China's 'FamousSparrow' APT Targets Azerbaijan Energy Firm in First Known China-Aligned Cyber Espionage in the South Caucasus
China-linked APT group FamousSparrow has breached an Azerbaijani oil-and-gas company, marking the first known China-aligned cyber espionage in the South Caucasus region.

China-linked APT group FamousSparrow has breached an Azerbaijani oil-and-gas company in the South Caucasus region, marking the first known China-aligned cyber espionage operation in Azerbaijan, according to research Bitdefender published today. The attack, which ran from late December to late February, used a novel two-stage DLL sideloading technique to evade sandbox detection and deploy the Deed RAT remote access tool. Operational technology networks were not compromised, but the incident signals a geographic expansion of Chinese cyber operations into a region traditionally dominated by Russian intelligence activity.
The South Caucasus corridor — comprising Armenia, Azerbaijan, and Georgia — has become an increasingly important energy artery for the European Union, serving 16 nations with gas exports that have grown 56% over the past five years. Russia has historically used cyber espionage and attacks to exert influence in the region, particularly around its 2008 invasion of northern Georgia. Bitdefender's findings suggest China is now following the economic ripples, targeting countries where it has not always taken an interest.
FamousSparrow's technique in this campaign involved a two-stage DLL sideloading mechanism that gates the payload behind a specific execution path. The malicious library prepares the staging and payload but does not execute it until the legitimate executable follows an expected sequence of instructions, so neither the library nor the payload exhibits malicious behavior when examined in isolation, which makes analysis and sandbox detection significantly more difficult. "If you analyze all the pieces on their own, you can't see anything; they don't have any malicious behavior individually," said Martin Zugec, technical solutions director at Bitdefender.
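Because the gated payload shows no behavior in a sandbox, a defender is better served by watching the load itself than the payload. The following is an added example, not code from the article or from Bitdefender, of a load-time heuristic for DLL sideloading: it flags a DLL whose name belongs to a Windows system library but which is resolved from the host executable's own directory without a valid signature. The record shape imitates Sysmon Event ID 7 (Image loaded) fields, and the system-DLL inventory and sample records are constructed for illustration; a real deployment would build the inventory from an actual System32 listing.

```python
"""Added example: flag DLL-sideloading candidates in image-load telemetry.

Assumptions (not from the article): records mimic Sysmon Event ID 7
("Image loaded") fields, and SYSTEM_DLLS is a constructed inventory that a
defender would generate from a real System32 directory listing.
"""
import ntpath

# Directories from which Windows normally resolves its own DLLs.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed inventory: names of DLLs that live in System32 on a stock install.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}


def _in_system_dir(path: str) -> bool:
    """True when the file sits in (or under) one of the Windows system directories."""
    folder = ntpath.dirname(path).lower().rstrip("\\")
    return any(folder == d or folder.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_sideload_candidate(ev: dict) -> bool:
    """Return True when an image-load record matches the sideloading pattern:
    a system-DLL name resolved from outside the system directories, located in
    the same directory as the host executable, and lacking a valid signature.
    Vendor-redistributed copies that carry a valid signature are deliberately
    left alone to keep the heuristic from drowning in benign hits."""
    loaded = ev["ImageLoaded"]
    host = ev["Image"]
    name = ntpath.basename(loaded).lower()
    if name not in SYSTEM_DLLS:
        return False
    if _in_system_dir(loaded):
        return False
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(host).lower()
    unsigned = ev.get("SignatureStatus", "").lower() != "valid"
    return same_dir and unsigned


def find_sideload_candidates(events):
    """Return the loaded-image paths of every record that looks like a sideload."""
    return [ev["ImageLoaded"] for ev in events if is_sideload_candidate(ev)]


# Constructed sample records in Sysmon Event ID 7 shape (not real telemetry).
SAMPLE_EVENTS = [
    # Normal: a system DLL loaded from System32.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "SignatureStatus": "Valid"},
    # Suspicious: system-DLL name, beside the host binary, no valid signature.
    {"Image": r"C:\Users\Public\Tools\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\version.dll",
     "SignatureStatus": "Unavailable"},
    # Normal: a vendor's own library, not a system-DLL name.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll",
     "SignatureStatus": "Unavailable"},
    # Edge case: a redistributed system DLL with a valid signature is not flagged.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\dbghelp.dll",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("sideload candidate:", hit)
```

The heuristic keys on where a library was resolved from and whether it is signed, not on what it does once loaded, which is exactly the property that survives a payload gated behind an execution path the sandbox never takes. The signature check is a triage filter, not proof of safety; a hit should be reviewed alongside the host process's provenance and the DLL's hash.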
The group, first detected in 2021 by ESET, has previously targeted hotels, government agencies, and financial organizations in North America, Europe, South America, and the Middle East. While some researchers have posited that FamousSparrow and the infamous Salt Typhoon are the same group, ESET malware researcher Alexandre Côté Cyr said in a recent analysis that FamousSparrow appears to be its own distinct cluster with loose links to others, possibly through shared third-party tooling.
The initial access vector in this case was a vulnerable Microsoft Exchange server that was not patched after the first detection. The unnamed oil-and-gas company detected the attack on specific workstations and cleaned those systems, but the underlying vulnerability remained, allowing FamousSparrow to return for two subsequent attacks. "This attack could be prevented if the victim would follow the basic security best practices that we've been teaching for many, many years," Zugec said. "This is a really good example of: if you don't fix the underlying problem, they will come back."
The incident underscores a broader trend of Chinese APTs pushing into Russia's traditional sphere of influence, leveraging a centralized knowledge base of tools and techniques that propagate across groups. Bitdefender observed that once a tool or technique appears in one Chinese state-sponsored attack, it often spreads to others. The attack also highlights the persistent risk posed by unpatched internet-facing servers, even after an initial compromise is cleaned.