Noisy Bear Attacks Kazakhstan’s Energy Sector

08.09.2025 2 minutes Author: Newsman

A new group, Noisy Bear, allegedly linked to Russia, has launched a phishing campaign, Operation BarrelFire, against employees of the energy company KazMunaiGas in Kazakhstan.

According to Seqrite Labs, the campaign began in April 2025 and targeted employees of KazMunaiGas in the finance and IT departments. The attackers sent phishing emails with ZIP archives that contained an LNK file loader, a fake document on behalf of the IT department, and instructions in Russian and Kazakh.

Once launched, the files deployed a malicious script that downloaded the DOWNSHELL PowerShell loader, and later a DLL implant with reverse shell functions. Researchers found that the campaign’s infrastructure was hosted on the servers of Aeza Group in Russia, a well-known bulletproof hosting provider recently sanctioned by the US.
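For defenders, the delivery pattern described above (a ZIP attachment carrying a Windows shortcut next to a decoy document) can be checked at the mail gateway. The sketch below is an added example, not code from the article or from Seqrite Labs; the function name, verdict labels and sample archives are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
DECOY_EXTS = (".doc", ".docx", ".pdf", ".rtf", ".txt", ".xls", ".xlsx")

def triage_zip(data: bytes) -> dict:
    """Report shortcut files and document-type entries in a ZIP attachment."""
    report = {"lnk": [], "decoys": [], "verdict": "clean"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["verdict"] = "unreadable"
        return report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            try:
                with archive.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                head = b""  # encrypted or unsupported entry: rely on the name
            # Match on content first so a renamed shortcut is still caught.
            if head == LNK_MAGIC or name.endswith(".lnk"):
                report["lnk"].append(info.filename)
            elif name.endswith(DECOY_EXTS):
                report["decoys"].append(info.filename)
    if report["lnk"]:
        # Hypothetical policy: shortcut plus decoy matches the lure layout.
        report["verdict"] = "quarantine" if report["decoys"] else "review"
    return report

def _build_sample(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples; none of these are artefacts from the campaign.
_FAKE_LNK = LNK_MAGIC + b"\x00" * 56
SAMPLE_LURE = _build_sample({"schedule.lnk": _FAKE_LNK,
                             "policy.docx": b"decoy", "readme.txt": b"steps"})
SAMPLE_RENAMED = _build_sample({"invoice.pdf": _FAKE_LNK})
SAMPLE_BENIGN = _build_sample({"report.pdf": b"%PDF-1.7"})
```
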

These attacks come amid a broader wave of espionage and criminal operations in the region. In particular, the Ghostwriter (UNC1151) group, linked to Belarus, has been attacking Ukraine and Poland since April 2025 using malicious ZIP and RAR archives. In Poland, hackers have even used Slack as a data exfiltration channel.

In parallel, the OldGremlin, Cloud Atlas, PhantomCore and Scaly Wolf groups have become more active in Russia, conducting phishing campaigns and distributing malicious tools such as Phantom Stealer, VBShower, and others. In addition, a new Android Trojan has been discovered that masquerades as FSB antivirus and collects data from business users.

The Noisy Bear attacks demonstrate that the Central Asian energy sector is becoming an increasingly attractive target for state and parastate groups. Phishing campaigns, combined with the use of powerful tools, indicate a long-term strategy to destabilize the region and gather intelligence.
