FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit
ID: 409530be-21f7-53a0-8235-8d8f6a5ba4d6
STIX ID: report--409530be-21f7-53a0-8235-8d8f6a5ba4d6
Feed Name: HackRead
Bitdefender Labs documents a three-wave intrusion by the China-linked FamousSparrow group against an Azerbaijani energy firm (Dec 2025–Feb 2026). Attackers exploited the ProxyNotShell Microsoft Exchange vulnerability, used DLL sideloading to deploy Deed RAT, and later introduced Terndoor via the Mofu loader with a vmflt.sys rootkit to gain deep persistence; they also used Impacket and RDP for credential theft and lateral movement. The campaign showed strategic persistence—repeatedly reusing the same unpatched Exchange entry point—and the researchers recommend patching public-facing Exchange servers and monitoring for API hooking and other indicators of compromise.
