Operation BarrelFire: Targeting Kazakhstan Oil & Gas

released on 2025-09-05 @ 05:17:07 PM
A threat group dubbed NoisyBear has been targeting Kazakhstan's oil and gas sector since April 2025. The campaign focuses on KazMunaiGas employees, using spear-phishing emails with malicious attachments. The infection chain starts with a ZIP file containing a malicious LNK file and a decoy document; the LNK file downloads a batch script, which leads to PowerShell loaders (DOWNSHELL) and ultimately a malicious DLL implant. The threat actor uses various techniques, including AMSI bypass, process injection, and reflective DLL loading. Infrastructure analysis reveals the use of sanctioned hosting providers and open-source post-exploitation tools. The group is believed to be of Russian origin based on language artifacts and targeting patterns.