

Ethical Hacking News

Noisy Bear Campaign: A New Threat Actor Targets Kazakhstan's Energy Sector



A new threat actor has been linked to a series of attacks targeting the energy sector in Kazakhstan, highlighting the growing threat landscape in the region. The Noisy Bear campaign is believed to be conducted by a group possibly of Russian origin and delivers fake documents and malware to compromise systems. As organizations and individuals seek to protect themselves against such threats, it's essential to stay informed about the latest developments and best practices for mitigating cyber threats.

  • A new threat actor, Noisy Bear, has been linked to a series of attacks targeting the energy sector in Kazakhstan.
  • The campaign, Operation BarrelFire, is believed to be conducted by a group possibly of Russian origin.
  • Threat actor delivered fake documents related to KazMunaiGas IT department via phishing emails.
  • Infection chain begins with phishing email containing ZIP attachment and LNK file payload.
  • Threat actor's infrastructure hosted on Russia-based Aeza Group, sanctioned by the US for enabling malicious activities.
  • New Android malware masquerades as FSB antivirus tool to exfiltrate data from messenger and browser apps.
  • KazMunayGas dismissed Seqrite's report about a new cyber espionage group targeting its employees as a planned phishing test.



    A new threat actor, dubbed Noisy Bear by Seqrite Labs, has been linked to a series of attacks targeting the energy sector in Kazakhstan. The campaign, codenamed Operation BarrelFire, is believed to be conducted by a group possibly of Russian origin.

    According to security researcher Subhajeet Singha, the threat actor delivered fake documents related to the KazMunaiGas IT department, mimicking official internal communication, and leveraging themes such as policy updates, internal certification procedures, and salary adjustments. The emails were sent from a compromised email address in the finance department of KazMunaiGas and targeted other employees.

    The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer". The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL.
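
    A mail-gateway triage check for the archive layout described above, added here as an example and not taken from the Seqrite report: it flags ZIP attachments that bundle a Windows shortcut with a lure document or README, identifying the shortcut by its file header so a renamed LNK is still caught. The function names, verdict labels and sample file names are assumptions, and the sample archive is constructed and inert.

```python
import io
import zipfile

# MS-SHLLINK ShellLinkHeader: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (little-endian GUID encoding).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = (".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx")


def triage_zip(data: bytes) -> dict:
    """Return shortcut entries, lure-like entries and a verdict for one ZIP."""
    shortcuts, docs, readmes = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # read only the header bytes
            # Match on content first so a renamed shortcut is still caught.
            if head == LNK_MAGIC or name.endswith(".lnk"):
                shortcuts.append(info.filename)
            elif name.endswith(DOC_EXTS):
                docs.append(info.filename)
            elif name.rsplit("/", 1)[-1].startswith("readme"):
                readmes.append(info.filename)
    if shortcuts and (docs or readmes):
        verdict = "quarantine"   # shortcut bundled with a lure: the chain above
    elif shortcuts:
        verdict = "review"       # shortcuts in mail archives are rarely legitimate
    else:
        verdict = "pass"
    return {"shortcuts": shortcuts, "docs": docs,
            "readmes": readmes, "verdict": verdict}


def build_sample(names_and_bodies) -> bytes:
    """Build a constructed, inert ZIP in memory for exercising triage_zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in names_and_bodies:
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample([
        ("viewer.lnk", LNK_MAGIC + b"\x00" * 56),  # constructed header, no target
        ("policy_update.docx", b"decoy"),          # constructed lure name
        ("README.txt", b"instructions"),
    ])
    print(triage_zip(sample))
```

    Password-protected archives raise RuntimeError when an entry is opened; a gateway using this check should route those to manual review.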

    Further analysis of the threat actor's infrastructure has revealed that it's hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities. The development comes amid concerns about Russian organizations being targeted by hacking groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf.

    Another cluster of activity involves new Android malware that masquerades as an antivirus tool created by Russia's Federal Security Service (FSB) and singles out representatives of Russian businesses. The apps carry names like SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB.

    The malware exfiltrates data from messenger and browser apps, streams from the phone's camera, and logs keystrokes. To do so, it seeks extensive permissions to access SMS messages, location, audio, and the camera. It also asks to run in the background and requests device administrator rights and access to accessibility services.

    In a recent development, Kazakhstan's state-owned oil and gas company KazMunayGas has dismissed Seqrite's report about a new cyber espionage group targeting its employees as a planned phishing test. The company stated that the screenshots described in the analysis were part of a phishing training test conducted back in May 2025.

    The Noisy Bear campaign is just one example of the growing threat landscape in the region, where Russian-speaking groups are increasingly targeting companies and organizations with sophisticated attacks.

    These attacks highlight the need for increased vigilance and awareness among organizations and individuals to protect against such threats. As the threat landscape continues to evolve, it's essential to stay informed about the latest developments and best practices for mitigating cyber threats.





  • Published: Mon Sep 8 13:18:11 2025 by llama3.2 3B Q4_K_M












