

Ethical Hacking News

Noisy Bear: A New Threat Actor Targets Kazakhstan's Energy Sector



Noisy Bear, a new Russian-speaking threat actor, has been linked to attacks targeting Kazakhstan's energy sector. According to Seqrite Labs, Noisy Bear has been active since at least April 2025, and its tactics are reminiscent of other high-profile threat actors like Ghostwriter and HarfangLab.

  • Noisy Bear, a new threat actor, has been linked to attacks targeting Kazakhstan's energy sector.
  • Noisy Bear is believed to be a Russian-speaking group active since at least April 2025.
  • The group launched a phishing email campaign in May 2025 aimed at KazMunaiGas employees.
  • Attacks involved a Windows shortcut (LNK) downloader, a PowerShell loader dubbed DOWNSHELL, and a DLL-based implant.
  • Noisy Bear's tactics are reminiscent of other threat actors like Ghostwriter and HarfangLab.
  • The group is exploring alternatives to stealthy tactics in favor of continuity and development of its operations.



    The threat landscape has recently taken a turn for the worse with the emergence of Noisy Bear, a new threat actor that has been linked to attacks targeting Kazakhstan's energy sector. According to Seqrite Labs, a threat intelligence firm, Noisy Bear is believed to be a Russian-speaking group that has been active since at least April 2025.

    The first signs of activity came from a phishing email campaign aimed at KazMunaiGas employees in May 2025. The emails were sent from a compromised account and contained a ZIP attachment with a Windows shortcut (LNK) downloader, as well as a decoy document and a README.txt file. The LNK file payload was designed to drop additional payloads, including a malicious batch script that paved the way for a PowerShell loader dubbed DOWNSHELL.
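
The attachment layout described above (a ZIP carrying an LNK shortcut next to a decoy document and a README.txt) can be screened before delivery. The following Python triage check is an added example, not code from Seqrite Labs or from the original article; the function names, the decoy extension list, and the sample archive with its file names are constructed assumptions.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Assumed list of document types an attacker might ship as a decoy.
DECOY_EXTS = (".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx", ".txt")


def triage_zip(data: bytes) -> dict:
    """Return which archive members are shortcuts and which look like decoys."""
    shortcuts, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            # Check content as well as extension so a renamed shortcut is caught.
            if name.endswith(".lnk") or head == LNK_MAGIC:
                shortcuts.append(info.filename)
            elif name.endswith(DECOY_EXTS):
                decoys.append(info.filename)
    return {
        "shortcuts": shortcuts,
        "decoys": decoys,
        # A shortcut shipped next to documents matches the layout described above.
        "quarantine": bool(shortcuts) and bool(decoys),
    }


def build_sample(members: dict) -> bytes:
    """Build a constructed in-memory ZIP for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: file names are invented, contents are placeholders.
    sample = build_sample({
        "Schedule.lnk": LNK_MAGIC + b"\x00" * 56,
        "Schedule.docx": b"placeholder decoy",
        "README.txt": b"placeholder instructions",
    })
    print(triage_zip(sample))
```

Password-protected archives cannot be read this way and should be routed to manual review rather than passed through.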

    Further analysis revealed that Noisy Bear's infrastructure is hosted on Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the US in July 2025 for enabling malicious activities. The attacks culminated with the deployment of a DLL-based implant, a 64-bit binary that could run shellcode to launch a reverse shell.

    Noisy Bear's tactics, techniques, and procedures (TTPs) are reminiscent of other threat actors known as Ghostwriter and HarfangLab. However, the way Noisy Bear has tailored its attack vectors to target specific industries and organizations suggests a level of sophistication and expertise that is not commonly seen in threat actor communities.

    The attacks targeting Poland, on the other hand, tweak the attack chain to use Slack as a beaconing mechanism and data exfiltration channel, downloading in return a second-stage payload that establishes contact with the domain pesthacks[.]icu. This suggests that Noisy Bear is exploring alternatives to stealthy tactics in favor of continuity and development of its operations.

    The emergence of Noisy Bear marks a significant shift in the threat landscape, as it highlights the growing sophistication and diversity of threat actors operating in the space. As organizations continue to navigate the complex world of cybersecurity threats, it is essential that they remain vigilant and proactive in protecting themselves against emerging threats like Noisy Bear.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Noisy-Bear-A-New-Threat-Actor-Targets-Kazakhstans-Energy-Sector-ehn.shtml

  • https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html

  • https://undercodenews.com/cyber-storm-2025-kazakhstan-energy-sector-under-fire-amid-global-wave-of-attacks/

  • https://cybersecuritynews.com/researchers-detailed-the-ghostwriter-apt-infrastructure/

  • https://en.wikipedia.org/wiki/Ghostwriter_(hacker_group)


  • Published: Sat Sep 6 11:17:07 2025 by llama3.2 3B Q4_K_M












