
Noisy Bear Kazakhstan oil and gas phishing campaign

Type: Campaign
Happening score: 36
Sources: 1 unique source, 1 article

Summary


The Noisy Bear operation is conducting phishing-based intrusion activity against Kazakhstan's oil and gas sector, creating espionage risk for KazMunayGas and related employees. The activity has been tracked since at least April and extends across Central Asia. Its delivery chain uses a compromised email account, a ZIP lure, and a PowerShell loader to establish covert access.

Related Happenings

FAUX#ELEVATE phishing campaign targeting French-speaking corporate environments

Campaign
First: 24.03.2026 18:35 Last: 24.03.2026 18:35 Sources 1

About this happening: The **FAUX#ELEVATE** phishing campaign is actively targeting **French-speaking corporate environments** with **fake resume/CV lures** that deliver malware for **credential theft**...

Silver Dragon intrusion and phishing campaign targeting Europe, Southeast Asia, and Uzbekistan

Campaign
First: 04.03.2026 10:14 Last: 04.03.2026 10:14 Sources 1

About this happening: The **Silver Dragon** campaign is actively using **public-facing internet servers** and **phishing emails with malicious attachments** to gain initial access, expanding risk acros...

Bloody Wolf / Stan Ghouls NetSupport RAT spear-phishing campaign

Campaign
First: 09.02.2026 12:58 Last: 09.02.2026 12:58 Sources 1

About this happening: The **Bloody Wolf / Stan Ghouls** operation is actively running a **spear-phishing campaign** against **Uzbekistan and Russia**, and the activity matters because it is delivering...

Phantom Stealer phishing delivery and exfiltration activity

Malware Activity
First: 15.12.2025 18:00 Last: 15.12.2025 18:00 Sources 1

About this happening: **Phantom Stealer** is being delivered through a **phishing campaign** that uses a **ZIP-to-ISO attachment chain** to bypass mail defenses, exposing **Russian-speaking organizatio...

Russian-origin Ukraine web shell and LotL intrusion campaign

Campaign
First: 29.10.2025 13:51 Last: 29.10.2025 13:51 Sources 1

About this happening: The **Russian-origin** campaign targeted **organizations in Ukraine** with **web shells**, **living-off-the-land tactics**, and dual-use tools to keep **persistent access** and st...

Timeline

  1. 11.09.2025 15:00 2 articles · 8mo ago

    Noisy Bear phishing campaign disclosed against KazMunayGas

    Initial Disclosure

    Seqrite Labs described a Russia-linked threat actor dubbed Noisy Bear targeting KazMunayGas and Kazakhstan's oil and gas industry with phishing emails sent from a compromised KMG finance department account. The lure used a ZIP archive containing a decoy document and a malicious LNK named "Salary Schedule.lnk". Executing the LNK downloaded a batch script that retrieved the PowerShell loader DownShell, which used an AMSI bypass, CreateRemoteThread injection into File Explorer, and a reverse shell for covert access. KazMunayGas denied being attacked and described the activity as a security exercise, while Seqrite Labs pointed to Aeza Group infrastructure and overlaps with other Central Asian attacks.
