Noisy Bear Targets Kazakhstan Energy Sector With BarrelFire Phishing Campaign

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan.

The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.

“The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments,” security researcher Subhajeet Singha said.

The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named “KazMunayGaz_Viewer.”

The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025.

The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.

Further analysis of the threat actor’s infrastructure has revealed that it’s hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities.

The development comes as HarfangLab linked a Belarus-aligned threat actor known as Ghostwriter (aka FrostyNeighbor or UNC1151) to campaigns targeting Ukraine and Poland since April 2025 with rogue ZIP and RAR archives that are aimed at collecting information about compromised systems and deploying implants for further exploitation.

“These archives contain XLS spreadsheets with a VBA macro that drops and loads a DLL,” the French cybersecurity company said. “The latter is responsible for collecting information about the compromised system and retrieving next-stage malware from a command-and-control (C2) server.”

Subsequent iterations of the campaign have been found to write a Microsoft Cabinet (CAB) file along with the LNK shortcut to extract and run the DLL from the archive. The DLL then proceeds to conduct initial reconnaissance before dropping the next-stage malware from the external server.

The attacks targeting Poland, on the other hand, tweak the attack chain to use Slack as a beaconing mechanism and data exfiltration channel, downloading in return a second-stage payload that establishes contact with the domain pesthacks[.]icu.

At least in one instance, the DLL dropped through the macro-laced Excel spreadsheet is used to load a Cobalt Strike Beacon to facilitate further post-exploitation activity.

“These minor changes suggest that UAC-0057 may be exploring alternatives, in a likely attempt to work around detection, but prioritizes the continuity or development of its operations over stealthiness and sophistication,” HarfangLab said.

Cyber Attacks Reported Against Russia

The findings come amid OldGremlin’s renewed extortion attacks on Russian companies in the first half of 2025, targeting as many as eight large domestic industrial enterprises using phishing email campaigns.

The intrusions, per Kaspersky, involved the use of the bring your own vulnera…

Original article can be found here

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.