A series of cyber attacks has been detected targeting the energy sector in Kazakhstan, with a suspected Russian threat actor behind the activity. Dubbed Operation BarrelFire, the attacks are attributed to a newly identified threat group tracked as Noisy Bear and have been ongoing since April 2025.
The attacks specifically target employees of KazMunaiGas (KMG) with phishing emails carrying malicious ZIP attachments. Each archive contains a Windows shortcut (LNK) downloader, a decoy document themed around KMG, and a README.txt file instructing the recipient to run a program named "KazMunayGaz_Viewer."
The phishing emails were sent from compromised email accounts within KMG's finance department, indicating a targeted approach towards the organization. Once launched, the LNK file drops a batch script and a PowerShell loader called DOWNSHELL, which in turn deploys a DLL-based implant for follow-on activity.
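The archive layout described above (LNK downloader, decoy document, README lure) is a recognisable pattern that can be scored at the mail gateway before the message reaches a mailbox. The following Python triage script is an added example written for this page; it is not code from the researchers who reported the campaign. The sample archive it builds is constructed to mirror the described lure, and the scoring thresholds are assumptions to tune per environment.

```python
import io
import zipfile

# Fixed 20-byte prefix of every Windows shortcut file: HeaderSize 0x0000004C
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK 2.1).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}
EXEC_EXTS = {"lnk", "exe", "scr", "bat", "cmd", "js", "vbs", "hta"}
README_NAMES = {"readme.txt", "read me.txt", "readme"}


def triage_zip(data: bytes) -> dict:
    """Score a ZIP attachment for the LNK + decoy + README lure pattern.

    Returns the individual findings plus a score and verdict. This is a
    heuristic: 'suspicious' means detonate in a sandbox, not 'confirmed malicious'.
    """
    findings = {"lnk": [], "double_ext": [], "decoys": [], "readme_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        readme_text = ""
        for name in names:
            base = name.rsplit("/", 1)[-1]
            parts = base.lower().split(".")
            ext = parts[-1]
            if ext == "lnk":
                # Extension says shortcut; confirm with the file signature so a
                # renamed executable or a mislabeled document is not miscounted.
                findings["lnk"].append((base, zf.read(name)[:20] == LNK_MAGIC))
            if len(parts) >= 3 and parts[-2] in DOC_EXTS and ext in EXEC_EXTS:
                findings["double_ext"].append(base)        # e.g. report.pdf.lnk
            if ext in DOC_EXTS:
                findings["decoys"].append(base)
            if base.lower() in README_NAMES:
                readme_text = zf.read(name).decode("utf-8", "replace").lower()
        # Does the README tell the reader to open something shipped in the archive?
        if readme_text:
            for name in names:
                base = name.rsplit("/", 1)[-1]
                stem = base.lower().split(".")[0]
                if stem and base.lower() not in README_NAMES and stem in readme_text:
                    findings["readme_refs"].append(base)

    # Assumed weights: an LNK that a README points at, shipped next to a decoy
    # document, is the full lure; a lone shortcut is weaker evidence.
    score = 0
    if findings["lnk"]:
        score += 2
        if any(ok for _, ok in findings["lnk"]):
            score += 1
        if findings["decoys"]:
            score += 1
    if findings["double_ext"]:
        score += 1
    if any(r.lower().endswith(".lnk") for r in findings["readme_refs"]):
        score += 2
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 3 else "clean"
    return findings


def build_lure_sample() -> bytes:
    """Constructed archive shaped like the described lure (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KazMunayGaz_Viewer.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("KMG_notice.pdf", b"%PDF-1.4 decoy")
        zf.writestr("README.txt", "Run KazMunayGaz_Viewer to open the document.")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed ordinary attachment for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 invoice")
        zf.writestr("README.txt", "Invoice attached.")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_lure_sample()))
    print(triage_zip(build_benign_sample()))
```

The signature check matters because a gateway rule keyed only on the `.lnk` extension is trivially bypassed by a double extension or a renamed payload; the README cross-reference catches the social-engineering half of the lure, which survives even when the shortcut is renamed.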
Further investigation into the threat actor’s infrastructure revealed that it is hosted on a Russia-based bulletproof hosting service provider called Aeza Group, which was sanctioned by the U.S. in July 2025 for facilitating malicious activities.
In a separate development, a Belarus-aligned threat actor known as Ghostwriter has been linked to campaigns targeting Ukraine and Poland since April 2025. These campaigns use rogue ZIP and RAR archives carrying malicious payloads that collect host information and deploy implants for follow-on activity.
The attacks on Poland use Slack as both the beaconing mechanism and the data exfiltration channel, downloading a second-stage payload that then establishes contact with a specific domain. In one instance, a Cobalt Strike Beacon was loaded through a macro-laced Excel spreadsheet to facilitate post-exploitation activities.
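Because Slack traffic is allowed and TLS-wrapped in most enterprises, the useful signal is not the destination alone but which process is talking to it, how regularly, and how much it uploads. The following Python detector is an added example for this page, not code from the reporting vendor: it groups Slack-bound proxy records by host and process, then flags sessions from a process that should not be a Slack client, sessions whose connection intervals are too regular (a beacon), and bulk uploads to files.slack.com. The log lines are constructed, and the process allow-list and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log sample (not real telemetry): one host where an Office
# process beacons to slack.com every ~60 s and then pushes a large upload to
# files.slack.com, and one host where the legitimate Slack client chats normally.
# Fields: timestamp host process destination bytes_out
SAMPLE_LOG = """\
2025-05-06T09:00:00 WS-17 EXCEL.EXE slack.com 412
2025-05-06T09:01:00 WS-17 EXCEL.EXE slack.com 398
2025-05-06T09:02:00 WS-17 EXCEL.EXE crl.microsoft.com 700
2025-05-06T09:02:01 WS-17 EXCEL.EXE slack.com 405
2025-05-06T09:03:00 WS-17 EXCEL.EXE slack.com 410
2025-05-06T09:04:00 WS-17 EXCEL.EXE files.slack.com 2097152
2025-05-06T09:00:10 WS-03 slack.exe slack.com 1200
2025-05-06T09:07:44 WS-03 slack.exe slack.com 3400
2025-05-06T09:31:02 WS-03 slack.exe files.slack.com 52000
"""

# Assumed policy values; tune to the environment.
EXPECTED_SLACK_PROCESSES = {"slack.exe"}
MIN_HITS = 4              # connections needed before an interval is judged
MAX_JITTER = 0.2          # stdev/mean of inter-connection gaps to call it periodic
UPLOAD_BYTES = 1_000_000  # bytes to files.slack.com that count as a bulk upload


def is_slack(dest: str) -> bool:
    return dest == "slack.com" or dest.endswith(".slack.com")


def find_slack_abuse(log_text: str) -> list:
    """Return one finding per (host, process) session that abuses Slack.

    A session is flagged when the process is not an expected Slack client; the
    finding also records a periodic beacon and/or a bulk upload when present.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, out = line.split()
        if is_slack(dest):
            sessions[(host, proc.lower())].append((datetime.fromisoformat(ts), dest, int(out)))

    findings = []
    for (host, proc), events in sorted(sessions.items()):
        if proc in EXPECTED_SLACK_PROCESSES:
            continue
        events.sort()
        finding = {"host": host, "process": proc, "reasons": ["unexpected process"]}

        # Beacon check: near-constant gaps between successive connections.
        times = [t for t, _, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= MIN_HITS and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_JITTER:
            finding["reasons"].append("periodic beacon")
            finding["interval_s"] = round(mean(gaps))

        # Exfiltration check: volume pushed to the file-upload endpoint.
        upload = sum(out for _, dest, out in events if dest == "files.slack.com")
        if upload >= UPLOAD_BYTES:
            finding["reasons"].append("bulk upload")
            finding["upload_bytes"] = upload

        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_slack_abuse(SAMPLE_LOG):
        print(f)
```

Real beacons usually add jitter, so the `MAX_JITTER` threshold should be validated against a baseline of genuine client traffic before it goes into production; the process-name check is the more robust of the three signals, since an Excel or PowerShell process has no legitimate reason to speak to Slack's API directly.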
Cyber Attacks Reported Against Russia
Meanwhile, Russian organizations have faced renewed extortion attacks by a group called OldGremlin, which uses phishing email campaigns and techniques such as bring your own vulnerable driver (BYOVD) to disable security solutions and execute malicious scripts. Additionally, phishing attacks in Russia have delivered a new information stealer called Phantom Stealer, designed to collect sensitive information and distributed with email lures related to adult content.
Other cyber threats targeting Russian entities include the hacking groups Cloud Atlas, PhantomCore, and Scaly Wolf, which deploy malware families such as VBShower, PhantomRAT, and PhantomRShell. A new Android malware posing as an antivirus tool from Russia's Federal Security Service (FSB) has also been discovered, targeting Russian businesses by exfiltrating data and logging keystrokes.
Overall, the cybersecurity landscape in the region remains complex, with threat actors continuously evolving their tactics to target organizations and individuals for financial gain or espionage purposes. Vigilance and proactive security measures are essential to mitigate the risks posed by these malicious actors.