high-value intelligence gathering rather than immediate financial gain.
The geopolitical implications of this intrusion are profound. The targeting of an energy company within the South Caucasus corridor is highly strategic; as Europe seeks to diversify its energy sources away from Russian transit routes, Azerbaijan’s role as a critical gas supplier has surged. By gaining visibility into these energy flows, the attackers secure a window into European energy security during a period of intense global volatility.

The technical intrusion sequence began on December 25, 2025. Analysis of the w3wp.exe (IIS worker process) revealed an attempt to write an ASPX web shell into a public directory while operating under the MSExchangePowerShellAppPool. This specific behavior is a hallmark of the ProxyNotShell exploit chain. Bitdefender researchers uncovered this multi-wave intrusion, noting that it marks a significant expansion of Chinese APT operations into the Azerbaijani energy sector.
To harden their foothold, the actors deployed several web shells with deceptively benign filenames, including key.aspx, log.aspx, errorFE.aspx, and signout.aspx. These shells acted as persistent command-and-control (C2) nodes, allowing the attackers to stage malware payloads directly from the compromised Exchange environment.
Sophisticated Malware Toolchains: Deed RAT and Terndoor
In the initial phase of the campaign, FamousSparrow utilized a highly evolved DLL sideloading technique to deploy the Deed RAT. This involved abusing the legitimate LogMeIn Hamachi service. The attackers used the trusted binary LMIGuardianSvc.exe to load a malicious DLL (LMIGuardianDll.dll), which subsequently decrypted and executed an encrypted payload file (.hamachi.lng).

What sets this loader apart from standard sideloading is its implicit anti-analysis layer. The logic is split across two exported functions—Init and ComMain—meaning the malicious payload only triggers once the host application completes its standard startup routine and calls a specific, patched Windows API. This prevents automated sandboxes from detecting the threat, as they often execute DLLs in isolation without simulating the full application lifecycle.
Evidence of continuous development was also observed; the group updated their toolchain by migrating plugin compression from Snappy to Deflate and updating magic constants (e.g., 0xFF66ABCD). The payload decryption process relies on a custom Pseudo-Random Number Generator (PRNG) to create a unique XOR decryption byte stream, adding another layer of complexity for forensic analysts.

Once the Deed RAT was active, it provided the attackers with modular capabilities, including configuration management, network proxying, and process injection. C2 communications were often masked as legitimate HTTPS traffic to domains impersonating security vendors, such as sentinelonepro[.]com.
Following a partial remediation effort by defenders, the attackers launched a second wave. They returned to the exact same Exchange vulnerability to deploy the Terndoor backdoor via the Mofu loader. This second attempt involved sideloading a malicious DLL through a renamed deskbandinjector64.exe and attempting to install a kernel-mode driver (vmflt.sys) to establish rootkit-level persistence.
While security controls intercepted this specific driver installation, memory forensics successfully recovered Mofu-style shellcode. This shellcode decrypted an LZNT1-compressed PE payload identified as Terndoor, a finding consistent with Cisco Talos’ UAT-9244 reporting regarding similar actor behaviors.
Lateral Movement and Defensive Recommendations
The attackers demonstrated advanced lateral movement capabilities, leveraging Remote Desktop Protocol (RDP) with stolen domain administrator credentials. They further propagated the Deed RAT across the environment using Impacket-style techniques, specifically atexec and smbexec, ensuring redundant access points that made total eviction extremely difficult.
Immediate Action Items for Security Teams:
- Patch Management: Prioritize immediate patching or strict network isolation of all Microsoft Exchange servers to mitigate ProxyShell and ProxyNotShell vulnerabilities.
- Endpoint Monitoring: Monitor IIS worker processes (
w3wp.exe) for unauthorized file writes, particularly ASPX files in web-accessible directories. - Sideloading Detection: Audit for unusual DLL loading patterns involving signed, legitimate binaries and monitor for suspicious kernel-driver services in non-standard paths.
- Identity Security: Watch for anomalous RDP sessions, specifically those that immediately spawn PowerShell or attempt to drop executables.
- Incident Response: If Deed RAT or Terndoor activity is detected, treat the event as a persistent espionage campaign. This requires a full credential rotation for all high-privilege accounts and deep memory/network forensics to ensure complete eviction.