Kazakhstan Energy Sector Phishing Test Mistaken for Noisy Bear Campaign
Summary
A phishing campaign targeting KazMunayGas employees was initially attributed to the Noisy Bear threat actor. The activity, codenamed Operation BarrelFire, involved phishing emails with malicious attachments designed to deliver a reverse shell. However, KazMunayGas clarified that the campaign was a planned phishing test conducted in May 2025. The campaign utilized a compromised email address from KazMunayGas's finance department to send phishing emails containing a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file. The payloads included a batch script and a PowerShell loader named DOWNSHELL, culminating in the deployment of a DLL-based implant. The infrastructure was hosted on the Russia-based bulletproof hosting service Aeza Group, which was sanctioned by the U.S. in July 2025. The campaign was initially linked to a new threat group tracked by Seqrite Labs as Noisy Bear, active since at least April 2025. Seqrite Labs disputed KazMunayGas's claim that the attack was a security exercise, citing forensic clues and infrastructure overlaps with other Central Asian attacks. The threat activity has geopolitical implications, targeting a state-owned oil and gas company in Kazakhstan, which is a significant player in Europe's energy market.
Timeline
- 06.09.2025 18:13 · 2 articles
  KazMunayGas Phishing Test Mistaken for Noisy Bear Campaign
  The phishing emails impersonated mundane company business, such as reviewing work schedules, incentive systems, and wages. The LNK file payload included a batch script that retrieved the PowerShell loader, DownShell, which undermined the Windows Antimalware Scan Interface (AMSI). The DownShell loader used CreateRemoteThread injection to hijack a normal Windows process and establish a reverse shell for the attackers. Seqrite Labs disputed KazMunayGas's claim that the attack was a security exercise, citing forensic clues and infrastructure overlaps with other Central Asian attacks. The threat activity has geopolitical implications, targeting a state-owned oil and gas company in Kazakhstan, which is a significant player in Europe's energy market.
  Sources:
  - Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test — thehackernews.com — 06.09.2025 18:13
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
Information Snippets
- The phishing campaign, codenamed Operation BarrelFire, targeted KazMunayGas employees with fake documents related to internal communications and salary adjustments.
  First reported: 06.09.2025 18:13 · 2 sources, 2 articles
  Sources:
  - Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test — thehackernews.com — 06.09.2025 18:13
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- The infection chain began with a phishing email containing a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file.
  First reported: 06.09.2025 18:13 · 2 sources, 2 articles
  Sources:
  - Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test — thehackernews.com — 06.09.2025 18:13
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- The LNK file payload dropped additional payloads, including a malicious batch script and a PowerShell loader named DOWNSHELL, culminating in a DLL-based implant.
  First reported: 06.09.2025 18:13 · 2 sources, 2 articles
  Sources:
  - Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test — thehackernews.com — 06.09.2025 18:13
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- The threat actor's infrastructure was hosted on the Russia-based bulletproof hosting service Aeza Group, sanctioned by the U.S. in July 2025.
  First reported: 06.09.2025 18:13 · 2 sources, 2 articles
  Sources:
  - Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test — thehackernews.com — 06.09.2025 18:13
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- The campaign was initially attributed to a new threat group tracked by Seqrite Labs as Noisy Bear, active since at least April 2025.
  First reported: 06.09.2025 18:13 · 2 sources, 2 articles
  Sources:
  - Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test — thehackernews.com — 06.09.2025 18:13
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- KazMunayGas clarified that the campaign was a planned phishing test conducted in May 2025.
  First reported: 06.09.2025 18:13 · 1 source, 1 article
  Sources:
  - Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test — thehackernews.com — 06.09.2025 18:13
- The phishing emails impersonated mundane company business, such as reviewing work schedules, incentive systems, and wages.
  First reported: 11.09.2025 15:00 · 1 source, 1 article
  Sources:
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- The LNK file payload included a batch script that retrieved the PowerShell loader, DownShell, which undermined the Windows Antimalware Scan Interface (AMSI).
  First reported: 11.09.2025 15:00 · 1 source, 1 article
  Sources:
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- The DownShell loader used CreateRemoteThread injection to hijack a normal Windows process and establish a reverse shell for the attackers.
  First reported: 11.09.2025 15:00 · 1 source, 1 article
  Sources:
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- Seqrite Labs disputed KazMunayGas's claim that the attack was a security exercise, citing forensic clues and infrastructure overlaps with other Central Asian attacks.
  First reported: 11.09.2025 15:00 · 1 source, 1 article
  Sources:
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
- The threat activity has geopolitical implications, targeting a state-owned oil and gas company in Kazakhstan, which is a significant player in Europe's energy market.
  First reported: 11.09.2025 15:00 · 1 source, 1 article
  Sources:
  - Russian APT Attacks Kazakhstan's Largest Oil Company — www.darkreading.com — 11.09.2025 15:00
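The attachment layout described in the snippets above (a ZIP holding a Windows shortcut next to a decoy document and a README.txt) is something a mail gateway or analyst can check for mechanically. The Python triage below is an added example, not code from the reporting or from either security vendor; it builds a constructed sample ZIP with hypothetical file names and flags the shortcut-plus-decoy pattern by the Shell Link header rather than by file extension.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")
DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf")


def triage_zip(data: bytes) -> dict:
    """Classify ZIP members and flag the shortcut-beside-decoy layout."""
    findings = {"lnk": [], "decoys": [], "readme": False, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            # Trust the header, not the extension: a renamed .lnk is still a .lnk.
            if name.endswith(".lnk") or head == LNK_MAGIC:
                findings["lnk"].append(info.filename)
            elif name.endswith("readme.txt"):
                findings["readme"] = True
            elif name.endswith(DOC_EXTS):
                findings["decoys"].append(info.filename)
    # A shortcut packed beside a decoy document or README is the reported
    # pattern; a document or README on its own is not flagged.
    findings["suspicious"] = bool(findings["lnk"]) and bool(
        findings["decoys"] or findings["readme"])
    return findings


def build_sample_zip(with_lnk: bool = True) -> bytes:
    """Constructed sample attachment (hypothetical names and contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_lnk:
            # Document-looking name, but the bytes carry the Shell Link header.
            zf.writestr("Work_Schedule.pdf", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Salary_Review.docx", b"decoy placeholder")
        zf.writestr("README.txt", b"constructed decoy text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The header check is what catches the disguised member; an extension-only rule would have passed it as a PDF.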
Similar Happenings
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
EggStreme Fileless Malware Used in Philippine Military Breach
A Chinese APT group has breached a Philippine military company using a previously undocumented fileless malware framework called EggStreme. The malware framework facilitates persistent, low-profile espionage through memory injection and DLL sideloading. The attack began in early 2024 and includes extensive system reconnaissance, lateral movement, and data theft. The EggStreme framework comprises multiple components: EggStremeFuel, EggStremeLoader, EggStremeReflectiveLoader, and EggStremeAgent. The core component, EggStremeAgent, acts as a backdoor enabling system reconnaissance, lateral movement, and data theft via an injected keylogger. The attack aligns with Chinese APT objectives, targeting the Philippines amid geopolitical tensions in the South China Sea.
APT41 targets U.S. trade officials with phishing campaigns amid negotiations
APT41, a China-linked threat group, has been conducting targeted phishing campaigns against U.S. trade officials, law firms, think tanks, and academic organizations. The attacks, impersonating U.S. officials and organizations, aim to steal sensitive data related to U.S.-China trade negotiations. The campaigns have been ongoing since at least January 2025, with a surge in activity observed in July and August 2025. The U.S. House Select Committee on China has issued a formal advisory warning about these activities, linking them to a Beijing-led effort to influence policy deliberations. The FBI is investigating these attacks. The phishing emails impersonate U.S. officials, including Rep. John Robert Moolenaar, and organizations such as the U.S.-China Business Council, to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime. APT41 has been linked to various sophisticated campaigns targeting multiple sectors, including logistics, utility companies, healthcare, high-tech, and telecommunications.
Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.
SectopRAT and Betruger Malware Linked to Play, RansomHub, and DragonForce Ransomware Operations
A September 2024 intrusion involved SectopRAT and Betruger malware, linked to Play, RansomHub, and DragonForce ransomware operations. The attack began with a malicious EarthTime executable, leading to extensive reconnaissance, credential theft, and data exfiltration. The threat actor used multiple tools and techniques to evade detection and prepare for ransomware deployment. The attack started with a malicious file disguised as DeskSoft’s EarthTime application, deploying SectopRAT malware. The threat actor established persistence, created an admin account, and used various tools for reconnaissance and credential theft. They deployed SystemBC, Betruger, and other tools to facilitate their operations. The final goal was ransomware deployment, but no encryption occurred; data was archived and exfiltrated via FTP. The threat actor used multiple defense evasion techniques, including process injection, timestomping, and disabling security features. The tools used in the attack link the threat actor to Play, RansomHub, and DragonForce ransomware operations.