TelcoNews Australia - Telecommunications news for ICT decision-makers
Bitdefender finds FamousSparrow energy sector campaign

Thu, 14th May 2026
Sean Mitchell, Publisher

Bitdefender has identified a cyber-espionage campaign by the China-linked group FamousSparrow targeting an oil and gas company in Azerbaijan, in what it describes as the group's first documented move into energy infrastructure in the South Caucasus.

The intrusion unfolded in multiple waves between December 2025 and late February 2026. According to Bitdefender's research, the attackers exploited vulnerabilities in a Microsoft Exchange server to gain initial access, then repeatedly returned over roughly two months despite remediation efforts.

The findings suggest a shift in FamousSparrow's known targeting. The group has previously been linked to operations against telecoms, government and technology organisations, but the Azerbaijan case points to a move into energy as supply chains come under strain and networks become more digitised.

Azerbaijan has taken on a larger role in supplying energy to Europe, increasing the strategic importance of infrastructure in the South Caucasus. Against that backdrop, any attempt to access systems linked to oil and gas production and distribution carries added significance.

How it unfolded

The operation showed a level of persistence more commonly associated with long-term intelligence gathering than opportunistic cyber crime. Across three waves, the attackers deployed several backdoor families, including Deed RAT and Terndoor.

One notable element was an updated method tied to Deed RAT. Researchers identified a DLL sideloading technique that delays malicious execution until a legitimate application process is already running, a tactic intended to reduce the chance of detection by security tools.

The attackers also showed they could return through the same point of entry after defenders had tried to remove them. Bitdefender said this reflects a broader problem for operators of critical systems: incomplete remediation can leave the original route open even after an incident appears contained.

Infrastructure risk

The case is likely to draw attention beyond the Caucasus because energy systems in other regions face similar technical exposure. Utilities, pipeline operators and energy producers rely on increasingly interconnected digital environments, while many still depend on internet-facing systems that can create openings for intrusion if patching and monitoring fall behind.

That concern extends to Asia-Pacific markets, where governments and companies are investing heavily in liquefied natural gas, renewable generation, and more automated grid and industrial systems. As those networks grow more complex, cybersecurity specialists have warned that the attack surface can expand faster than defensive processes mature.

In that context, the Azerbaijan intrusion offers another example of how geopolitical and industrial targets can overlap in cyberspace. Access to an energy company's systems may serve intelligence-gathering purposes, but it can also expose operational data, internal communications and network layouts that would be sensitive during any period of regional tension.

The report stops short of claiming any disruption to energy flows, but frames the campaign as a sign that state-linked threat groups are broadening their focus to economic infrastructure with wider geopolitical importance. For companies in energy supply chains, that increases pressure to strengthen both prevention and incident response.

Repeat access

One of the clearest findings was the attackers' repeated re-entry. Rather than finding a new weakness each time, the group was able to return through the same initial access path, suggesting patching or follow-up controls did not fully close the gap.

That matters because many organisations still treat remediation as a one-off technical fix rather than a broader review of exposure, credentials, persistence mechanisms and monitoring. Security teams often need to determine not only how attackers got in, but also what else changed while they were inside the network.

Bitdefender said operators of critical infrastructure should prioritise patching internet-facing systems, maintain continuous monitoring for unusual activity and assume a breach may already have occurred when investigating suspicious events. Its findings underline how a single exposed service can become the basis for a sustained campaign if follow-up action is incomplete.