Security Articles

Operation BarrelFire: Targeting Kazakhstan Oil & Gas

Released on 2025-09-04 @ 09:23:43 AM

A threat group dubbed NoisyBear has been targeting Kazakhstan's oil and gas sector since April 2025, particularly focusing on KazMunaiGas employees. The campaign uses spear-phishing emails with malicious ZIP attachments containing LNK files. These files download batch scripts, which in turn retrieve PowerShell loaders dubbed DOWNSHELL. The infection chain progresses through multiple stages, ultimately leading to the deployment of a malicious DLL implant. The threat actor employs various techniques to evade detection, including AMSI bypass and reflective DLL injection. The infrastructure used by NoisyBear is hosted on sanctioned web services, and the group is suspected to be of Russian origin based on language artifacts and targeting patterns.