{"id":245156,"date":"2026-05-13T09:00:00","date_gmt":"2026-05-13T13:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/13\/azerbaijani-energy-firm-hit-by-repeated-microsoft-exchange-exploitation\/"},"modified":"2026-05-13T10:50:06","modified_gmt":"2026-05-13T14:50:06","slug":"azerbaijani-energy-firm-hit-by-repeated-microsoft-exchange-exploitation","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/13\/azerbaijani-energy-firm-hit-by-repeated-microsoft-exchange-exploitation\/","title":{"rendered":"Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html\">Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html\">https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html<\/a><\/p>\n<p>Publish Date: 2026-05-13 09:00:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">May 13, 2026<\/span><\/span><span class=\"p-tags\">Cyber Espionage \/ Malware<\/span><\/p>\n<p>A threat actor with affiliations to China has been linked to a &#8220;multi-wave intrusion&#8221; targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting.<\/p>\n<p>The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as <strong>FamousSparrow<\/strong> (aka UAT-9244), which shares some level of tactical overlap with clusters tracked under the monikers Earth Estries and Salt Typhoon.<\/p>\n<p>The attack paves the way for the deployment of two distinct backdoors 
across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad that&#8217;s used by multiple China-nexus espionage groups, and TernDoor, which was recently discovered in attacks targeting telecommunications infrastructure in South America since 2024.<\/p>\n<p>What&#8217;s notable about the campaign is that it repeatedly leveraged the same vulnerable Microsoft Exchange Server entry point despite several remediation attempts, swapping backdoors each time: Deed RAT on December 25, 2025, TernDoor in late January\/early February 2026, and a modified Deed RAT in late February 2026. The attackers are assessed to have exploited the ProxyNotShell chain to obtain initial access.<\/p>\n<p>&#8220;This targeting extends the known FamousSparrow victimology into a region where Azerbaijan&#8217;s role in European energy security has materially increased following the 2024 expiration of Russia&#8217;s Ukraine gas transit agreement and 2026 Strait of Hormuz disruptions,&#8221; the Romanian cybersecurity company said in a report shared with The Hacker News.<\/p>\n<p>&#8220;The intrusion illustrates that actors will exploit and re-exploit the same access path until the original vulnerability is patched, compromised credentials are rotated, and the attacker&#8217;s ability to return is fully disrupted.&#8221;<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"1032\" data-original-width=\"2048\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjsIgFauFZQDetOnnbq3AGDn6TCRga0rwvsUFAwFZ08hIr1jpqD4CmZSiibEWcHxrxqNSegqV7RtRs8fuAdPsprbAkY5xVKe73nhwSBcquMNH8eQV1OI5yEk3ssc0OkaRKXPq94pEuZ5iKaX4Ap3XW789igPTE506TCgBETCWdWQB4KXTTqtDUz8flE6YU2\/s1600\/dll.png\"\/><\/p>\n<p>The initial access is said to have been followed by attempts to deploy web shells to establish a persistent foothold, and ultimately&#8230;<\/p>\n<p><a 
href=\"https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation https:\/\/thehackernews.com\/2026\/05\/azerbaijani-energy-firm-hit-by-repeated.html Publish Date: 2026-05-13 09:00:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":245157,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjOfGXVOYqF2EcrcnYIDCnTYdmWpV-uaZ5nV0_0ukZ8uCk19wFFOax_VvgwO8LtlIkVo8pvcSSBs8Afc66yo2PbiMDjq4UDqnytAqP-Nq8CqTOfEtqwuWRmjbUpRYzqaAXFnRiXozR34fXAPE8O6Gcix6f08Sped3oVUXcjIOTE04N8IInA0qVeG0Sc6LzB\/s1600\/energy-cyberattack.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,35,32,34,27],"class_list":["post-245156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-hacker","tag-malware","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245156"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=245156"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245156\/revisions"}],"predecessor-version":[{"id":245158,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245156\/revisions\/245158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\
/wp-json\/wp\/v2\/media\/245157"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=245156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=245156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=245156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}