{
	"id": "e2e6d9b4-13ce-438b-9316-0325a28b18b2",
	"created_at": "2026-04-06T00:06:28.849068Z",
	"updated_at": "2026-04-10T03:21:53.059176Z",
	"deleted_at": null,
	"sha1_hash": "3f0ae885610798d93dd06111427a8694b7ae4fd7",
	"title": "Operation BarrelFire: NoisyBear targets entities linked to Kazakhstan’s Oil \u0026 Gas Sector.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1261207,
	"plain_text": "Operation BarrelFire: NoisyBear targets entities linked to\r\nKazakhstan’s Oil \u0026 Gas Sector.\r\nBy Subhajeet Singha\r\nPublished: 2025-09-04 · Archived: 2026-04-05 16:35:10 UTC\r\nRecent Development: KMG Group of Companies Confirms Simulation, Not a Real Attack\r\nThankfully, as KMG has publicly acknowledged, this was not an actual cyberattack but an internal simulation exercise.\r\nContents\r\nIntroduction\r\nKey Targets\r\nIndustries Affected\r\nGeographical Focus\r\nInfection Chain\r\nInitial Findings\r\nLooking into the malicious email\r\nLooking into the decoy document\r\nTechnical Analysis\r\nStage 0 – Malicious ZIP \u0026 LNK files\r\nStage 1 – Malicious BATCH scripts\r\nStage 2 – Malicious DOWNSHELL loaders\r\nStage 3 – Malicious DLL implant\r\nInfrastructure and Hunting\r\nAttribution\r\nConclusion\r\nSeqrite Protection\r\nIOCs\r\nMITRE ATT\u0026CK\r\nAuthors: Subhajeet Singha \u0026 Sathwik Ram Prakki\r\nIntroduction\r\nSeqrite Labs APT-Team has been tracking a supposedly new threat group since April 2025, which we track by the name Noisy Bear. This threat group has targeted entities in Central Asia, such as the Oil and Gas or energy sector of Kazakhstan. 
The campaign targets employees of KazMunaiGas (KMG), where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments.\r\nhttps://www.seqrite.com/blog/operation-barrelfire-noisybear-kazakhstan-oil-gas-sector/\r\nPage 1 of 15\r\nIn this blog, we will explore the in-depth technical details of the campaign that we encountered during our analysis. We will examine the various stages of this campaign, where the infection starts with a phishing email carrying a ZIP attachment, which contains a malicious LNK downloader along with a decoy. The LNK downloads a malicious BATCH script, leading to PowerShell loaders, which we dubbed DOWNSHELL, that reflectively load a malicious DLL implant. We will also look into the infrastructure covering the entire campaign.\r\nKey Targets\r\nIndustries Affected\r\nEnergy Sector [Oil and Gas]\r\nGeographical Focus\r\nKazakhstan\r\nInfection Chain\r\nInitial Findings\r\nWe have been tracking this threat actor since April 2025, and we observed that this threat entity launched a campaign against KazMunaiGas employees in May 2025 using a spear-phishing-oriented method. A compromised business email was used to deliver a malicious ZIP file, which contained a decoy along with a malicious initial-infection shortcut (.LNK) file named График зарплат.lnk, which translates to Salary Schedule.lnk. 
The sample initially surfaced on VirusTotal in the first half of May 2025.\r\nNow, let us look into the malicious email and decoy file.\r\nLooking into the malicious email\r\nLooking into the email file’s sender, we found that the threat actor used a compromised business email of an individual working in the Finance Department of KazMunaiGas. Using this email and an urgent, prioritized subject, URGENT! Review the updated salary schedule, they emailed it to the employees of KMG.\r\nLater, upon looking at the contents of the email, it became clear that the message was mostly crafted to look like an internal HR communication related to salary-oriented discussions or decisions. The message asks the recipient to review updated information about a number of things, such as work schedules, salaries and incentive-related policies and decisions. The TA also instructs the targets at KMG to check for a file named График.zip, translated to Schedule.zip, and then to open a file named График зарплат, which translates to Salary Schedule; this is the shortcut (LNK) file that is executed to download further stagers.\r\nLast but not least, the email also asks the recipients to complete the instructions by 15th May 2025, enhancing the sense of urgency. 
Now, let us go ahead and analyze the decoy file.\r\nLooking into the decoy document\r\nLooking into the decoy document, we can see that it has an official logo of the targeted entity, i.e., KazMunaiGas, along with instructions in both Russian and Kazakh, which walk the employees through a series of simple steps: open the Downloads folder in the browser, extract a ZIP archive named KazMunayGaz_Viewer.zip, and run a file called KazMunayGaz_Viewer. Although the file name is irrelevant, we believe this is the exact file dropped from the malicious email. The decoy also tells users to wait for a console window to appear and specifically advises them not to close or interact with it, to limit suspicion on the targets’ end. Last but not least, it also mentions the IT-Support team in the salutation to make it look completely legitimate, with the above artefacts present in the decoy.\r\nTechnical Analysis\r\nWe have divided the technical analysis into four parts: first we will look into the malicious ZIP containing the LNK file, which downloads the malicious Batch script; then we move on to the script-based loader that the Batch script downloads, followed by the malicious DLL.\r\nStage 0 – Malicious ZIP \u0026 LNK Files\r\nLooking into the ZIP file, we found three files: one of them is the decoy document, which we saw earlier; the second turns out to be README.txt, which once again ensures that the instructions are present so that nothing seems suspicious; and the last one turns out to be the malicious LNK file.\r\nNow, upon looking into the malicious shortcut (.LNK) file, named График зарплат, we found that it uses the powershell.exe LOLBIN to execute a 
downloader.\r\nIt downloads a malicious batch script known as 123.bat from a remote server, hxxps[://]77[.]239[.]125[.]41[:]8443. Once it is downloaded, it stores the batch script under the path C:\\Users\\Public and then executes the batch script from that path using the Start-Process cmdlet.\r\nSimilarly, hunting for similar LNK files, we found another LNK, which belongs to the same campaign but looks slightly different.\r\nThis malicious LNK file uses a little operand shenanigan to avoid static signature detection, concatenating string literals before downloading a batch script from the same remote server, saving it to the Public folder, and executing it via the cmdlet.\r\nIn the next section, we will examine the malicious BATCH scripts.\r\nStage 1 – Malicious BATCH Scripts\r\nLooking into one of the BATCH scripts, i.e., it.bat, we can see that it downloads the PowerShell loaders, which we have dubbed DOWNSHELL, from the remote server as support.ps1 and a.ps1; once they are downloaded, it sleeps for a total of 11 seconds.\r\nLooking into the second batch script, i.e., the 123.bat file, it does the same, downloading the PowerShell loaders, followed by a sleep of 10 seconds.\r\nIn the next section, we will move ahead to understanding the workings of the DOWNSHELL loaders written in PowerShell.\r\nStage 2 – Malicious DOWNSHELL Loaders\r\nIn this section we will look into the set of malicious PowerShell scripts, which we have dubbed DOWNSHELL. The first PowerShell file, support.ps1, is a script responsible for impairing defenses on the target machine, and the latter is responsible for performing the loader function.\r\nLooking into the code, we figured out that the script obfuscates the target namespace by building “System.Management.Automation” via string concatenation, then enumerates all loaded .NET assemblies in the current AppDomain and filters for the one whose FullName matches that namespace.\r\nThen, using reflection, it resolves the internal type System.Management.Automation.AmsiUtils and retrieves its private static field amsiInitFailed; flipping this flag convinces PowerShell that AMSI has failed to initialize, so the other malicious script belonging to the DOWNSHELL family does not get scanned and executes without any hassle or interruption. Now, let us look into the second PowerShell script.\r\nLooking into the first part of the code, it looks like a copied version of the famous red-team emulation tool known as PowerSploit. The function LookupFunc dynamically retrieves the memory address of any exported function from a specified DLL without using traditional DllImport or Add-Type calls. It does this by locating the Microsoft.Win32.UnsafeNativeMethods type within the already-loaded System.dll assembly, then extracting and invoking the hidden .NET wrappers for GetModuleHandle and GetProcAddress. By first resolving the base address of the target module ($moduleName) and then passing it along with the target function name ($functionName), it returns a raw function pointer to that API.\r\nThen, looking into the second part of the code, the function getDelegateType creates a custom .NET delegate on the fly, entirely in memory. It takes the parameter types and a return type, builds a new delegate class with those, and gives it an Invoke method so it can be used like a normal function. 
This lets the entire script wrap the raw function pointers (from LookupFunc) into something PowerShell can call directly, making it easy to run WinAPI functions without having to import them in the usual way. This is followed by querying the process ID of the explorer.exe process and storing it inside a variable.\r\nThe latter part of the script contains a byte array holding the Meterpreter reverse_tcp shellcode and uses the classic CreateRemoteThread injection technique, OpenProcess, VirtualAllocEx, WriteProcessMemory \u0026 CreateRemoteThread, to inject the shellcode into the target process, which is explorer.exe, followed by the message Injected! Check your listener!.\r\nAn interesting part of this script is that some of it is commented out: that part performs Reflective DLL injection into a remote process, notepad in this case, using a tool known as PowerSploit hosted on the remote server, which is downloaded, and a Meterpreter-based DLL is used. Another slightly interesting detail is the comments in the Russian language. In the next section, we will examine the DLL.\r\nStage 3 – Malicious DLL Implant\r\nInitially, we checked the DLL implant in a PE-analysis tool, and it was confirmed that the DLL implant or shellcode loader is a 64-bit binary.\r\nNext, moving ahead with the code, we saw that the implant uses a semaphore as a sort of gatekeeper to make sure only one copy of itself runs at a time; in this case the implant uses a named object Local\\doSZQmSnP12lu4Pb5FRD. 
When it starts, it tries to create this semaphore; if it already exists, that means another instance is active. To double-check, it uses WaitForSingleObject on the semaphore and then looks for a specific named event. If the event exists, it knows another instance has already completed its setup. If it doesn’t, it creates the event itself.\r\nDepending on the result of the previous function, which is responsible for checking the number of instances, the next step is to spawn a rundll32.exe process in a suspended state.\r\nAfter creating the process in a suspended state, the implant performs classic thread-context hijacking: it calls GetThreadContext on the primary thread, uses VirtualAllocEx to reserve RWX memory in the target, WriteProcessMemory to drop the shellcode, updates the thread’s RIP to point to that buffer via SetThreadContext, and finally calls ResumeThread so execution continues at the injected shellcode. 
In this case, the shellcode is a reverse shell.\r\nInfrastructure \u0026 Hunting\r\nUpon looking into the infrastructure the threat entity had been using, we found a few slightly interesting details about it.\r\nTool-Arsenal\r\nAlong with the tools which we saw had been used by the threat actor, we also found more open-source red-team oriented tools hosted by the threat actor for further usage.\r\nPivoting\r\nUsing a similar fingerprint, we hunted for similar infrastructure, which belongs to the same threat actor.\r\nOne of the most interesting parts is that both infrastructures are hosted with a sanctioned hosting firm known as Aeza Group LLC.\r\nAnother interesting part is that we also discovered a lot of suspicious web applications being hosted, related to wellness, fitness and health assistance for Russian individuals.\r\nAttribution\r\nAttribution is a very important metric when describing a threat entity. 
It involves analyzing and correlating various domains, which include Tactics, Techniques and Procedures (TTPs), operational mistakes which could lead to attribution, rotation and re-use of similar infrastructural artefacts, and much more.\r\nIn our ongoing tracking of Noisy Bear, we have a lot of artefacts, such as the languages present inside the tooling, the usage of sanctioned web-hosting services, and behavioral artefacts similar to those of Russian threat entities which have previously targeted similar Central Asian nations; based on these, we attribute the threat actor as possibly being of Russian origin.\r\nConclusion\r\nWe have found that a threat entity, dubbed NoisyBear, is targeting the Kazakh Energy Sector using company-specific lures while heavily depending on PowerShell and open-source post-exploitation tools such as Metasploit, hosting them on a sanctioned web-hosting provider. We can also conclude that the threat actor has been active since April 2025.\r\nSEQRITE Protection\r\nTBD\r\nIOCs\r\nDomains/IPs\r\n77[.]239[.]125[.]41\r\nwellfitplan[.]ru\r\n178[.]159[.]94[.]8\r\nMITRE ATT\u0026CK\r\nTactic Technique ID Name\r\nReconnaissance T1589.002 Gather Victim Identity Information: Email Addresses\r\nInitial Access T1204.002 User Execution: Malicious File\r\nInitial Access T1078.002 Valid Accounts: Domain Accounts\r\nExecution T1059.001 Command and Scripting Interpreter: PowerShell\r\nExecution T1059.00 Command and Scripting Interpreter\r\nDefense Evasion T1562 Impair Defenses\r\nDefense Evasion T1027.007 Obfuscated Files or Information: Dynamic API Resolution\r\nDefense Evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File\r\nDefense Evasion T1055.003 Process Injection: Thread Execution Hijacking\r\nDefense Evasion T1620 Reflective Code Loading\r\nDefense Evasion T1218.011 System Binary Proxy Execution: Rundll32\r\nCommand and Control T1105 Ingress Tool Transfer\r\nExfiltration T1567.002 Exfiltration to Cloud Storage\r\nFooter note:\r\nClarification\r\nSome cybersecurity outlets represented Seqrite’s findings in a manner that suggested “NoisyBear compromised a KazMunayGas finance employee’s mailbox in May and used it to send phishing emails.” One of the news outlets also claimed to have contacted us for comments, but we did not receive any such request.\r\nSeqrite’s Position\r\nAs detailed in our original blog above, our research clearly stated that “the message was mostly crafted to look like an internal HR communication,” highlighting that it was likely a spoofed email and not the result of a mailbox compromise. Our findings, derived from samples in a public malware repository, indicated consistent use of the Russian language across the email, instruction manual, and payload comments. 
We also observed that the C\u0026C infrastructure linked to this campaign was hosted with Aeza Group LLC, a firm sanctioned by the US in July 2025 for enabling cybercriminal activity.\r\nIt is important to note that test IDs and red team tools are commonly used both in simulation exercises and by well-known adversaries in real-world cyber operations. In this instance, we acknowledge that the indicators identified were generated as part of KMG’s internal phishing exercise, not by an external threat group. We continue to track this activity under the name Operation BarrelFire.\r\nSource: https://www.seqrite.com/blog/operation-barrelfire-noisybear-kazakhstan-oil-gas-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-barrelfire-noisybear-kazakhstan-oil-gas-sector/"
	],
	"report_names": [
		"operation-barrelfire-noisybear-kazakhstan-oil-gas-sector"
	],
	"threat_actors": [],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f0ae885610798d93dd06111427a8694b7ae4fd7.pdf",
		"text": "https://archive.orkl.eu/3f0ae885610798d93dd06111427a8694b7ae4fd7.txt",
		"img": "https://archive.orkl.eu/3f0ae885610798d93dd06111427a8694b7ae4fd7.jpg"
	}
}