Operation BarrelFire: Targeting Kazakhstan Oil & Gas
Essential information
- Published
- 05/09/2025 17:17
- Modified
- 05/09/2025 19:48
- Tags
- 2025-09-04 2025-09-05 amsi bypass central asia dll injection downshell infrastructure kazakhstan oil and gas powershell russian threat actor spear-phishing
- Related entities
- 14 observables, 1 intrusion sets (apt), 5 techniques (mitre), 1 malware, 2 others
Description
A threat group dubbed NoisyBear has been targeting Kazakhstan's oil and gas sector since April 2025. The campaign focuses on KazMunaiGas employees, using spear-phishing emails with malicious attachments. The infection chain involves a ZIP file containing a malicious LNK file and decoy document, which downloads a batch script, leading to PowerShell loaders (DOWNSHELL) and ultimately a malicious DLL implant. The threat actor uses various techniques including AMSI bypass, process injection, and reflective DLL loading. Infrastructure analysis reveals the use of sanctioned hosting providers and open-source post-exploitation tools. The group is believed to be of Russian origin based on language artifacts and targeting patterns.