
A new set of attacks targeting Kazakhstan's energy sector has been attributed to threat actors likely of Russian origin.
The activity, codenamed Operation BarrelFire, is tied to a new threat group that Seqrite Labs tracks as Noisy Bear. The threat actor has been active since at least April 2025.
"The campaign is aimed at KazMunayGas (KMG) employees, with the threat entity providing fake documents related to the KMG IT department, mimicking official internal communications and leveraging themes such as policy updates, internal certification procedures, and pay adjustments."
The infection chain begins with a phishing email carrying a ZIP attachment that contains a Windows Shortcut (LNK) downloader, decoy documents related to KazMunayGas, and a readme.txt file written in both Russian and Kazakh with instructions for running a program named "kazmunaygaz_viewer".
According to the cybersecurity company, the email was sent in May 2025 from the compromised email address of an individual working in the finance department of KazMunayGas and targeted other employees of the company.
The LNK file is designed to drop additional payloads, including malicious batch scripts that pave the way for a PowerShell loader called DOWNSHELL. The attack culminates in the deployment of a DLL-based implant, a 64-bit binary capable of running shellcode and launching a reverse shell.
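As an added example that is not from the page or from Seqrite Labs, the following Python triage routine targets the lure structure described above: it opens a mail attachment archive, identifies LNK members by their file header rather than by extension, and checks whether a bundled readme instructs the recipient to run that shortcut. The archive contents are constructed sample data; the file names and text are assumptions modelled on the description.

```python
import io
import zipfile

# A Shell Link file starts with HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """Detect an LNK file by its header so a renamed or double-extension shortcut is still caught."""
    return data[:20] == LNK_MAGIC


def triage_archive(zip_bytes: bytes) -> dict:
    """Return findings for an attachment archive: which members are LNK files and whether
    a readme-style file names one of them (the 'run kazmunaygaz_viewer' pattern)."""
    findings = {"lnk_members": [], "readme_mentions_lnk": False, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    for name, data in members.items():
        if is_lnk(data):
            findings["lnk_members"].append(name)
    readme_text = ""
    for name, data in members.items():
        if name.rsplit("/", 1)[-1].lower().startswith("readme"):
            readme_text += data.decode("utf-8", errors="replace").lower()
    for name in findings["lnk_members"]:
        stem = name.rsplit("/", 1)[-1].split(".")[0].lower()
        if stem and stem in readme_text:
            findings["readme_mentions_lnk"] = True
    if findings["lnk_members"]:
        findings["verdict"] = "likely lure" if findings["readme_mentions_lnk"] else "suspicious"
    return findings


def build_sample_archive(include_lnk: bool = True) -> bytes:
    """Constructed sample attachment: a bilingual readme, a decoy document and a stub LNK header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt",
                    "Запустите kazmunaygaz_viewer\n"
                    "kazmunaygaz_viewer бағдарламасын іске қосыңыз\n")
        zf.writestr("KMG_policy_update.pdf", b"%PDF-1.4 decoy placeholder")
        if include_lnk:
            zf.writestr("kazmunaygaz_viewer.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()
```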

Further analysis of the threat actor's infrastructure revealed that it is hosted with Aeza Group, a Russia-based bulletproof hosting (BPH) service provider.
The development coincides with HarfangLab's disclosure of a campaign by Ghostwriter (also known as FrostyNeighbor or UNC1151), a Belarusian threat actor, that has targeted Ukraine and Poland since April 2025 with the aim of gathering information about compromised systems and deploying additional implants.

“These archives contain XLS spreadsheets with VBA macros that drop and load DLLs,” said the French cybersecurity company. “The latter is responsible for collecting information about the compromised system and obtaining the next stage of malware from the Command and Control (C2) server.”
Subsequent iterations of the campaign have been observed using Microsoft Cabinet (CAB) archives paired with LNK shortcuts to extract and run the DLL from the archive. The DLL then conducts initial reconnaissance before fetching the next-stage malware from an external server.
Meanwhile, an attack targeting Poland has been observed using Slack as a beaconing mechanism and data exfiltration channel, and downloading a two-stage payload that establishes contact with the domain peshack[.]icu.
In at least one instance, DLLs dropped via macro-laced Excel spreadsheets are used to load Cobalt Strike Beacon, facilitating post-compromise activity.
"These small changes suggest that UAC-0057 is likely trying to avoid detection, but they likely prioritize the continuity or development of their operational capabilities over stealth and refinement," HarfangLab said.
Cyberattacks reported against Russia
The findings emerged amid a fresh wave of attacks by Old Gremlin on Russian companies in the first half of 2025, targeting eight large domestic industrial companies via a phishing email campaign.
The intrusions, documented by Kaspersky, used the Bring Your Own Vulnerable Driver (BYOVD) technique to disable the security solution on the victim's computer and the legitimate Node.js interpreter to run malicious scripts.
Phishing attacks targeting Russia have also delivered a new information stealer called Phantom Stealer, which is based on the open-source stealer codenamed Stealerium, to collect a wide range of sensitive information using adult-content and payment-related email lures. It also shares overlaps with another Stealerium derivative known as Warp Stealer.
According to F6, Phantom Stealer inherits Stealerium's "PornDetector" module, which keeps tabs on the titles of active browser windows and captures webcam screenshots when a user visits pornographic websites, triggering when the title contains a term from a configurable list such as "porn" or "sex".

"This is likely to be used later for 'sextortion'," Proofpoint said in its own analysis of the malware. "This feature is not novel among cybercrime malware, but it is not commonly observed."
Over the past few months, Russian organizations have also been on the receiving end of attacks carried out by hacking groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf, which harvest sensitive information and use malware families such as VBShower, PhantomRAT, and PhantomRShell to deliver additional payloads.
Another cluster of activity involves new Android malware that masquerades as antivirus tools created by the Russian Federal Security Service (FSB) in order to target representatives of Russian businesses. The apps attempt to pass themselves off as SECURITY_FSB, as the FSB's Russian-language name, and, in one case, as the Central Bank of the Russian Federation.
First discovered in January 2025, the malware exfiltrates data from messenger and browser apps, streams from the phone's cameras, logs keystrokes, and asks for extensive permissions to access SMS messages, location, audio and cameras. It also requires background execution, device administrator rights and accessibility services.
"The app's interface is offered only in Russian," Doctor Web said. "Therefore, the malware is entirely focused on Russian users. The backdoor protects itself from removal using accessibility services if it receives a corresponding command from the threat actor."