Operation BarrelFire: Targeting Kazakhstan Oil & Gas
Sept. 5, 2025, 7:48 p.m.
Description
A threat group dubbed NoisyBear has been targeting Kazakhstan's oil and gas sector since April 2025. The campaign focuses on KazMunaiGas employees, using spear-phishing emails with malicious attachments. The infection chain involves a ZIP file containing a malicious LNK file and decoy document, which downloads a batch script, leading to PowerShell loaders (DOWNSHELL) and ultimately a malicious DLL implant. The threat actor uses various techniques including AMSI bypass, process injection, and reflective DLL loading. Infrastructure analysis reveals the use of sanctioned hosting providers and open-source post-exploitation tools. The group is believed to be of Russian origin based on language artifacts and targeting patterns.
Tags
Date
- Created: Sept. 5, 2025, 5:17 p.m.
- Published: Sept. 5, 2025, 5:17 p.m.
- Modified: Sept. 5, 2025, 7:48 p.m.
Indicators
- fb0f7c35a58a02473f26aabea4f682e2e483db84b606db2eca36aa6c7e7d9cf8
- f5e7dc5149c453b98d05b73cad7ac1c42b381f72b6f7203546c789f4e750eb26
- da98b0cbcd784879ba38503946898d747ade08ace1d4f38d0fb966703e078bbf
- d48aeb6afcc5a3834b3e4ca9e0672b61f9d945dd41046c9aaf782382a6044f97
- a40e7eb0cb176d2278c4ab02c4657f9034573ac83cee4cde38096028f243119c
- 6d6006eb2baa75712bfe867bf5e4f09288a7d860a4623a4176338993b9ddfb4b
- 5168a1e22ee969db7cea0d3e9eb64db4a0c648eee43da8bacf4c7126f58f0386
- 26f009351f4c645ad4df3c1708f74ae2e5f8d22f3b0bbb4568347a2a72651bee
- 1eecfc1c607be3891e955846c7da70b0109db9f9fdf01de45916d3727bff96e0
- 1bfe65acbb9e509f80efcfe04b23daf31381e8b95a98112b81c9a080bdd65a2d
- 021b3d53fe113d014a9700488e31a6fb5e16cb02227de5309f6f93affa4515a6
- 77.239.125.41
- 178.159.94.8
- wellfitplan.ru
Additional Information
- Energy
- Kazakhstan