A threat actor, possibly of Russian origin, has been linked to a new campaign targeting Kazakhstan's energy sector. The activity, codenamed Operation BarrelFire, is attributed to a threat group that Seqrite Labs tracks as Noisy Bear and that has been active since at least April 2025.
Seqrite Labs described the campaign as an intrusion aimed at KazMunaiGas (KMG) employees. It delivered a fake document purporting to come from the KMG IT department, mimicking official internal communications and using themes such as policy updates, internal certification procedures, and salary adjustments, according to security researcher Subhajeet Singha.
The infection chain begins with a phishing email containing a ZIP attachment. The archive includes a Windows shortcut (LNK) downloader, a decoy KazMunaiGas document, and a README.txt with instructions in Russian and Kazakh to run a program named “KazMunayGaz_Viewer.” The email reportedly originated from a compromised KazMunaiGas finance department address and targeted additional employees in May 2025.
According to Seqrite, the LNK payload drops further components, including a malicious batch script that launches a PowerShell loader dubbed DOWNSHELL. The chain culminates in a DLL-based implant, a 64-bit binary capable of executing shellcode to open a reverse shell and establish persistence.
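As an added example, not taken from Seqrite's report or the original article, the following defender-side triage check flags mail attachments with the lure layout described above: a ZIP carrying an LNK "viewer", a decoy document, and a README telling the recipient to run a named program. The keyword hints, file extensions and the constructed sample archives are assumptions built from that description.

```python
import io
import zipfile

# Assumed run-instruction keywords (Russian, Kazakh, English) for the README check.
RUN_INSTRUCTION_HINTS = ("запустите", "іске қосыңыз", "run")
# Program name the reported README instructed recipients to run (lower-cased).
LURE_PROGRAM_NAME = "kazmunaygaz_viewer"
DECOY_EXTENSIONS = (".doc", ".docx", ".pdf")


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP attachment and report LNK files, decoy documents and whether
    a README tells the user to run the lure program; 'suspicious' is True when an
    LNK is shipped together with either of the other two lure components."""
    findings = {"lnk": [], "decoys": [], "readme_mentions_program": False, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".lnk"):
                findings["lnk"].append(info.filename)
            elif name.endswith(DECOY_EXTENSIONS):
                findings["decoys"].append(info.filename)
            elif name.endswith("readme.txt"):
                text = zf.read(info).decode("utf-8", errors="replace").lower()
                if LURE_PROGRAM_NAME in text and any(h in text for h in RUN_INSTRUCTION_HINTS):
                    findings["readme_mentions_program"] = True
    has_lnk = bool(findings["lnk"])
    findings["suspicious"] = has_lnk and (findings["readme_mentions_program"] or bool(findings["decoys"]))
    return findings


def build_lure_archive() -> bytes:
    """Constructed sample mimicking the reported layout; the LNK is a byte stub, not a real shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KazMunayGaz_Viewer.lnk", b"L\x00\x00\x00stub")
        zf.writestr("KMG_IT_policy_update.docx", b"constructed decoy bytes")
        zf.writestr("README.txt", "Запустите KazMunayGaz_Viewer для просмотра документа.\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control sample: a single document and no LNK, which must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly_report.pdf", b"constructed pdf bytes")
    return buf.getvalue()
```

The check is a triage heuristic for mail-gateway or sandbox pipelines, not a replacement for detonating the LNK and following the batch-to-PowerShell chain it starts.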
Further analysis of the threat actor's infrastructure indicates it is hosted with Aeza Group, a Russia-based bulletproof hosting provider that security researchers have linked to sanctions imposed in July 2025 for enabling malicious activities. In a parallel analysis, HarfangLab linked additional activity to a Belarus-aligned actor known as Ghostwriter (also referred to as FrostyNeighbor or UNC1151), with campaigns in Ukraine and Poland since April 2025 that use rogue archives to deploy implants.
Researchers observed that some campaigns use archives containing Excel XLS spreadsheets with a VBA macro that drops and loads the DLL, which then performs initial reconnaissance before contacting a command-and-control server for the next stage. In Poland, the DLL has also been observed to beacon through Slack and download a second-stage payload that communicates with a rogue domain for exfiltration. In at least one instance, the macro-laced Excel spreadsheet drops a DLL that loads a Cobalt Strike Beacon to facilitate post‑exploitation activities.
Security firms note that Noisy Bear appears to be exploring alternatives to evade detection while prioritizing continued operations over stealth. The broader context includes related activity directed against Russia, with various groups targeting Russian companies through phishing and information-stealing campaigns, and the emergence of Android-based spyware masquerading as an FSB tool aimed at Russian business representatives.
Kazakhstan’s KazMunayGas subsequently dismissed Seqrite’s findings as a phishing training exercise, with local media reporting the described screenshots as part of a May phishing test conducted by the company. The development has fueled ongoing debate about the accuracy of public threat reports versus corporate training exercises in shaping public understanding of cyber threats.
Beyond the Kazakh case, researchers note continued cyber activity in the region, including Cloud Atlas and other Russian-aligned groups pursuing data exfiltration and the deployment of additional implants. For context, Cloud Atlas has been linked to various campaigns, and Phantom/Stealerium-based tools with infostealer capabilities have targeted a range of victims. For the broader landscape, researchers point to related analyses and independent investigations from industry groups and individual researchers.