Noisy Bear Launches BarrelFire Phishing Campaign Targeting Kazakhstan’s Energy Sector

A threat actor, possibly of Russian origin, has been linked to a new series of attacks targeting the energy sector in Kazakhstan. This operation, codenamed Operation BarrelFire, is associated with a threat group identified by Seqrite Labs as Noisy Bear. Active since at least April 2025, the campaign specifically targets employees of KazMunaiGas (KMG). The threat actor delivers fake documents that mimic official internal communications, focusing on themes such as policy updates, internal certification procedures, and salary adjustments. Security researcher Subhajeet Singha noted that the infection chain begins with a phishing email containing a ZIP attachment. This attachment includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions in both Russian and Kazakh for running a program named “KazMunayGaz_Viewer.”
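A defender-side triage check for the attachment layout described above (a ZIP carrying a Windows shortcut next to a decoy document and a README), added here as an example and not taken from the Seqrite Labs research. The function names, verdict labels, extension list and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by the Shell Link CLSID
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DOC_EXTS = (".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx")  # assumed list


def triage_zip(data: bytes) -> dict:
    """Classify ZIP members by content and name; flag shortcut-bearing archives."""
    report = {"lnk": [], "documents": [], "readme": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            # Check the header as well as the extension so the member name alone is not trusted
            if head == LNK_MAGIC or lower.endswith(".lnk"):
                report["lnk"].append(name)
            elif lower.endswith(DOC_EXTS):
                report["documents"].append(name)
            elif lower.rsplit("/", 1)[-1].startswith("readme"):
                report["readme"].append(name)
    if report["lnk"]:
        # Shortcut plus a document or run instructions matches the lure layout
        lure = report["documents"] or report["readme"]
        report["verdict"] = "quarantine" if lure else "review"
    return report


def build_sample(with_lnk: bool, lnk_name: str = "Viewer.lnk") -> bytes:
    """Constructed test archive; file names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("policy_update.docx", b"PK constructed decoy")
        zf.writestr("README.txt", b"constructed instructions")
        if with_lnk:
            # Valid header bytes followed by zero padding, no real link target
            zf.writestr(lnk_name, LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample(with_lnk=True)))
    print(triage_zip(build_sample(with_lnk=False)))
```

In a mail gateway or sandbox pipeline the same function would be fed the raw attachment bytes, with the verdict driving quarantine or analyst review.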

The phishing email was reportedly sent from a compromised account belonging to an individual in KMG’s finance department, targeting other employees in May 2025. The LNK file is designed to drop additional malicious payloads, including a batch script that facilitates the execution of a PowerShell loader known as DOWNSHELL. The attacks culminate in the deployment of a DLL-based implant, a 64-bit binary capable of executing shellcode to establish a reverse shell. Further investigation into the threat actor’s infrastructure reveals that it is hosted on the Russia-based bulletproof hosting service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for facilitating malicious activities.

Concurrently, HarfangLab has connected a Belarus-aligned threat actor, known as Ghostwriter (also referred to as FrostyNeighbor or UNC1151), to campaigns targeting Ukraine and Poland since April 2025. These campaigns utilise rogue ZIP and RAR archives to gather information from compromised systems and deploy additional implants for exploitation.

Categories: Cyber Attacks, Phishing Campaigns, Malware Deployment 

Tags: Operation BarrelFire, Noisy Bear, KazMunaiGas, Phishing Email, Windows Shortcut, PowerShell Loader, DLL-based Implant, Bulletproof Hosting, Cybersecurity, Data Exfiltration 
