China-linked hackers exploit Exchange

- A China‑linked group exploited a Microsoft Exchange ProxyNotShell chain to breach an Azerbaijani energy company, then deployed multiple backdoors for persistence.
- The intruders focused on control‑adjacent systems like mail and admin interfaces to enable lateral movement and credential theft.
- Reports underline that exposed Exchange servers remain high‑value trust anchors requiring highest‑tier remediation and detection. (cybersecuritynews.com) (scworld.com)

A China-linked espionage group called FamousSparrow used an exposed on-premises Microsoft Exchange server to break into an unnamed Azerbaijani oil and gas company, according to research published by Bitdefender on May 13. Bitdefender said it attributed the activity to FamousSparrow with “moderate-to-high confidence” and tracked the intrusion from late December 2025 through late February 2026. (bitdefender.com)

The entry point matters. Microsoft has described Exchange Server as a business-critical “crown jewel” and said ProxyNotShell bugs continued to be exploited long after fixes were issued. Microsoft’s guidance on the 2022 flaws says ProxyNotShell combined CVE-2022-41040, a server-side request forgery issue, with CVE-2022-41082, a remote code execution flaw reachable when PowerShell was exposed to an authenticated attacker. (microsoft.com)

Bitdefender’s account says the attackers did not just get in once. The company said the same Exchange access path was reused across three waves, with the operators returning after remediation attempts and changing payloads as they went. SC Media, citing The Hacker News, said the first deployment was Deed RAT on Dec. 25, 2025, followed by TernDoor in late January or early February 2026, and then a modified Deed RAT in late February 2026. (bitdefender.com)

That repeat access is the clearest fact in the case. Bitdefender said the operation showed attackers will “exploit and re-exploit the same access path” until the vulnerability is patched, credentials are rotated and return paths are closed. Microsoft separately said successful Exchange compromises have enabled web-shell deployment, lateral movement and data theft while evading detection for extended periods. (bitdefender.com)

The malware mix also stands out. Bitdefender said the campaign used two backdoor families — Deed RAT and Terndoor — across three separate waves and included an evolved DLL sideloading method rather than a simple file swap. SC Media reported that one variant used the legitimate LogMeIn Hamachi binary in the sideloading chain. (bitdefender.com)

The victim was not publicly named. Bitdefender identified it only as an Azerbaijani oil and gas company, and said the case extended FamousSparrow’s previously reported targeting into South Caucasus energy infrastructure. The company said prior public reporting had linked the group to telecom, government and technology targets across the United States, Asia-Pacific, the Middle East and South Africa. (bitdefender.com)

The broader lesson is about trust anchors inside enterprise networks. Exchange often sits close to identity, administration and internal communications, which is why a single unpatched server can become a launch point for persistence and movement. CISA said in a September 2025 advisory that China state-sponsored actors use compromised devices and trusted connections to pivot into other networks and maintain long-term access. (cisa.gov)

For defenders, the reporting points to a response sequence rather than a single fix. Microsoft says affected Exchange systems should be fully updated, while Bitdefender’s findings indicate that patching alone is not enough after an intrusion if credentials, web shells or other footholds remain. The Bitdefender report published May 13, 2026, is the primary source for the technical timeline and malware details in this case. (microsoft.com)
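The ProxyNotShell chain described above (CVE-2022-41040 SSRF reaching the CVE-2022-41082 PowerShell endpoint) leaves a recognisable request shape in Exchange front-end IIS logs, which is the same shape Microsoft's URL Rewrite mitigation blocked: an Autodiscover request whose query string carries an "@" host redirect and the word "powershell". The following added example (not code from the article, Bitdefender or Microsoft) parses a constructed W3C-format IIS log excerpt and counts such requests per source IP, as a first triage step when checking whether an exposed server was probed before patching; the log lines, IP addresses and hostnames are constructed sample data.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed IIS W3C log excerpt (sample data, not from the article). The two
# 203.0.113.7 requests have the ProxyNotShell shape: an Autodiscover request whose
# query carries an "@" host redirect and reaches the PowerShell endpoint.
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-12-25 03:14:07 203.0.113.7 POST /autodiscover/autodiscover.json @attacker.invalid/powershell 200
2025-12-25 03:14:09 203.0.113.7 POST /autodiscover/autodiscover.json @attacker.invalid/Powershell?X-Rps-CAT=aaaa 200
2025-12-25 03:15:00 198.51.100.4 POST /autodiscover/autodiscover.xml - 200
2025-12-25 03:16:30 198.51.100.9 GET /owa/auth/logon.aspx - 200
"""

# Mirrors the request shape Microsoft's URL Rewrite mitigation blocked:
# Autodiscover path, an "@" in the query, and "powershell" later in the query.
_STEM = re.compile(r"autodiscover", re.IGNORECASE)
_QUERY = re.compile(r"@.*powershell", re.IGNORECASE)


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text using its #Fields: header for column names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_proxynotshell_shape(row: Dict[str, str]) -> bool:
    """True when the request matches the Autodiscover-to-PowerShell pattern."""
    return bool(_STEM.search(row.get("cs-uri-stem", ""))
                and _QUERY.search(row.get("cs-uri-query", "")))


def suspicious_sources(log_text: str) -> Dict[str, int]:
    """Count matching requests per client IP; any non-empty result needs triage."""
    hits = Counter(r["c-ip"] for r in parse_w3c(log_text) if is_proxynotshell_shape(r))
    return dict(hits)


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_IIS_LOG).items():
        print(f"{ip}: {n} ProxyNotShell-shaped request(s)")
```

A hit only shows that the request shape reached the server, not that exploitation succeeded; as the reporting above stresses, a positive result should trigger the full sequence of patching, credential rotation and a search for web shells and other footholds.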
