216.73.217.139

Operation BarrelFire: Targeting Kazakhstan Oil & Gas

· Published 05/09/2025 17:17 · Modified 05/09/2025 19:48

Export JSON

Essential information

Published
05/09/2025 17:17
Modified
05/09/2025 19:48
Tags
2025-09-04 2025-09-05 amsi bypass central asia dll injection downshell infrastructure kazakhstan oil and gas powershell russian threat actor spear-phishing
Related entities
14 observables, 1 intrusion sets (apt), 5 techniques (mitre), 1 malware, 2 others

Description

A threat group dubbed NoisyBear has been targeting 's sector since April 2025. The campaign focuses on KazMunaiGas employees, using emails with malicious attachments. The infection chain involves a ZIP file containing a malicious LNK file and decoy document, which downloads a batch script, leading to loaders () and ultimately a malicious DLL implant. The threat actor uses various techniques including , process injection, and reflective DLL loading. analysis reveals the use of sanctioned hosting providers and open-source post-exploitation tools. The group is believed to be of Russian origin based on language artifacts and targeting patterns.

External references