China's 'FamousSparrow' APT Nests in South Caucasus Energy Firm - Dark Reading
The cyberthreat group targets an Azerbaijani oil and gas firm with repeated attacks, as the China-linked actors extend targeting beyond hospitality, telecom, and government sectors.
Robert Lemos,Contributing Writer
May 13, 2026
As oil-and-gas supplies have become increasingly disrupted in the Middle East and Eastern Europe, Russia- and China-linked cyber espionage groups have followed the economic ripples, targeting countries in which they have not always taken an interest.
In the latest example, the China-linked FamousSparrow group has targeted an Azerbaijani oil-and-gas company in the South Caucasus region, which sits between Iran, Turkey, and Russia, according to research published by cybersecurity firm Bitdefender today. The group used a unique sideloading technique for dynamic link libraries (DLLs) that allowed it to evade some defenses and install remote access tools, the firm stated. The company's operational technology (OT) networks were not affected.
While Russian cyberthreat groups have targeted companies in the region, this is the first time that China-linked groups have been discovered in Azerbaijani industries, says Martin Zugec, technical solutions director at Bitdefender.
"This definitely looks like a targeted attack based on everything we've seen," he says. "China-aligned APTs are pushing at Russia's traditional sphere of influence, whereas before, it was staying away from it."
The South Caucasus region — comprising Armenia, Azerbaijan, and Georgia — has become an increasingly important energy corridor for the European Union, serving 16 nations with gas exports that have grown 56% over the past five years. Russia has typically taken a geopolitical interest in the region, often turning to cyber espionage and cyberattacks as a way to exert influence, especially around its 2008 invasion of northern Georgia.
The latest research suggests that China has begun to focus on South Caucasus with its own cyber operations.
Is FamousSparrow Flocking With Salt Typhoon?
The FamousSparrow operations in Azerbaijan appear to have started in late December, and lasted until the end of February, according to Bitdefender's research. The tools discovered in the attack have shown signs of improvement, including the addition of a two-stage mechanism for sideloading malware using DLLs, and modifications to the Deed RAT remote access tool.
The DLL sideloading change gates the payload behind a specific execution path, so it runs only if the host application follows an expected sequence of instructions, which makes analysis and sandbox detection more difficult, the researchers stated in the analysis.
FamousSparrow has targeted firms across the globe, but Azerbaijan marks a new front. Source: Bitdefender
"The malicious library will just prepare the staging and the payload, and not execute it, and as the legitimate executable is going through the process of execution, all the little pieces of the puzzle are being put in place, and then suddenly it becomes malicious," Bitdefender's Zugec says. "If you analyze all the pieces on their own, you can't see anything; they don't have any malicious behavior individually."
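The staged loader described above only reaches its payload once a legitimate, usually signed, executable has loaded a look-alike DLL from its own directory, so the earliest point a defender can see is that initial image load. The following is an added example, not Bitdefender's or Dark Reading's code and not specific to FamousSparrow's loader: it runs a simple search-order-hijack heuristic over the "Key: value" message bodies of Sysmon Event ID 7 (Image loaded) records and flags DLLs whose name belongs to a Windows system library but which resolved from the executable's own directory without a valid Microsoft signature. The DLL watch-list, the scoring weights, the alert threshold and the four sample events are constructed assumptions for the demo.

```python
"""Triage Sysmon Event ID 7 (Image loaded) records for DLL sideloading candidates.

Added example; not Bitdefender's or Dark Reading's code. The watch-list,
scoring weights, threshold and sample events are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ntpath import basename, dirname  # Windows path handling on any OS

# Constructed watch-list: DLL names that normally live under System32 and are
# common search-order hijacking targets. Derive it from a real inventory in production.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ALERT_THRESHOLD = 4  # assumed cut-off; tune against your own baseline


@dataclass
class Finding:
    image: str
    image_loaded: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def parse_sysmon_message(text: str) -> dict[str, str]:
    """Turn the 'Key: value' lines of a Sysmon event message body into a dict."""
    record: dict[str, str] = {}
    for line in text.strip().splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.*)$", line)
        if m:
            record[m.group(1)] = m.group(2).strip()
    return record


def assess_image_load(rec: dict[str, str]) -> Finding | None:
    """Score one Event ID 7 record; return a Finding when it reaches the threshold."""
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return None
    finding = Finding(image, loaded)
    dll_name = basename(loaded).lower()
    in_system_dir = loaded.lower().startswith(SYSTEM_DIRS)
    # 1. A system-DLL name resolved from somewhere other than the system directory.
    if dll_name in SYSTEM_DLL_NAMES and not in_system_dir:
        finding.score += 3
        finding.reasons.append(f"{dll_name} resolved outside the Windows system directory")
    # 2. The DLL sits beside the executable: the classic sideloading layout.
    if dirname(loaded).lower() == dirname(image).lower() and not in_system_dir:
        finding.score += 1
        finding.reasons.append("DLL loaded from the executable's own directory")
    # 3. Signature evidence: unsigned/invalid, or a system name with a non-Microsoft signer.
    signed = rec.get("Signed", "").lower() == "true"
    status = rec.get("SignatureStatus", "")
    signer = rec.get("Signature", "")
    if not signed or status.lower() != "valid":
        finding.score += 2
        finding.reasons.append(
            f"no valid Authenticode signature (Signed={rec.get('Signed', '?')}, SignatureStatus={status or '?'})"
        )
    elif dll_name in SYSTEM_DLL_NAMES and "microsoft" not in signer.lower():
        finding.score += 2
        finding.reasons.append(f"system DLL name signed by '{signer}' rather than Microsoft")
    return finding if finding.score >= ALERT_THRESHOLD else None


def triage(messages: list[str]) -> list[Finding]:
    """Run the heuristic over raw Event ID 7 message bodies and keep the hits."""
    hits: list[Finding] = []
    for text in messages:
        finding = assess_image_load(parse_sysmon_message(text))
        if finding:
            hits.append(finding)
    return hits


# Constructed sample events (hashes and GUIDs omitted or obviously fake).
SAMPLE_EVENTS = [
    r"""Image loaded:
UtcTime: 2026-01-14 09:12:33.101
ProcessId: 4120
Image: C:\Users\analyst\AppData\Local\Temp\vendor\updater.exe
ImageLoaded: C:\Users\analyst\AppData\Local\Temp\vendor\version.dll
Hashes: SHA256=CONSTRUCTED
Signed: false
Signature: -
SignatureStatus: Unavailable
User: CORP\analyst""",
    r"""Image loaded:
UtcTime: 2026-01-14 09:12:40.555
ProcessId: 912
Image: C:\Windows\System32\svchost.exe
ImageLoaded: C:\Windows\System32\version.dll
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
    r"""Image loaded:
UtcTime: 2026-01-14 09:13:02.007
ProcessId: 5210
Image: C:\Program Files\Vendor\tool.exe
ImageLoaded: C:\Program Files\Vendor\libcurl.dll
Signed: true
Signature: Vendor Corp
SignatureStatus: Valid""",
    r"""Image loaded:
UtcTime: 2026-01-14 09:13:02.118
ProcessId: 5210
Image: C:\Program Files\Vendor\tool.exe
ImageLoaded: C:\Program Files\Vendor\version.dll
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[score {hit.score}] {hit.image} -> {hit.image_loaded}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

The unsigned version.dll loaded from a Temp directory beside its host executable scores 6 and is the case that deserves an immediate look; the Microsoft-signed copy shipped inside a vendor's own folder scores 4 and is worth a baseline check but is often legitimate redistribution. A staged, execution-path-gated payload like the one Bitdefender describes will not show malicious behaviour in static review of the DLL alone, which is exactly why the trigger here is the load location and signer rather than file content.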
First detected in 2021 by cybersecurity firm ESET, FamousSparrow has targeted hotels, government agencies, and financial organizations in North America, Europe, South America, and the Middle East. Azerbaijan appears to be a new focus, Zugec says.
While other researchers have posited that FamousSparrow and the infamous Salt Typhoon are the same group, or significantly overlapping groups, there is not enough information to link the two, Alexandre Côté Cyr, a malware researcher with ESET, said in a recent analysis of FamousSparrow. Microsoft originally named Salt Typhoon, and has not released indicators of compromise that would help others to determine whether they are analyzing the same group, he says.
"FamousSparrow appears to be its own distinct cluster with loose links to the others," such as Salt Typhoon (which many also link to Earth Estries) and GhostEmperor, Côté Cyr says. "We believe those links are better explained by positing the existence of a shared third party, such as a digital quartermaster, than by conflating all of these disparate clusters of activity into one."
China's Central Armory of APT Tools & Malware?
A central repository of knowledge for Chinese threat groups would also explain Bitdefender's observation that once a tool or technique appears in one attack by a Chinese state-sponsored actor, it often appears to propagate out to other groups linked to China.
"One thing that you can see across all of these groups is that if one of them comes up with a new technique, then probably all of them will start copying it," Bitdefender's Zugec says. "With Chinese APTs we are seeing that there is some kind of centralized knowledge about what works and what doesn't."
Some companies have allowed these groups to build on that knowledge through poor cyber hygiene. In the latest case, the unnamed oil-and-gas company detected the attack on specific workstations and cleaned those systems, but the initial access vector, a vulnerable Microsoft Exchange server, was not fixed. FamousSparrow swooped in for two subsequent attacks as a result.
Doing a full incident analysis and patching vulnerable systems could go a long way to keeping out the attackers, Bitdefender's Zugec says.
"This attack could be prevented if the victim would follow the basic security best practices that we've been teaching for many, many years," he says. "This is a really good example of if you don't fix the underlying problem, they will come back."