    Noisy Bear Targets Kazakhstan Energy Sector With BarrelFire Phishing Campaign

    By Techurz, September 6, 2025

    A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan.

    The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.

    “The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments,” security researcher Subhajeet Singha said.

    The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named “KazMunayGaz_Viewer.”

    The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025.

    The LNK file is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.
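As an added illustration (not code from Seqrite Labs or from the article), the following Python triage check flags a mail attachment that matches the bundle just described: a shortcut file, a decoy document and a README telling the recipient which file to run. The extension policy, the sample member names and the README text are assumptions constructed for this example; the 4-byte LNK header value is the real Shell Link HeaderSize field.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Member types that should never arrive inside a mail attachment (policy assumed here).
EXECUTABLE_EXTS = {".lnk", ".bat", ".cmd", ".ps1", ".exe", ".dll", ".cab", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".xlsm", ".rtf"}
INSTRUCTION_NAMES = {"readme.txt", "readme.md", "read_me.txt"}
LNK_MAGIC = b"L\x00\x00\x00"  # HeaderSize field that opens every Shell Link (.lnk) file

def triage_archive(zip_bytes: bytes) -> dict:
    """Classify the members of one ZIP attachment; nested archives are not expanded."""
    f = {"executable": [], "decoy": [], "instructions": [], "disguised": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            path = PurePosixPath(name)
            ext = path.suffix.lower()  # "report.pdf.lnk" is classified by its last suffix
            with zf.open(name) as member:
                head = member.read(4)
            if ext in EXECUTABLE_EXTS:
                f["executable"].append(name)
            elif head == LNK_MAGIC:
                f["disguised"].append(name)  # shortcut content behind a harmless-looking name
            elif ext in DECOY_EXTS:
                f["decoy"].append(name)
            elif path.name.lower() in INSTRUCTION_NAMES:
                f["instructions"].append(name)
    # The BarrelFire pattern: a shortcut, a decoy document and a README that tells the
    # recipient which file to open.
    f["lure_bundle"] = bool(f["executable"] and f["decoy"] and f["instructions"])
    if f["executable"] or f["disguised"]:
        f["verdict"] = "block"
    elif f["instructions"] and f["decoy"]:
        f["verdict"] = "review"
    else:
        f["verdict"] = "clean"
    return f

def build_sample_barrelfire_zip() -> bytes:
    """Constructed stand-in for the attachment described in the article (not the real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KazMunayGaz_Viewer.lnk", LNK_MAGIC + b"\x00" * 72)  # placeholder header only
        zf.writestr("KMG_IT_policy_update.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("README.txt", "Запустите KazMunayGaz_Viewer / KazMunayGaz_Viewer іске қосыңыз\n")
    return buf.getvalue()
```

The same check also catches the CAB-plus-LNK pairing described for the Ghostwriter variant further down, since `.cab` is in the executable set.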

    Further analysis of the threat actor’s infrastructure has revealed that it’s hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities.

    The development comes as HarfangLab linked a Belarus-aligned threat actor known as Ghostwriter (aka FrostyNeighbor or UNC1151) to campaigns targeting Ukraine and Poland since April 2025 with rogue ZIP and RAR archives that are aimed at collecting information about compromised systems and deploying implants for further exploitation.

    “These archives contain XLS spreadsheets with a VBA macro that drops and loads a DLL,” the French cybersecurity company said. “The latter is responsible for collecting information about the compromised system and retrieving next-stage malware from a command-and-control (C2) server.”

    Subsequent iterations of the campaign have been found to write a Microsoft Cabinet (CAB) file along with the LNK shortcut to extract and run the DLL from the archive. The DLL then proceeds to conduct initial reconnaissance before dropping the next-stage malware from the external server.

    The attacks targeting Poland, on the other hand, tweak the attack chain to use Slack as a beaconing mechanism and data exfiltration channel, downloading in return a second-stage payload that establishes contact with the domain pesthacks[.]icu.

    At least in one instance, the DLL dropped through the macro-laced Excel spreadsheet is used to load a Cobalt Strike Beacon to facilitate further post-exploitation activity.

    “These minor changes suggest that UAC-0057 may be exploring alternatives, in a likely attempt to work around detection, but prioritizes the continuity or development of its operations over stealthiness and sophistication,” HarfangLab said.

    Cyber Attacks Reported Against Russia

    The findings come amid OldGremlin’s renewed extortion attacks on Russian companies in the first half of 2025, targeting as many as eight large domestic industrial enterprises using phishing email campaigns.

    The intrusions, per Kaspersky, involved the use of the bring your own vulnerable driver (BYOVD) technique to disable security solutions on victims’ computers and the legitimate Node.js interpreter to execute malicious scripts.

    Phishing attacks aimed at Russia have also delivered a new information stealer called Phantom Stealer, which is based on an open-source stealer codenamed Stealerium, to collect a wide range of sensitive information using email lures related to adult content and payments. It also overlaps with another Stealerium offshoot known as Warp Stealer.

    According to F6, Phantom Stealer also inherits Stealerium’s “PornDetector” module, which captures webcam screenshots when users visit pornographic websites by monitoring the active browser window and checking whether its title contains any term from a configurable list, such as “porn” and “sex.”

    “This is likely later used for ‘sextortion,’” Proofpoint said in its own analysis of the malware. “While this feature is not novel among cybercrime malware, it is not often observed.”

    In recent months, Russian organizations have also been at the receiving end of attacks perpetrated by hacking groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf to harvest sensitive information and deliver additional payloads using malware families such as VBShower, PhantomRAT, and PhantomRShell.

    Another cluster of activity involves a new Android malware that masquerades as an antivirus tool created by Russia’s Federal Security Service (FSB) to single out representatives of Russian businesses. The apps carry names like SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB, the last of which is an attempt to pass itself off as the Central Bank of the Russian Federation.

    First discovered in January 2025, the malware exfiltrates data from messenger and browser apps, streams from the phone’s camera, and logs keystrokes by seeking extensive permissions to access SMS messages, location, audio, and the camera. It also requests permission to run in the background, device administrator rights, and accessibility services.

    “The app’s interface provides only one language – Russian,” Doctor Web said. “Thus, the malware is entirely focused on Russian users. The backdoor also uses accessibility services to protect itself from being deleted if it receives the corresponding command from the threat actors.”
