The China-linked FamousSparrow APT group (also tracked as UNC2286, GhostEmperor, RedMike, Operator Panda, Earth Estries, and Salt Typhoon) conducted a sophisticated multi-wave intrusion campaign against an Azerbaijani oil and gas company between late December 2025 and late February 2026. First observed on December 25, 2025, the FamousSparrow operation targeted the South Caucasus energy sector across Armenia, Azerbaijan, and Georgia, focusing specifically on critical energy infrastructure with strategic importance to European gas supply chains.
The FamousSparrow threat actors repeatedly exploited the same unpatched Microsoft Exchange Server using the ProxyNotShell vulnerability chain (CVE-2022-41040 combined with CVE-2022-41082) to deploy ASPX web shells and establish persistent access to the Azerbaijani oil and gas company network. Across three distinct attack waves spanning two months, the FamousSparrow APT deployed Deed RAT (also known as Snappybee), Terndoor backdoors, and Mofu loader malware to maintain persistent control over compromised Windows systems within the energy company infrastructure.
The FamousSparrow intrusion campaign is particularly notable for demonstrating an evolved DLL sideloading technique that splits malicious logic across two separate DLL exports to gate malware execution behind the host application’s natural control flow, effectively defeating automated sandbox analysis and triage systems. The sustained FamousSparrow operation across multiple remediation cycles demonstrates exceptional operational discipline and strategic targeting, extending the threat group’s known targeting footprint into the South Caucasus energy sector, a region of growing strategic importance to European energy security and gas supply diversification efforts.
The FamousSparrow APT intrusion targeting an Azerbaijani oil and gas company began on December 25, 2025, when the Microsoft Exchange IIS worker process attempted to write a malicious web shell into a publicly accessible directory on the victim’s Exchange server. The command line execution carried the MSExchangePowerShellAppPool argument, indicating FamousSparrow exploitation of the ProxyNotShell vulnerability chain combining CVE-2022-41040 and CVE-2022-41082 to achieve remote code execution on the unpatched Exchange server.
Across December 25, 26, and 29, the FamousSparrow attackers staged multiple ASPX web shells on the compromised Exchange server, then deployed the Deed RAT malware using a three-component infection chain consisting of the legitimate LogMeIn Hamachi binary, the malicious loader lmiguardiandll.dll, and the encrypted payload container file .hamachi.lng. The FamousSparrow operators relocated these components to C:\Program Files (x86)\LogMeIn Hamachi to mimic a legitimate LogMeIn Hamachi VPN installation, and registered a Windows service named “LogMeIn Hamachi” configured to automatically launch LMIGuardianSvc.exe at system startup for persistence.
The FamousSparrow DLL sideloading mechanism represents an evolution of standard DLL hijacking techniques, with malicious logic split across two separate DLL exports (Init and ComMain) embedded within the host application’s normal control flow to evade sandbox detection. The Init export temporarily relaxes memory protections to patch the StartServiceCtrlDispatcherW Windows API function for call redirection, then cleanly exits. When the legitimate service control flow later invokes the ComMain export and reaches the patched API function, execution is diverted into the FamousSparrow loader, which restores the original API bytes and decrypts the .hamachi.lng payload using AES-128-CBC encryption.
The decrypted FamousSparrow shellcode resolves Windows APIs via ELF hash comparison, decrypts the orchestrator component using RC4 encryption, and decompresses it with RtlDecompressBuffer (LZNT1 compression) before transferring execution to the Deed RAT main module, identified by the updated magic value 0xFF66ABCD (previously 0xDEED4554 in older Deed RAT variants). The FamousSparrow orchestrator loads plugins including Startup, Config, Plugin, Network, NetSocket, NetProxy, Install, and Inject, which are decrypted with a custom PRNG XOR routine and decompressed with Deflate compression, representing a switch from Snappy compression in older Deed RAT variants. The first-wave FamousSparrow command-and-control communications operated over HTTPS, with process injection targeting SearchIndexer.exe, taskeng.exe, iexplore.exe, and taskhost.exe processes.
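Two of the triage techniques mentioned above lend themselves to a small analyst helper: recovering API names from the hash values a shellcode stage compares against, and sweeping a memory dump for the Deed RAT magic values (0xFF66ABCD, 0xDEED4554 and the 0x46B78C45 value listed later in the indicators). The following is an added example written for this page, not code from the report or from Bitdefender; it assumes the classic SysV ELF hash routine (the report names "ELF hash" but does not give the constants), and the API name list, hash list and memory buffer are constructed sample data.

```python
import struct

# Deed RAT orchestrator magic values taken from the report.
DEED_RAT_MAGICS = (0xFF66ABCD, 0xDEED4554, 0x46B78C45)


def elf_hash(name: str) -> int:
    """Classic SysV ELF hash of an ASCII API name.

    Assumption: the report says the shellcode resolves APIs by "ELF hash
    comparison" without giving the routine, so the standard algorithm is used.
    """
    h = 0
    for byte in name.encode("ascii"):
        h = ((h << 4) + byte) & 0xFFFFFFFF
        g = h & 0xF0000000
        if g:
            h ^= g >> 24
        h &= 0x0FFFFFFF          # equivalent to h &= ~g in the C original
    return h


def build_hash_table(api_names):
    """Precompute hash -> name so observed constants can be looked up."""
    return {elf_hash(n): n for n in api_names}


def resolve_hashes(observed, table):
    """Map each hash pulled from the shellcode to an API name, or mark it unresolved."""
    return {h: table.get(h, "<unresolved>") for h in observed}


def scan_for_magics(buf: bytes, magics=DEED_RAT_MAGICS):
    """Return (offset, value, byte_order) for every magic value found in buf.

    Both byte orders are tried because a dump may be searched as raw little-endian
    DWORDs or as the big-endian spelling an analyst copied from a report.
    """
    hits = []
    for value in magics:
        for fmt, order in (("<I", "little"), (">I", "big")):
            needle = struct.pack(fmt, value)
            start = 0
            while (idx := buf.find(needle, start)) != -1:
                hits.append((idx, value, order))
                start = idx + 1
    return sorted(hits)


# Constructed sample data: a plausible import list and a few hash constants
# "recovered" from a shellcode stage (one of them deliberately unknown).
SAMPLE_API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "RtlDecompressBuffer", "StartServiceCtrlDispatcherW", "CreateThread",
]
SAMPLE_OBSERVED_HASHES = [elf_hash("VirtualAlloc"), elf_hash("RtlDecompressBuffer"), 0x12345]

# Constructed memory region: 8 zero bytes, then 0xFF66ABCD as a little-endian
# DWORD (how it would sit in a decrypted orchestrator header), then padding.
SAMPLE_MEMORY = b"\x00" * 8 + struct.pack("<I", 0xFF66ABCD) + b"\x90" * 4

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_API_NAMES)
    for h, name in resolve_hashes(SAMPLE_OBSERVED_HASHES, table).items():
        print(f"0x{h:08X} -> {name}")
    for offset, value, order in scan_for_magics(SAMPLE_MEMORY):
        print(f"magic 0x{value:08X} ({order}-endian) at offset 0x{offset:X}")
```

In practice the hash table is built from the export names of the system DLLs the shellcode is expected to resolve from (kernel32, ntdll, advapi32), and the magic scan is run over process memory of the injection targets named in the report rather than a file on disk, since the orchestrator only exists decrypted in memory.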
With FamousSparrow persistence established on the initial Exchange server, the attackers pivoted to a second host via Remote Desktop Protocol using a compromised domain administrator account, indicating prior credential theft from the Azerbaijani oil and gas company Active Directory environment. The FamousSparrow operators launched a PowerShell console and manually staged LMIGuardianSvc.exe and companion malware files within minutes to create a redundant foothold on the second compromised system, then used Impacket-style atexec and smbexec utilities over SMB protocol to reach a third machine within the energy company network.
Approximately one month later, the FamousSparrow operators returned through the same unpatched Exchange server entry point and attempted to deploy the Terndoor backdoor by sideloading a malicious winmm.dll from C:\ProgramData\USOShared. The loader was identified as Mofu Loader (previously attributed to the GroundPeony threat group) based on its characteristic NOP+CALL prologue and subtract-XOR-add decryption routine, which produces an LZNT1-compressed portable executable with stripped MZ/PE headers. The FamousSparrow Terndoor backdoor attempted to register a kernel driver service on the compromised system, but security tooling blocked the installation; recovered strings nevertheless showed encrypted on-stack storage decoded via single-byte XOR and an RC4 implementation with a hardcoded key whose fingerprint matched UAT-9244 malware samples.
The final FamousSparrow attack wave in late February 2026 saw Deed RAT redeployed through the same DLL sideloading execution chain with a refreshed operational configuration designed to evade detection following previous remediation attempts. The FamousSparrow command-and-control infrastructure rotated to sentinelonepro[.]com:443 masquerading as legitimate SentinelOne security software, all malware components relocated to C:\Recovery directory, the Windows service renamed to “HamachiNet”, the mutex identifier updated to HJKMNbxzcv9876asdfghj, the RSA public key rotated for encrypted communications, and process injection retargeted at wininit.exe and dwm.exe alongside SearchIndexer.exe and taskhost.exe processes.
The FamousSparrow configuration data was stored under HKCU\SOFTWARE\Microsoft\LogMeIn Hamachi registry key, with a HamachiNet entry added to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence across system reboots. Across all three FamousSparrow attack waves, the threat actors preserved persistent access through multiple security remediation cycles by swapping between Deed RAT and Terndoor backdoors while continuously reusing the same unpatched Microsoft Exchange server entry point, indicating sustained espionage operations with exceptional operational discipline rather than opportunistic compromise of the Azerbaijani oil and gas infrastructure.
Apply Microsoft security updates for CVE-2022-41040 and CVE-2022-41082 immediately on all on-premises Microsoft Exchange 2013, 2016, and 2019 deployments to remediate the ProxyNotShell vulnerability chain. ProxyNotShell has been patched since November 2022, and unpatched Exchange servers remain a primary entry point for FamousSparrow operations targeting energy sector organizations.
Alert on w3wp.exe writing .aspx files to publicly accessible Exchange directories, particularly under the MSExchangePowerShellAppPool application pool context. Legitimate Exchange maintenance operations rarely write web-accessible script files through the IIS worker process, making this behavior a strong indicator of FamousSparrow initial compromise activity.
Monitor for modifications to the first bytes of frequently abused Windows API functions including StartServiceCtrlDispatcherW, NtCreateFile, CreateProcessW, and LdrLoadDll. Unsigned binaries applying API hooks to these functions should trigger immediate investigation, since this technique is characteristic of FamousSparrow evolved DLL sideloading malware.
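The check described in the preceding recommendation reduces to comparing the first bytes of each monitored export as mapped in a process with the same bytes in the DLL on disk, then classifying any difference by the patch pattern it leaves behind. The following is an added example written for this page, not code from the report or from any vendor tool; the prologue bytes, hooked variants and addresses are constructed sample data (they are not the real bytes of StartServiceCtrlDispatcherW), and the list of hook patterns is a generic x64 heuristic, not a signature of the FamousSparrow loader.

```python
import struct

# Byte patterns commonly left at the start of an inline-hooked x64 function.
# Assumption: generic heuristic list, not derived from the FamousSparrow sample.
HOOK_PATTERNS = (
    (b"\xE9", "jmp rel32"),
    (b"\xE8", "call rel32"),
    (b"\xFF\x25", "jmp qword [rip+disp32]"),
    (b"\x48\xB8", "mov rax, imm64 (typically followed by jmp rax or push/ret)"),
    (b"\x68", "push imm32 (push/ret trampoline)"),
    (b"\xCC", "int3 breakpoint"),
)


def detect_inline_hook(in_memory: bytes, on_disk: bytes, address: int = 0, width: int = 16) -> dict:
    """Compare the first `width` bytes of a function in memory with its on-disk copy.

    Returns whether the bytes differ, the offset of the first difference, the hook
    pattern recognised at the entry point and, for relative jumps/calls and
    mov rax,imm64 stubs, the absolute destination the patch transfers control to.
    """
    mem, disk = in_memory[:width], on_disk[:width]
    first_diff = next((i for i, (a, b) in enumerate(zip(mem, disk)) if a != b), None)
    result = {"modified": first_diff is not None, "first_diff": first_diff,
              "technique": None, "target": None}
    if first_diff is None:
        return result
    for signature, description in HOOK_PATTERNS:
        if mem.startswith(signature):
            result["technique"] = description
            break
    else:
        result["technique"] = "unknown byte modification"
    if mem[:1] in (b"\xE9", b"\xE8") and len(mem) >= 5:
        rel32 = struct.unpack("<i", mem[1:5])[0]          # signed displacement
        result["target"] = (address + 5 + rel32) & 0xFFFFFFFFFFFFFFFF
    elif mem.startswith(b"\x48\xB8") and len(mem) >= 10:
        result["target"] = struct.unpack("<Q", mem[2:10])[0]
    return result


def audit_exports(snapshot):
    """Run detect_inline_hook over {export_name: (memory_bytes, disk_bytes, address)}
    and return only the exports whose entry bytes were modified."""
    findings = {}
    for name, (mem, disk, addr) in snapshot.items():
        verdict = detect_inline_hook(mem, disk, addr)
        if verdict["modified"]:
            findings[name] = verdict
    return findings


# Constructed sample: a generic x64 prologue (mov [rsp+8],rbx; push rdi;
# sub rsp,20h; mov rdi,rcx; mov rbx,rdx; test rcx,rcx), reused for every export
# for brevity. These are NOT the real bytes of the APIs named below.
CLEAN_PROLOGUE = bytes.fromhex("48895c240857" "4883ec20" "488bf9" "488bda" "4885c9")
JMP_HOOKED = b"\xE9" + struct.pack("<i", 0x00302010) + CLEAN_PROLOGUE[5:]
MOV_HOOKED = b"\x48\xB8" + struct.pack("<Q", 0x00007FF812345678) + b"\xFF\xE0" + CLEAN_PROLOGUE[12:]

SAMPLE_SNAPSHOT = {
    "StartServiceCtrlDispatcherW": (JMP_HOOKED, CLEAN_PROLOGUE, 0x7FF800001000),
    "NtCreateFile": (CLEAN_PROLOGUE, CLEAN_PROLOGUE, 0x7FF800002000),
    "CreateProcessW": (MOV_HOOKED, CLEAN_PROLOGUE, 0x7FF800003000),
    "LdrLoadDll": (CLEAN_PROLOGUE, CLEAN_PROLOGUE, 0x7FF800004000),
}

if __name__ == "__main__":
    for export, verdict in audit_exports(SAMPLE_SNAPSHOT).items():
        target = f"0x{verdict['target']:X}" if verdict["target"] is not None else "n/a"
        print(f"{export}: {verdict['technique']} at +{verdict['first_diff']}, transfers to {target}")
```

When this is run against real processes the on-disk bytes must be read after applying relocations for the loaded image base, and a difference is only the starting point: the module that owns the destination address decides the verdict, which is why the recommendation above keys on unsigned binaries, since signed security products also place inline hooks on these same functions.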
Alert on service creation events where Type=1 (kernel driver) and ImagePath points to non-standard locations such as C:\ProgramData or C:\Temp directories. Legitimate kernel drivers are installed through signed INF files into C:\Windows\System32\drivers, making installations to alternate paths indicative of FamousSparrow Terndoor malware deployment attempts.
Capture and review use of atexec, smbexec, and PsExec tools across the organizational environment. These tools are rarely used in legitimate workflows outside of IT administration and represent strong indicators of FamousSparrow hands-on-keyboard lateral movement activity within compromised energy infrastructure.
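The event-based recommendations above (w3wp.exe writing .aspx files under the Exchange application pool, kernel driver services pointing outside the drivers directory, atexec/smbexec/PsExec usage) and the Run-key persistence described earlier can be expressed as a handful of rules over endpoint telemetry. The following is an added example written for this page, not code from the report or from any SIEM product: it evaluates four rules over constructed Sysmon-style events (field names follow Sysmon's Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details). The vmflt.sys path and the HamachiNet Run value reuse indicators from the report; every other path and command line is made up, and the services.exe-to-cmd.exe loopback-share heuristic is an assumption about smbexec-style tooling, not something the report states.

```python
import ntpath  # Windows path semantics regardless of the host OS

# Web-accessible Exchange/IIS roots where a web shell would be dropped.
EXCHANGE_WEB_ROOTS = ("\\frontend\\httpproxy\\", "\\clientaccess\\", "\\inetpub\\wwwroot\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
LATERAL_TOOLS = {"atexec.exe", "smbexec.exe", "psexec.exe", "psexec64.exe"}
TRUSTED_AUTORUN_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def normalize_image_path(raw: str) -> str:
    """Canonicalise a service ImagePath: strip quotes and NT object prefixes,
    expand \\SystemRoot and the bare 'system32\\' form the SCM accepts, lower-case."""
    p = raw.strip().strip('"').lower()
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p


def rule_exchange_webshell_write(ev):
    """IIS worker process creating an .aspx file inside a web-accessible root."""
    if ev.get("type") != "FileCreate" or ntpath.basename(ev["Image"]).lower() != "w3wp.exe":
        return None
    target = ev["TargetFilename"].lower()
    if not target.endswith(".aspx") or not any(root in target for root in EXCHANGE_WEB_ROOTS):
        return None
    # The PowerShell app pool is the ProxyNotShell execution context named in the report.
    severity = "critical" if "msexchangepowershellapppool" in ev.get("CommandLine", "").lower() else "high"
    return ("exchange_webshell_write", severity, ev["TargetFilename"])


def rule_kernel_driver_nonstandard_path(ev):
    """Type=1 (kernel driver) service whose binary lives outside System32\\drivers."""
    if ev.get("type") != "ServiceCreate" or ev.get("Type") != 1:
        return None
    path = normalize_image_path(ev["ImagePath"])
    if path.startswith(DRIVER_DIR):
        return None
    return ("kernel_driver_nonstandard_path", "high", f"{ev['ServiceName']} -> {path}")


def rule_lateral_movement_tooling(ev):
    """Known remote-execution tools by name, plus a server-side heuristic."""
    if ev.get("type") != "ProcessCreate":
        return None
    image = ntpath.basename(ev["Image"]).lower()
    if image in LATERAL_TOOLS:
        return ("lateral_movement_tooling", "high", f"{image} executed")
    # Heuristic (assumption, not from the report): services.exe spawning cmd.exe whose
    # output is redirected to a loopback admin share is the footprint smbexec-style
    # tooling leaves on the target host.
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent == "services.exe" and image == "cmd.exe" and "\\\\127.0.0.1\\" in ev.get("CommandLine", "").lower():
        return ("lateral_movement_tooling", "medium", "services.exe -> cmd.exe with loopback share redirect")
    return None


def rule_run_key_untrusted_path(ev):
    """Run-key value whose target binary is outside Program Files / Windows."""
    if ev.get("type") != "RegistrySetValue" or "\\currentversion\\run\\" not in ev["TargetObject"].lower():
        return None
    exe = ev.get("Details", "").strip('"').lower()
    if exe.startswith(TRUSTED_AUTORUN_PREFIXES):
        return None
    return ("run_key_untrusted_path", "high", f"{ntpath.basename(ev['TargetObject'])} -> {ev['Details']}")


RULES = (rule_exchange_webshell_write, rule_kernel_driver_nonstandard_path,
         rule_lateral_movement_tooling, rule_run_key_untrusted_path)


def run_rules(events):
    """Return every (rule_name, severity, detail) triggered by the event stream."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample events: two that should stay quiet (a w3wp.exe log write and a
# driver correctly installed under System32\drivers) and four that should alert.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangePowerShellAppPool" -v "v4.0"',
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\key.aspx"},
    {"type": "FileCreate", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"',
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\HttpProxy_2026.LOG"},
    {"type": "ServiceCreate", "ServiceName": "vmflt", "Type": 1,
     "ImagePath": r"\??\C:\ProgramData\USOShared\vmflt.sys"},
    {"type": "ServiceCreate", "ServiceName": "examplefilter", "Type": 1,
     "ImagePath": r"system32\DRIVERS\examplefilter.sys"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"cmd.exe /Q /c whoami ^> \\127.0.0.1\ADMIN$\__output 2^>^&1"},
    {"type": "RegistrySetValue",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HamachiNet",
     "Details": r"C:\Recovery\LMIGuardianSvc.exe"},
]

if __name__ == "__main__":
    for name, severity, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{severity.upper():8}] {name}: {detail}")
```

The normalisation step matters for the driver rule: the service control manager accepts `\??\C:\...`, `\SystemRoot\System32\drivers\...` and bare `system32\drivers\...` spellings for the same file, so a rule that string-matches the raw ImagePath either misses the legitimate forms or, worse, treats an NT-prefixed path outside the drivers directory as benign.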
Deploy in-memory YARA scanners and memory forensics capabilities to detect characteristic FamousSparrow Deed RAT patterns, including the magic values 0xFF66ABCD, 0xDEED4554, and 0x46B78C45, LZNT1-compressed payloads following RC4 decryption, and ELF hash-based API resolution techniques used by the malware.
Initial Access: T1190 (Exploit Public-Facing Application)
Persistence: T1505.003 (Web Shell), T1543.003 (Windows Service), T1547.001 (Registry Run Keys / Startup Folder)
Execution: T1569.002 (Service Execution), T1059.001 (PowerShell)
Defense Evasion: T1574.002 (DLL Side-Loading), T1140 (Deobfuscate/Decode Files or Information), T1562 (Impair Defenses), T1027 (Obfuscated Files or Information), T1055 (Process Injection), T1014 (Rootkit), T1036.005 (Match Legitimate Resource Name or Location)
Credential Access: T1078.002 (Domain Accounts)
Lateral Movement: T1021.001 (Remote Desktop Protocol), T1021.002 (SMB/Windows Admin Shares)
Discovery: T1016 (System Network Configuration Discovery)
Resource Development: T1583.001 (Domains)
Command and Control: T1071.001 (Web Protocols), T1573.002 (Asymmetric Cryptography)
Malicious File Paths: C:\TEMP\LMIGuardianSvc.exe, C:\TEMP\lmiguardiandll.dll, C:\TEMP\.hamachi.lng, C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe, C:\ProgramData\USOShared\USOShared.exe, C:\ProgramData\USOShared\winmm.dll, C:\ProgramData\USOShared\vmflt.sys, C:\Recovery\ (Wave 3 staging directory)
Web Shell Filenames: key.aspx, log.aspx, errorFE_.aspx, signout_.aspx, xboxs.sys
Registry Keys: HKLM\SYSTEM\CurrentControlSet\Services\vmflt\Type (value: 1), HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HamachiNet, HKCU\SOFTWARE\Microsoft\LogMeIn Hamachi
Command-and-Control Domains: virusblocker[.]it[.]com, sentinelonepro[.]com
Command-and-Control URLs: hxxps[:]//virusblocker[.]it[.]com/12156011215601, hxxps[:]//sentinelonepro[.]com
Mutex Identifiers: HJBNDusadnfy3278rnhsdaf, HJKMNbxzcv9876asdfghj
Service Names: LogMeIn Hamachi, HamachiNet, vmflt
Magic Values: 0xFF66ABCD, 0xDEED4554, 0x46B78C45
MD5 Hashes: 0554f3b69d39d175dd110d765c11347a, 762f787534a891eca8aa9b41330b4108, 505b55c2b68e32acb5ad13588e1491a5
Microsoft Security Response Center – CVE-2022-41040 ProxyNotShell Advisory
Microsoft Security Response Center – CVE-2022-41082 ProxyNotShell Advisory
Bitdefender – FamousSparrow APT Targets Azerbaijani Oil & Gas Industry
Bitdefender GitHub – FamousSparrow Indicators of Compromise
HivePro – Salt Typhoon Cyber Attacks Hit 200 Organizations in the United States