Noisy Bear Ran BarrelFire Phishing Campaign Targeting Kazakhstan Energy Sector

Image: a phishing attempt with a fake login form, part of the Noisy Bear BarrelFire phishing campaign targeting the Kazakhstan energy sector.

“A phishing campaign called BarrelFire, run by Noisy Bear, is targeting the Kazakhstan energy sector.”

A fresh round of attacks against Kazakhstan’s energy sector has been linked to a threat actor, potentially of Russian origin.

The activity, codenamed Operation BarrelFire, is attributed to a new threat group that Seqrite Labs is tracking as Noisy Bear. The threat actor has been active since at least April 2025.

Subhajeet Singha, Security Researcher

“Targeting KazMunaiGas or KMG personnel, the threat entity sent a fictitious paper about the KMG IT department that imitated official internal communications and used topics like policy revisions, internal certification processes, and pay adjustments.”

The infection chain starts with a phishing email carrying a ZIP attachment that contains a Windows shortcut (LNK) downloader, a KazMunaiGas-themed decoy document, and a README.txt file with instructions in Kazakh and Russian on how to run a program called “KazMunayGaz_Viewer.”

According to the cybersecurity firm, a further email in May 2025 targeted additional KazMunaiGas personnel and was sent from a compromised email address belonging to an employee in the company’s finance department.

The LNK payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader called DOWNSHELL. The attacks culminate in the deployment of a DLL-based implant, a 64-bit program capable of executing shellcode to launch a reverse shell.
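The delivery pattern described above (a ZIP holding a shortcut downloader, a decoy document and a README.txt telling the recipient what to launch) is easy to triage at the mail gateway before any LNK is ever clicked. The following is an added example written for this article, not code from Seqrite Labs or any vendor mentioned here; the archive it inspects is constructed in memory, and the member names and README wording are made up to mimic the lure rather than copied from the real sample.

```python
"""Triage check for e-mail ZIP attachments that match the BarrelFire delivery
pattern: an executable shortcut bundled with a decoy document and a README.txt
that tells the recipient to run it.  Added example, not vendor or campaign code."""
import io
import zipfile

# Extensions that execute when double-clicked straight out of an archive.
EXECUTABLE_EXTS = (".lnk", ".exe", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".scr", ".hta")
# Document types commonly used as the decoy next to the real payload.
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")


def analyze_zip_attachment(zip_bytes: bytes) -> dict:
    """Return a verdict ("clean", "review", "suspicious") plus the indicators found."""
    indicators = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
        executables = [m for m in members if m.lower().endswith(EXECUTABLE_EXTS)]
        decoys = [m for m in members if m.lower().endswith(DECOY_EXTS)]
        readmes = [m for m in members if m.lower().rsplit("/", 1)[-1] == "readme.txt"]

        for m in executables:
            indicators.append(f"executable_member:{m}")
        if executables and decoys:
            indicators.append("decoy_document_bundled_with_executable")
        # A README that names the executable member is the social-engineering
        # half of the lure: the text exists to get the shortcut launched.
        for r in readmes:
            text = zf.read(r).decode("utf-8", errors="replace").lower()
            for m in executables:
                stem = m.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
                if stem and stem in text:
                    indicators.append(f"readme_references_executable:{m}")

    referenced = any(i.startswith("readme_references_executable") for i in indicators)
    if referenced or (executables and decoys):
        verdict = "suspicious"
    elif executables:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators}


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure; file names and text are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake LNK: only the header magic and padding, not a real shortcut.
        zf.writestr("KazMunayGaz_Viewer.lnk", b"\x4c\x00\x00\x00" + b"\x00" * 60)
        zf.writestr("KMG_IT_Policy_Update.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr(
            "README.txt",
            "Құжатты көру үшін KazMunayGaz_Viewer іске қосыңыз.\n"
            "Для просмотра документа запустите KazMunayGaz_Viewer.\n",
        )
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control case: a lone document with nothing executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Q2_report.pdf", b"%PDF-1.4 constructed report")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in (("lure", build_sample_zip()), ("benign", build_benign_zip())):
        print(name, analyze_zip_attachment(data))
```

The verdict deliberately separates "review" (an executable with no supporting lure material) from "suspicious" (executable plus decoy, or a README that names it), so a gateway rule can quarantine the latter outright while only flagging the former.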

Further investigation found that the threat actor’s infrastructure is hosted by Aeza Group, a Russia-based bulletproof hosting (BPH) provider that was sanctioned by the United States in July 2025 for facilitating malicious operations.

The disclosure comes after HarfangLab attributed campaigns targeting Ukraine and Poland since April 2025 to a Belarus-aligned threat actor called Ghostwriter (also known as FrostyNeighbor or UNC1151). Those campaigns use rogue ZIP and RAR archives to gather data about compromised systems and install implants for further exploitation.


French Cybersecurity Company

“According to the French cybersecurity firm, these archives include XLS spreadsheets with VBA code that loads and drops a DLL. The latter is in charge of gathering data about the infected machine and obtaining the next-stage malware from a command-and-control (C2) server.”

Later iterations of the campaign have been found to use a Microsoft Cabinet (CAB) file together with an LNK shortcut, the shortcut extracting the DLL from the archive and launching it. After preliminary reconnaissance, the DLL retrieves the next-stage malware from the external server.

The attacks directed at Poland, by contrast, alter the chain to use Slack for beaconing and data exfiltration, and in return download a second-stage payload that connects to the domain pesthacks[.]icu.

In at least one case, the DLL delivered through the macro-embedded Excel spreadsheet loads a Cobalt Strike Beacon to enable further post-exploitation activity.

HarfangLab

“These small adjustments imply that UAC-0057 is considering other options, most likely in an effort to evade detection, but puts the expansion or continuation of its activities ahead of secrecy and complexity.”

Cyber Attacks Reported Against Russia

The findings coincide with a resurgence of OldGremlin’s extortion attacks against Russian businesses in the first half of 2025, which used phishing email campaigns to target up to eight sizable domestic industrial corporations.

According to Kaspersky, the intrusions used the legitimate Node.js interpreter to run malicious scripts and the bring your own vulnerable driver (BYOVD) approach to disable security solutions on victims’ PCs.

A new information stealer called Phantom Stealer, based on the open-source stealer codenamed Stealerium, has also been distributed through phishing attacks targeting Russia. It uses email lures about payments and sexual content to harvest a variety of sensitive data, and it shares similarities with Warp Stealer, another Stealerium spinoff.

F6 reports that Phantom Stealer also inherits Stealerium’s “PornDetector” module, which captures webcam snapshots when users visit pornographic websites: it monitors the active browser window and checks whether its title contains any of a customizable list of terms such as sex and porn.


Proofpoint

“This is likely later used for ‘sextortion,’” Proofpoint said in its own analysis of the malware. “While this feature is not novel among cybercrime malware, it is not often observed.”

Hacking groups known as Cloud Atlas, PhantomCore, and Scaly Wolf have also attacked Russian organizations in recent months, seeking to obtain private data and deliver additional payloads using malware families such as VBShower, PhantomRAT, and PhantomRShell.

Another cluster of activity involves a new Android malware that poses as an antivirus program from Russia’s Federal Security Service (FSB) in order to target representatives of Russian companies.

The apps are named SECURITY_FSB, GuardCB (an attempt to impersonate the Central Bank of the Russian Federation), and ФCБ (FSB in Russian). The malware, first identified in January 2025, captures keystrokes, streams from the phone’s camera, and exfiltrates data from chat and browser apps after requesting extended permissions for location, audio, camera, and SMS messages.

Additionally, it asks for accessibility services, device administrator rights, and background operation.

Doctor Web

“Russian is the only language available on the app’s UI, according to Doctor Web. Therefore, Russian users are the only target of the infection. Additionally, the backdoor makes use of accessibility services to prevent deletion in the event that the threat actors give it the appropriate instruction.”

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.
