Kazakhstan's KazMunayGas Phishing Test Mistaken for Noisy Bear Campaign
Summary
Hide β²
Show βΌ
Kazakhstan's state-owned oil and gas company KazMunayGas conducted a phishing test in May 2025, which was initially misinterpreted as a cyber espionage campaign by a new threat group named Noisy Bear. The test involved phishing emails targeting KazMunayGas employees with fake documents related to internal communications and policy updates. The phishing emails were sent from a compromised internal email address and included a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file with instructions. The campaign was designed to mimic official internal communications and included themes such as policy updates, internal certification procedures, and salary adjustments. The phishing test was conducted to train employees on identifying and responding to phishing attempts. However, it was mistakenly reported as a cyber espionage campaign by Seqrite Labs, which attributed the activity to a new threat group tracked as Noisy Bear. The threat actor was believed to be of Russian origin and had been active since at least April 2025. The misinterpretation led to speculation about the involvement of a new threat group and the use of sophisticated malware, including a PowerShell loader dubbed DOWNSHELL and a DLL-based implant. The threat actor used a compromised email address belonging to a KazMunayGas finance department employee to send phishing emails. The phishing emails impersonated mundane company business, including reviewing work schedules, incentive systems, and wages. The phishing emails contained a ZIP file with a decoy document and a shortcut (LNK) file named "Salary Schedule.lnk." The LNK file downloaded a batch script, which retrieved the attackers' PowerShell loader named DownShell. DownShell consists of two scripts: one for anti-analysis by undermining the Windows Antimalware Scan Interface (AMSI), and another for CreateRemoteThread Injection to establish a reverse shell. Noisy Bear used a sanctioned Russian bulletproof hosting provider, Aeza Group, to maintain its infrastructure. The threat activity carries geopolitical implications, targeting Kazakhstan's largest oil and gas company, which is state-owned and a significant economic entity. Seqrite Labs found infrastructure and tooling overlaps across other Central Asian attacks, indicating a broader campaign. The incident highlights the importance of clear communication and coordination between cybersecurity researchers and organizations to avoid misinterpretations and ensure accurate reporting of cyber threats.
Timeline
-
11.09.2025 15:00 π° 1 articles
Detailed Analysis of Noisy Bear's Attack Chain and Geopolitical Implications
The article provides a detailed analysis of the phishing emails sent by Noisy Bear, including the use of a compromised internal email address and the content of the phishing emails. The malware used, DownShell, consists of two scripts: one for anti-analysis by undermining the Windows Antimalware Scan Interface (AMSI), and another for CreateRemoteThread Injection to establish a reverse shell. The article also highlights the geopolitical implications of the attack, targeting Kazakhstan's largest oil and gas company, which is state-owned and a significant economic entity. Seqrite Labs found infrastructure and tooling overlaps across other Central Asian attacks, indicating a broader campaign. Noisy Bear used a sanctioned Russian bulletproof hosting provider, Aeza Group, to maintain its infrastructure. The article confirms the initial misinterpretation of the phishing test as a cyber espionage campaign and provides additional details on the threat actor's tactics and techniques.
Show sources
- Russian APT Attacks Kazakhstan's Largest Oil Company β www.darkreading.com β 11.09.2025 15:00
-
06.09.2025 18:13 π° 1 articles
Kazakhstan's KazMunayGas Phishing Test Misinterpreted as Cyber Espionage Campaign
In May 2025, KazMunayGas conducted a phishing test to train employees on identifying and responding to phishing attempts. The test involved sending phishing emails from a compromised internal email address with a ZIP attachment containing a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file with instructions. The phishing emails mimicked official internal communications and included themes such as policy updates, internal certification procedures, and salary adjustments. The phishing test was initially misinterpreted as a cyber espionage campaign by Seqrite Labs, which attributed the activity to a new threat group tracked as Noisy Bear. The misinterpretation led to speculation about the involvement of a new threat group and the use of sophisticated malware, including a PowerShell loader dubbed DOWNSHELL and a DLL-based implant.
Show sources
- Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test β thehackernews.com β 06.09.2025 18:13
Information Snippets
-
KazMunayGas conducted a phishing test in May 2025 to train employees on identifying and responding to phishing attempts.
First reported: 06.09.2025 18:13π° 2 sources, 2 articlesShow sources
- Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test β thehackernews.com β 06.09.2025 18:13
- Russian APT Attacks Kazakhstan's Largest Oil Company β www.darkreading.com β 11.09.2025 15:00
-
The phishing test involved sending emails from a compromised internal email address with a ZIP attachment containing a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file with instructions.
First reported: 06.09.2025 18:13π° 2 sources, 2 articlesShow sources
- Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test β thehackernews.com β 06.09.2025 18:13
- Russian APT Attacks Kazakhstan's Largest Oil Company β www.darkreading.com β 11.09.2025 15:00
-
The phishing emails mimicked official internal communications and included themes such as policy updates, internal certification procedures, and salary adjustments.
First reported: 06.09.2025 18:13π° 2 sources, 2 articlesShow sources
- Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test β thehackernews.com β 06.09.2025 18:13
- Russian APT Attacks Kazakhstan's Largest Oil Company β www.darkreading.com β 11.09.2025 15:00
-
The phishing test was initially misinterpreted as a cyber espionage campaign by Seqrite Labs, which attributed the activity to a new threat group tracked as Noisy Bear.
First reported: 06.09.2025 18:13π° 2 sources, 2 articlesShow sources
- Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test β thehackernews.com β 06.09.2025 18:13
- Russian APT Attacks Kazakhstan's Largest Oil Company β www.darkreading.com β 11.09.2025 15:00
-
The misinterpretation led to speculation about the involvement of a new threat group and the use of sophisticated malware, including a PowerShell loader dubbed DOWNSHELL and a DLL-based implant.
First reported: 06.09.2025 18:13π° 2 sources, 2 articlesShow sources
- Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test β thehackernews.com β 06.09.2025 18:13
- Russian APT Attacks Kazakhstan's Largest Oil Company β www.darkreading.com β 11.09.2025 15:00
-
The threat actor was believed to be of Russian origin and had been active since at least April 2025.
First reported: 06.09.2025 18:13π° 2 sources, 2 articlesShow sources
- Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test β thehackernews.com β 06.09.2025 18:13
- Russian APT Attacks Kazakhstan's Largest Oil Company β www.darkreading.com β 11.09.2025 15:00
-
The phishing test was conducted to train employees on identifying and responding to phishing attempts.
First reported: 06.09.2025 18:13π° 2 sources, 2 articlesShow sources
- Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test β thehackernews.com β 06.09.2025 18:13
- Russian APT Attacks Kazakhstan's Largest Oil Company β www.darkreading.com β 11.09.2025 15:00
Similar Happenings
APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign
The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to MarchβApril 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.
Threat Actor Linked to Play, RansomHub, and DragonForce Ransomware Operations
A threat actor has been identified as being connected to multiple ransomware-as-a-service (RaaS) operations, including Play, RansomHub, and DragonForce. The actor executed a sophisticated intrusion in September 2024, deploying various malware and tools to achieve persistence, escalate privileges, and exfiltrate data. The attack began with a malicious file disguised as DeskSoftβs EarthTime application, which deployed SectopRAT malware. The actor used multiple tools and techniques to evade detection and disable security features, including SystemBC, PowerShell scripts, and legitimate utilities like PsExec. The final goal appeared to be ransomware deployment, but no encryption was executed. Instead, data was archived and exfiltrated via FTP. The actor's toolset and techniques link them to three distinct RaaS operations, indicating a versatile and well-resourced threat actor.
GhostAction GitHub supply chain attack steals 3,325 secrets
A supply chain attack, dubbed GhostAction, has compromised 3,325 secrets across 817 GitHub repositories. The attack began on September 2, 2025, and involved injecting malicious GitHub Actions workflows into repositories to exfiltrate secrets. The attack targeted various ecosystems, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys. The compromised secrets could potentially be used to release malicious or trojanized packages. The attack was discovered by GitGuardian researchers on September 5, 2025. The exfiltration endpoint was taken down shortly after the campaign was discovered. The attack impacted at least nine npm and 15 PyPI packages, and potentially affected the entire SDK portfolio of several companies. The compromised secrets included PyPI tokens, npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys, and database credentials.
SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign
A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute JavaScript payloads to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines. The earliest sample dates back to August 14, 2025. The campaign highlights the evolving tactics used by threat actors to bypass security measures and target macOS systems with information stealers like Atomic macOS Stealer (AMOS). This campaign also coincides with broader trends in cyber threats targeting macOS and gamers.