FamousSparrow APT targets Azerbaijani energy sector

China-linked FamousSparrow APT has targeted an Azerbaijani oil and gas company with repeated cyberattacks spanning late December 2025 through late February 2026, according to research published by Bitdefender Labs. The multi-wave intrusion represents a significant geographic and sectoral expansion for the threat actor, which has historically focused on hospitality, government, and telecommunications infrastructure across North America, Asia-Pacific, and the Middle East.

According to ESET Research, FamousSparrow is a Chinese cyberespionage group active since at least 2019, known for rapid exploitation of disclosed vulnerabilities and use of the SparrowDoor backdoor—a tool exclusively deployed by this threat cluster. The group gained notoriety in March 2021 when it exploited the ProxyLogon vulnerability in Microsoft Exchange servers just one day after Microsoft disclosed the flaw. ESET researchers had tracked no publicly documented FamousSparrow activity between 2022 and early 2025, but recent investigations revealed the group remained active during the gap, developing upgraded tooling including two previously undocumented versions of SparrowDoor featuring improved code quality, modular architecture, and command parallelization.

The latest variants of SparrowDoor represent marked technical progress, with one variant resembling the CrowDoor backdoor attributed to the Earth Estries APT cluster by Trend Micro. FamousSparrow also deployed ShadowPad, a privately sold backdoor known to be supplied exclusively to China-aligned threat actors—marking the first documented use of this tool by FamousSparrow. Bitdefender attributed the intrusion to FamousSparrow with moderate-to-high confidence, noting the actor’s willingness to exploit and re-exploit the same access paths repeatedly until underlying vulnerabilities are patched and compromised credentials are rotated.

The targeting of Azerbaijani energy infrastructure reflects a notable shift in Chinese espionage priorities. Azerbaijan’s strategic importance to European energy security increased materially following the expiration of Russia’s Ukraine gas-transit agreement in 2024 and disruptions in the Strait of Hormuz in early 2026. Bitdefender observed that Chinese APT activity is now visibly moving westward into the South Caucasus region, signaling an expanded focus on energy infrastructure in regions of geopolitical importance.

The expansion into the energy sector complements reports of FamousSparrow activity targeting South American telecommunications networks under the related moniker UAT-9244 since 2024. Cisco Talos tracks this cluster as using TernDoor, PeerTime, and BruteEntry malware against critical telecom infrastructure. Defenders at energy firms, particularly in strategically sensitive regions, should assume elevated risk from Chinese cyberespionage groups and prioritize patch management, credential hygiene, network segmentation, and threat hunting for SparrowDoor, ShadowPad, and related implants.
