Between December 2025 and February 2026, a China-linked threat actor repeatedly exploited the ProxyNotShell vulnerability chain in Microsoft Exchange to break into a major Azerbaijani energy company, deploying several backdoors in succession and showing persistent, detection-evading tradecraft.

  • Repeated exploitation of ProxyNotShell in Microsoft Exchange servers over three months
  • Deployment of advanced backdoors with evolving malware and DLL side-loading evasion
  • Targeting energy sector infrastructure critical to European and regional energy supply

Threat signal

This prolonged campaign is a highly persistent intrusion that began with ProxyNotShell against the company's Microsoft Exchange servers, first exploited in this campaign in December 2025 (the chain itself, CVE-2022-41040 chained with CVE-2022-41082, was disclosed and patched in late 2022). The attacker deployed multiple backdoors, rotating malware families such as Deed RAT and TernDoor to keep and escalate access across successive waves of activity. The evolving DLL side-loading, in which legitimate signed binaries are dropped alongside attacker-controlled DLLs so that the trusted executable loads the payload, is aimed squarely at evading endpoint detection and application control.

The attackers' repeated return to the same initial access vector, despite remediation attempts, shows that patching alone, without credential rotation and a thorough sweep of the environment for residual access, leaves an organization open to re-exploitation. The adaptive nature of the operation reflects the operational discipline typical of state-affiliated espionage groups and underlines the need for continuous monitoring well beyond the initial incident response.

Operator exposure

Energy sector operators, particularly those running on-premises Microsoft Exchange, face critical exposure from vulnerabilities like ProxyNotShell, which yield remote code execution on an internet-facing server and a durable foothold. The targeted Azerbaijani firm holds strategic importance because of its role in European energy security, which makes this incident especially relevant for operators whose supply chains depend on regional infrastructure.

The attack progression further underscores the risk of lateral movement inside a compromised network, combined with redundant footholds placed so that access survives remediation. Operators need to recognize that applying the patch is insufficient if compromised credentials or backdoors remain active, since those put the entire network, including critical process controls, at risk of espionage or disruption.

What teams should watch

Security teams should prioritize endpoint and network monitoring for indicators of ProxyNotShell exploitation and for anomalous DLL side-loading, particularly where legitimate signed utilities such as the LogMeIn Hamachi executable are abused to load attacker DLLs. Detection should focus on multi-stage execution chains (web server process to dropped binary to side-loaded DLL) and on network patterns that match the command-and-control infrastructure associated with the observed tactics.
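The two detections described above, as an added example rather than code from the original briefing or from The Hacker News: the first scans Exchange IIS logs for the ProxyNotShell request shape (the "autodiscover.json ... @ ... powershell" URI that Microsoft's interim URL Rewrite mitigation matched), the second scans Sysmon ImageLoad (Event ID 7) style records for a trusted executable loading an unsigned DLL from its own, non-standard directory. The log lines, image-load records, IP addresses, directory names and the Hamachi-related file names are constructed placeholders, not indicators from the incident.

```python
import re
from pathlib import PureWindowsPath

# --- 1. ProxyNotShell request shape in Exchange IIS logs ---------------------
# ProxyNotShell chains CVE-2022-41040 (SSRF through the Autodiscover front end)
# with CVE-2022-41082 (code execution via the PowerShell back end). The request
# URI therefore contains "autodiscover.json", an "@" and a "powershell" segment.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed IIS W3C log lines for illustration (not from the incident).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
IIS_LOG = """\
2025-12-03 08:12:44 198.51.100.7 GET /autodiscover/autodiscover.json @example.org/powershell/&Email=autodiscover/autodiscover.json%3f@example.org 200
2025-12-03 08:12:51 198.51.100.7 POST /autodiscover/autodiscover.json @example.org/powershell/&Email=autodiscover/autodiscover.json%3f@example.org 200
2025-12-03 08:15:10 192.0.2.20 GET /owa/ - 200
2025-12-03 08:16:22 192.0.2.21 POST /autodiscover/autodiscover.xml - 200
"""


def find_proxynotshell_requests(log_text: str) -> list[dict]:
    """Return time, client IP, method, URI and status of every request whose
    stem plus query string matches the ProxyNotShell shape."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip W3C header lines
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, client, method, stem, query, status = parts[:7]
        uri = stem if query == "-" else f"{stem}?{query}"
        if PROXYNOTSHELL_RE.search(uri):
            hits.append({"time": f"{date} {time}", "client": client,
                         "method": method, "uri": uri, "status": status})
    return hits


# --- 2. DLL side-loading: trusted binary loading an untrusted DLL ------------
# Side-loading drops a legitimately signed executable next to an attacker DLL
# bearing a name the executable expects, so the DLL is resolved from the
# executable's own directory. Sysmon Event ID 7 records both paths and the
# DLL's signature state, which is enough for a first-pass rule.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed ImageLoad records (not from the incident). The Hamachi executable
# and DLL names are placeholders chosen for illustration.
IMAGE_LOADS = [
    {"Image": r"C:\Users\Public\Music\hamachi-2-ui.exe",
     "ImageLoaded": r"C:\Users\Public\Music\libeay32.dll",
     "Signed": "false", "Signature": "-"},
    {"Image": r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe",
     "ImageLoaded": r"C:\Program Files (x86)\LogMeIn Hamachi\libeay32.dll",
     "Signed": "true", "Signature": "LogMeIn, Inc."},
]


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def suspicious_sideloads(events: list[dict]) -> list[dict]:
    """Flag loads of an unsigned DLL from the same directory as the executable
    when that directory lies outside the standard install roots (a typical
    user-writable drop location such as Public, Temp or ProgramData)."""
    flagged = []
    for ev in events:
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        same_dir = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
        unsigned = ev.get("Signed", "").lower() != "true"
        if same_dir and unsigned and not _in_trusted_dir(str(dll)):
            flagged.append({"process": str(exe), "dll": str(dll)})
    return flagged


if __name__ == "__main__":
    for hit in find_proxynotshell_requests(IIS_LOG):
        print("ProxyNotShell-shaped request:", hit)
    for load in suspicious_sideloads(IMAGE_LOADS):
        print("Suspicious side-load:", load)
```

Both rules are deliberately narrow so they can be tuned: the first will also match benign ProxyNotShell scanners, which is still worth seeing on an Exchange server, and the second will miss a side-load where the attacker signs the DLL or drops the pair under Program Files, so pair it with a baseline of which signed binaries are expected to exist at all on the host.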

Incident response should also go beyond immediate patching: rotate credentials (including Exchange service accounts and any accounts the web server process could reach), run forensic audits for residual malware or backdoors, and confirm that every attacker persistence mechanism has been removed before closing the incident. Cross-functional collaboration between IT, security operations and energy-sector asset owners is critical to identify, contain and recover from intrusions of this kind quickly.

Source assisted: This briefing began from a discovered source item from The Hacker News.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published.