ONE Sentinel

Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

Source: The Hacker News
Date: May 13, 2026

EXECUTIVE SUMMARY

Chinese-Linked Hackers Exploit Microsoft Exchange in Azerbaijani Energy Sector

Summary

A Chinese-affiliated threat actor, FamousSparrow, has been linked to multiple cyber intrusions targeting an Azerbaijani oil and gas company. The intrusions took place from late December 2025 to late February 2026 and exploited vulnerabilities in Microsoft Exchange.

Key Points

  • The threat actor is associated with China and identified as FamousSparrow (UAT-9244).
  • The attacks targeted an unnamed Azerbaijani oil and gas company.
  • The intrusion campaign spanned from late December 2025 to late February 2026.
  • Bitdefender attributed the activity to FamousSparrow with moderate-to-high confidence.
  • The attack involved exploiting Microsoft Exchange vulnerabilities.

Analysis

This incident highlights the persistent threat posed by state-affiliated hacking groups targeting critical infrastructure sectors. The use of Microsoft Exchange vulnerabilities underscores the importance of timely patch management and monitoring for unusual activity. The involvement of a known group like FamousSparrow suggests a strategic interest in energy sector data, likely for geopolitical or economic intelligence.

Conclusion

IT professionals should prioritize patching Microsoft Exchange servers and implement robust monitoring to detect unusual access patterns. Awareness of state-affiliated threat actors and their tactics is crucial for strengthening defenses against similar intrusions.