A menace actor probably of Russian origin has been attributed to a brand new set of assaults concentrating on the vitality sector in Kazakhstan.
The exercise, codenamed Operation BarrelFire, is tied to a brand new menace group tracked by Seqrite Labs as Noisy Bear. The menace actor has been lively since no less than April 2025.
“The marketing campaign is focused in direction of staff of KazMunaiGas or KMG the place the menace entity delivered a faux doc associated to the KMG IT division, mimicking official inner communication and leveraging themes corresponding to coverage updates, inner certification procedures, and wage changes,” safety researcher Subhajeet Singha mentioned.
The an infection chain begins with a phishing e-mail containing a ZIP attachment, which features a Home windows shortcut (LNK) downloader, a decoy doc associated to KazMunaiGas, and a README.txt file with directions written in each Russian and Kazakh to run a program named “KazMunayGaz_Viewer.”
The e-mail, per the cybersecurity firm, was despatched from a compromised e-mail deal with of a person working within the finance division of KazMunaiGas and focused different staff of the agency in Might 2025.
The LNK file payload is designed to drop extra payloads, together with a malicious batch script that paves the way in which for a PowerShell loader dubbed DOWNSHELL. The assaults culminate with the deployment of a DLL-based implant, a 64-bit binary that may run shellcode to launch a reverse shell.
Additional evaluation of the menace actor’s infrastructure has revealed that it is hosted on the Russia-based bulletproof internet hosting (BPH) service supplier Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious actions.
The event comes as HarfangLab linked a Belarus-aligned menace actor often known as Ghostwriter (aka FrostyNeighbor or UNC1151) to campaigns concentrating on Ukraine and Poland since April 2025 with rogue ZIP and RAR archives which are aimed toward gathering details about compromised techniques and deploying implants for additional exploitation.
“These archives comprise XLS spreadsheets with a VBA macro that drops and hundreds a DLL,” the French cybersecurity firm mentioned. “The latter is accountable for gathering details about the compromised system and retrieving next-stage malware from a command-and-control (C2) server.”
Subsequent iterations of the marketing campaign have been discovered to write down a Microsoft Cupboard (CAB) file together with the LNK shortcut to extract and run the DLL from the archive. The DLL then proceeds to conduct preliminary reconnaissance earlier than dropping the next-stage malware from the exterior server.
The assaults concentrating on Poland, however, tweak the assault chain to make use of Slack as a beaconing mechanism and knowledge exfiltration channel, downloading in return a second-stage payload that establishes contact with the area pesthacks[.]icu.
A minimum of in a single occasion, the DLL dropped by way of the macro-laced Excel spreadsheet is used to load a Cobalt Strike Beacon to facilitate additional post-exploitation exercise.
“These minor adjustments recommend that UAC-0057 could also be exploring options, in a possible try to work round detection, however prioritizes the continuity or improvement of its operations over stealthiness and class,” HarfangLab mentioned.
Cyber Assaults Reported Towards Russia
The findings come amid OldGremlin’s renewed extortion assaults on Russian firms within the first half of 2025, concentrating on as many as eight massive home industrial enterprises utilizing phishing e-mail campaigns.
The intrusions, per Kaspersky, concerned the usage of the convey your individual susceptible driver (BYOVD) approach to disable safety options on victims’ computer systems and the reputable Node.js interpreter to execute malicious scripts.
Phishing assaults aimed toward Russia have additionally delivered a brand new data stealer referred to as Phantom Stealer, which is predicated on an open-source stealer codenamed Stealerium, to gather a variety of delicate data utilizing e-mail baits associated to grownup content material and funds. It additionally shares overlaps with one other Stealerium offshoot often known as Warp Stealer.
In accordance with F6, Phantom Stealer additionally inherits Stealerium’s “PornDetector” module that captures webcam screenshots when customers go to pornographic web sites by maintaining tabs on the lively browser window and whether or not the title features a configurable record of phrases like porn, and intercourse, amongst others.
“That is probably later used for ‘sextortion,'” Proofpoint mentioned in its personal evaluation of the malware. “Whereas this function is just not novel amongst cybercrime malware, it isn’t typically noticed.”
In latest months, Russian organizations have additionally been on the receiving finish of assaults perpetrated by hacking teams tracked as Cloud Atlas, PhantomCore, and Scaly Wolf to reap delicate data and ship extra payloads utilizing malware households corresponding to VBShower, PhantomRAT, and PhantomRShell.
One other cluster of exercise includes a brand new Android malware that masquerades as an antivirus device created by Russia’s Federal Safety Providers company (FSB) to single out representatives of Russian companies. The apps carry names like SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB, the final of which is an try to move off because the Central Financial institution of the Russian Federation.
First found in January 2025, the malware exfiltrates knowledge from messenger and browser apps, stream from the telephone’s digital camera, and log keystrokes by in search of in depth permissions to entry SMS messages, location, audio, digital camera. It additionally requests for operating within the background, system administrator rights, and accessibility companies.
“The app’s interface supplies just one language – Russian,” Physician Net mentioned. “Thus, the malware is fully centered on Russian customers. The backdoor additionally makes use of accessibility companies to guard itself from being deleted if it receives the corresponding command from the menace actors.”
