CyberWire Daily - This Sparrow doesn't migrate. [Research Saturday]
Episode Date: June 13, 2026
Martin Zugec, Technical Solutions Director at Bitdefender, discussing their work on "FamousSparrow APT Targets Azerbaijani Oil and Gas Industry." Bitdefender researchers uncovered a sustained cyber espionage campaign by the China-linked FamousSparrow group targeting an Azerbaijani oil and gas company, highlighting the growing focus on critical energy infrastructure in the South Caucasus. The attackers repeatedly exploited the same vulnerable Microsoft Exchange server over multiple months, deploying evolving versions of Deed RAT and Terndoor malware through sophisticated DLL sideloading techniques designed to evade detection and maintain persistence. The operation underscores FamousSparrow's adaptability and persistence, demonstrating how advanced threat actors continually refine their tooling and return to compromised environments until vulnerabilities are fully remediated and access is cut off. The research and executive brief can be found here: FamousSparrow APT Targets Azerbaijani Oil and Gas Industry
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems and
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
As Russia is focusing more and more on Europe and the Ukraine, of course,
we are seeing a little bit of conflict between Russian and Chinese APTs.
So we pay a lot of attention to countries that are areas of interest for these two powers.
That's Martin Zugec, Technical Solutions Director at Bitdefender. The research we're discussing today is titled FamousSparrow APT Targets Azerbaijani Oil and Gas Industry.
Well, take us through the research. What initially caught your attention here and what did you
discover? So what initially got our attention was actually old news because we found some of the malware,
Deed RAT, for example, Mofu, Terndoor, that is associated with the FamousSparrow group.
But what we found out early on is that these malware samples are slightly modified compared to what is publicly known.
So that is always a sign that the part of portfolio from the APT keeps developing and keeps changing.
So we are always interested in following anytime we find new version of the known malware,
it is something that we pay a lot of attention.
So we started following the whole case, the whole incident,
and we discovered there is actually quite a lot of new stuff,
and that's how this research came together.
So it started with us finding modified version of known malware,
and then we started discovering the whole operation behind it.
Well, reading through the research, there were three waves of activity.
What changed each time?
Can you take us through what you all saw?
Yes, so exactly, there were three waves of activity,
and all of them came through the same door.
So all of them came through the Exchange server.
So ProxyShell, ProxyNotShell, we call it internally ProxyHell,
as kind of all-encompassing.
Right.
It's really nothing new because we are seeing,
we've been talking about it since 2022.
More and more threat actors are focused on vulnerability exploits.
And every single year, this is becoming more obvious.
So this was one of those cases where you have one of these services
that is commonly targeted.
You don't patch it.
It's only question of time.
who and how many threat actors will get inside the same door.
So what we saw here was three separate waves of attack,
every time focusing on ProxyShell exploitation of Microsoft Exchange,
but every time using slightly different version of the malware
where they were trying to establish persistence to this environment.
We've also seen the victim in this case, in this ongoing operation,
they tried to clean it up, but unfortunately they never closed the door that the attackers used.
So they came back with a different set of malware.
Who was the victim in this case?
The research mentions Azerbaijan oil and gas industry, folks.
Is that the degree to which we can identify them?
Yes, it is.
Fair enough.
What do we suppose the attackers were after here?
Is this an espionage kind of thing?
Are they looking to gain control?
Any insights there?
So in this case, it was almost certainly espionage operation.
The reason why we decided to name the country and industry
is that Azerbaijan is becoming critically important for Europe and European Union.
We documented, we didn't go too much into geopolitical implications here,
but Azerbaijan has been expanding its role as a strategic energy partner for Europe, including Germany, Austria, I believe they signed
the contracts in the last 12 months or so.
So this is definitely important energy partner for Europe.
And that's what we believe.
And again, it's pretty much always, I would say, an educated guess, because in cyber espionage,
you never have all the information.
So you need to make a lot of assumptions based on what you see.
And again, in this case, what we can see is that this was, in our opinion, espionage operation
specifically because how Azerbaijan is becoming more important for Europe.
I see.
The research mentions the use of DLL side loading and particular techniques with that.
Can you explain to us what that means and why the threat actors may have selected this technique?
So for me, if we put aside,
like all geopolitical implications,
the DLL side loading was the most interesting part of this research.
Now, before we get to what is new about this one,
if you don't mind, let me just briefly talk about DLL side loading in general.
Please.
So DLL side loading is defense evasion technique,
where the threat actors are actually relying on the behavior of the Windows operating system.
And what they are going to find is that they will use legitimate process.
And when you run that process, it's going to load the libraries where the functions are
available in the program.
And they can either replace the library with malicious library that has the same name.
That is the most common method.
And pretty much what you are going to do is that if you are defender and you are monitoring,
you are going to see, let's say, Outlook.exe,
legitimate process signed by Microsoft in this case,
and on execution it is going to load library.
That is malicious.
So that is DLL side loading.
Now, a couple of years ago,
and the last few weeks are kind of blending together,
so I cannot say when,
but we started noticing DLL side loading appearing more and more.
We actually did like a detailed explainer when we first encountered it
because there was not enough information for what we were seeing.
The most important takeaway is following, in my opinion.
So when we saw DLL side loading being used as an effective technique,
in a very short time, the same technique was adopted by various different APT groups.
and then by financially motivated cyber criminals.
So there was a very short time between this is new technique,
well, the technique itself is known for a long time,
but this is kind of new technique that is becoming more popular,
until the moment when this became like a commodity technique
across especially the Chinese APT ecosystem.
So there is a lot of theories behind,
one thing that we are seeing with all these advanced APT groups,
there must be, for the lack of better words,
I'm going to call it academies for teaching offensive researchers.
So what we are seeing very often is one group comes up with new approach
and very quickly all the groups from the same ecosystem
are going to adopt that technique.
Why it matters is that anytime we discover a new advanced version of, for example, DLL side loading,
even if we found it in specific country, in this case Azerbaijan,
it's really critical to pay attention because you are going to see the same technique
used by other APT groups in the next few months, essentially.
So that is why even though the research is specifically focused on oil and gas industry in Azerbaijan,
this specific technique is really critical
because, again, we believe this will be adopted
by multiple groups with different workloads
in the next few months.
So that is kind of a high level, a little bit of history and why this matters.
Now, I can tell you what was new and different about the DLL side loading in this case, maybe?
Yeah, please.
So typically, as I mentioned, the way how DLL side loading works is you have legitimate process, legitimate executable.
When you execute it, it's going to locate library that have been replaced.
It's going to load that library and execute malicious code inside.
We have a lot of detection technology that is already looking at this, looking at unusual locations,
and this behavior.
What was advanced in this case
is that the malicious code itself
is not initialized
when the library is loaded.
Instead, there were multiple subsequent steps
and when they all work together,
only then malicious code is executed.
So when the host executable
is going to be executed in this case,
it's going to load malicious DLL.
And it's going to trigger one of
the functions. The function in this malicious library is just going to patch one of the APIs in
memory to create a hook. It is not going to execute anything malicious and then it's going to stop
working. Going back to that legitimate process that loaded this library and executed one of the
functions, it will continue with execution until it comes to the moment in the
execution when it's going to call another function from the same library.
And it is the second function that is going to pretty much execute the loader from the API
and restore the payload and execute it.
So what this means is that typically the detection that we are seeing in these malicious libraries,
they are typically looking, hey, am I running in the sandbox?
Is this virtual environment?
there is a load of logic like this.
In this case, this is not needed because this advanced DLL side loading
is completely hidden from security sandboxes.
So if the sandbox is going to execute it,
it is most probably, in most cases, just going to say,
hey, all of this is completely clean.
I haven't seen anything suspicious.
And that's because it's happening in multiple stages?
Yes.
And you need to execute the
stages in a specific order. So for example, if you will have a look at this library, try to
analyze what are exported functions, which functions are available to you, and then you will
try to execute those functions one by one, there is not going to be any malicious behavior.
You need to execute those functions kind of in the same session and in specific order, and
only then it becomes malicious.
So for any kind of analysis, this is actually going to be really hard to observe.
I remember when we were working on this research, I immediately went, okay, let me have a look at virus total.
And this was like completely undetected by all the engines.
Now, the research mentions deployment of a couple of backdoor families.
You've got Deed RAT and Terndoor.
What part do they play in all this?
Yes, so there were a couple of different backdoors that they've used.
And pretty much all of this was for the threat actors after initial access, again, same door every single time.
They were just trying to use some of these backdoors that are well known to us.
The only thing that was interesting for us is that there were slight modifications between them.
Some bits have been changed.
So again, for us, this is kind of the proof that
the toolkit itself continues being actively developed and modified.
What are the opportunities for detection here? If I'm a defender, what should I be looking for?
So we shared, as we always do, the complete list of IOCs is publicly available,
which we are doing every single time. My recommendation, the reason why we share this
is also giving opportunities for other security companies to test out this
new technique of DLL side loading and making sure that their technology is able to recognize
and detect when this is happening. Typically with DLL side loading attacks, it is a combination
of legitimate executable with malicious DLL. We documented which executable was used in this case.
But as I mentioned before, DLL side loading, it is not vulnerability of specific executable. It is
legitimate behavior of Windows operating system that are the threat actors abusing.
So again, like, we are pretty sure that we are not only going to see the same technique used by different groups,
but we are also going to see different executables that are vulnerable to the same execution flow.
You mentioned that the victim organization had discovered some things and had efforts to remove the malware,
but ultimately they were not successful.
Why did they come up short?
So that is something that I have very strong opinions about again.
We have been documenting for many years,
how the threat actors again are very actively looking for internet-facing services and abusing them.
And we are still seeing organizations,
are very slow in patching,
and they still don't understand how the time to exploit
is shortening dramatically.
So there is a lot, a lot of reports and numbers related
to how quickly are these new vulnerabilities weaponized.
Typically, last year, we've been talking
when there is new vulnerability and POC is available,
you have less than 24 hours before weaponization is industrialized,
is what I would call.
So again, this is another example of an attack that we've seen many and many and many times over the last few weeks.
We did have interesting research in 2024 or 2025, where one of these exposed Internet-facing services was compromised as well.
And the customer hadn't patched this for a month, which like a few years ago leaving something unpatched for a month
was not considered such a big deal.
But for example, what we've seen with this victim,
again, from different research,
was that within a month after the vulnerability was announced,
so pretty much like 24 hours after vulnerability was discovered,
we started seeing attacks.
One month later, we have seen 70 different threat actors
occupying the same machine in the DMZ.
So, again, whether you are looking at ransomware groups, initial access brokers, APTs,
for all of them, any internet-facing service,
any vulnerability that leads to remote code execution,
is immediately like a huge target that they will start focusing on.
What are ultimately the takeaways here,
based on the information you all have gathered and shared,
what do you hope people come away with?
So one of the key takeaways here should be
it is important to pay attention to research
even if it is not in your geo.
So as I mentioned before,
we actually spent quite a lot of time discussing
how to address something like this
because it is oil and gas,
it's in Azerbaijan.
And at the same time, we believe everyone should pay attention to this research because
it is talking about technique that is going to be used everywhere very soon. So again, one of the
takeaways should be understand how APT groups are working together, how they are sharing the
knowledge. And this is different for different countries. I would say they have different approach
to this. But again, for example, with Chinese APTs, what we are seeing is anytime
one of the groups comes up with a new or improved technique, all of them are going to adopt it
real quick.
Our thanks to Martin Zugec from Bitdefender for joining us. The research is titled
FamousSparrow APT Targets Azerbaijani Oil and Gas Industry. We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire. We'd love to know what you think
of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at
N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.