Bitdefender has uncovered a sophisticated cyber-espionage campaign linked to the China-aligned threat group FamousSparrow, marking a significant escalation into the global energy sector and exposing critical infrastructure risks at a time of heightened geopolitical instability.
The research details a multi-wave intrusion targeting an Azerbaijani oil and gas company between December 2025 and late February 2026. The operation signals a strategic shift, extending FamousSparrow’s known activity beyond telecoms, government, and technology sectors into energy infrastructure in the South Caucasus, a region now central to European energy security. This development comes at a critical moment. Azerbaijan’s role as a key energy supplier to Europe has expanded sharply following the expiration of Russia’s Ukraine gas transit agreement and ongoing disruptions in the Strait of Hormuz, which have constrained global energy flows.
Against this backdrop, cyber targeting of energy infrastructure introduces a new layer of risk to already fragile supply chains, while global energy systems undergo rapid transformation. As Europe diversifies supply and Asia accelerates investment in LNG and renewable infrastructure, the underlying systems managing energy production and distribution are becoming more complex and digitally dependent. This shift is expanding the attack surface, often faster than organisations can secure it, creating new opportunities for threat actors to exploit gaps during periods of transition.
Bitdefender’s investigation reveals a sustained and highly adaptive campaign. Attackers exploited vulnerabilities in a Microsoft Exchange server to establish initial access, returning repeatedly over a two-month period despite remediation efforts. Across three distinct waves, they deployed multiple backdoor families, including Deed RAT and Terndoor, demonstrating persistence and operational discipline more consistent with long-term espionage than opportunistic attacks.
A key technical finding is the evolution of the Deed RAT malware. Bitdefender researchers identified a novel DLL sideloading technique that delays malicious execution until legitimate application processes are fully underway. This “execution gating” approach allows the malware to evade traditional detection tools, highlighting a broader trend toward stealthier, more resilient attack methods.
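As an added illustration of how a defender might triage for the sideloading behaviour described above (not code from Bitdefender or the report), the following heuristic flags DLLs that carry the name of a well-known Windows system DLL yet load from the host application's own directory instead of a system directory, and records how long after process start each such load occurred so that delayed, "gated" activity stands out. The pipe-delimited event format, the sample events and the list of impersonated DLL names are all constructed assumptions.

```python
"""Triage of image-load events for application-directory DLL sideloading.

Added example, not Bitdefender's code. Event format (ts|pid|image|dll) and
the DLL-name list are assumptions; a "-" in the dll field marks process start.
"""
from datetime import datetime
from pathlib import PureWindowsPath

# System DLL names commonly impersonated by sideloaded DLLs (assumed list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: app.exe pulls version.dll from its own folder; svchost
# loads the genuine one from System32 and must not be flagged.
SAMPLE_EVENTS = [
    "2026-01-15T09:00:00|4120|C:\\Program Files\\Vendor\\app.exe|-",
    "2026-01-15T09:00:01|4120|C:\\Program Files\\Vendor\\app.exe|C:\\Windows\\System32\\kernel32.dll",
    "2026-01-15T09:00:01|4120|C:\\Program Files\\Vendor\\app.exe|C:\\Program Files\\Vendor\\version.dll",
    "2026-01-15T09:00:00|5010|C:\\Windows\\System32\\svchost.exe|-",
    "2026-01-15T09:00:00|5010|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\version.dll",
]


def parse_event(line):
    ts, pid, image, dll = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "image": image, "dll": dll}


def suspicious_loads(lines):
    """Return (pid, dll_path, seconds_after_process_start) for sideload candidates."""
    events = [parse_event(l) for l in lines if l.strip()]
    start = {}
    for e in events:                       # first event per pid is process start
        start.setdefault(e["pid"], e["ts"])
    hits = []
    for e in events:
        if e["dll"] == "-":
            continue
        dll_path = PureWindowsPath(e["dll"])
        same_dir_as_image = dll_path.parent == PureWindowsPath(e["image"]).parent
        in_system_dir = str(dll_path).lower().startswith(SYSTEM_DIRS)
        if dll_path.name.lower() in SYSTEM_DLL_NAMES and same_dir_as_image and not in_system_dir:
            delay = (e["ts"] - start[e["pid"]]).total_seconds()
            hits.append((e["pid"], str(dll_path), delay))
    return hits


if __name__ == "__main__":
    for pid, dll, delay in suspicious_loads(SAMPLE_EVENTS):
        print(f"pid {pid}: {dll} loaded {delay:.0f}s after start")
```

The delay column is context for an analyst, not a filter: a system-named DLL loaded from the application directory is worth inspecting regardless of timing, and a long gap before that process's first unusual activity is what the report's description of execution gating would look like in telemetry.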
The research also underscores a critical defensive gap. The attackers repeatedly re-entered the environment through the same initial access point, even after remediation efforts. This reflects a broader pattern in advanced threat activity: attackers no longer need new vulnerabilities; they exploit incomplete remediation and return through the same door.
Beyond the technical details, the broader implication is strategic. This is the first documented instance of FamousSparrow targeting energy infrastructure in the South Caucasus, expanding the known geographic and sectoral footprint of China-linked advanced persistent threat activity into broader economic pressure points. The convergence of cyber-espionage and energy geopolitics raises the stakes. As global energy systems become more interconnected and contested, cyber operations are emerging as a parallel vector for influence, intelligence gathering, and potential disruption.
Bitdefender advises organisations operating critical infrastructure to prioritise patching of internet-facing systems, implement continuous monitoring for anomalous activity, and adopt a breach-assumption mindset that focuses on rapid detection and response.
The full research report is available HERE.