A new report from Seqrite Labs' APT-Team details a previously unknown threat actor, dubbed Noisy Bear, which the team has tracked since April this year. The group targeted entities in Central Asia, with a particular focus on Kazakhstan’s oil and gas sector. Investigators said the campaign targeted employees of the state-owned energy company KazMunaiGas, delivering malicious documents disguised as official IT department communications. The lures imitated internal messaging on policy updates, certification procedures, and salary adjustments to trick recipients into opening the files.

“Initially, we have been tracking this threat actor since April 2025, and we observed that this threat entity launched a campaign against KazMunaiGas employees in May 2025 using a spear-phishing-oriented method,” Subhajeet Singha, a security researcher at Seqrite, wrote in a blog post last week. “A compromised business email was used to deliver a malicious ZIP file, which contained a decoy along with a malicious initial infection-based shortcut (.LNK) file known as График зарплат.lnk, which can be translated to Salary Schedule.lnk. The sample initially surfaced on VirusTotal in the first half of May 2025.”

Singha explained that the attackers initially sent emails from a compromised business account belonging to an employee in the finance department of KazMunaiGas. The messages, which used the subject line ‘URGENT! Review the updated salary schedule’, were delivered to company staff to create a sense of urgency.

On closer inspection, the email was crafted to resemble an internal HR communication related to salaries, work schedules, and incentive policies. Employees were instructed to download and open an attachment, a ZIP archive that contained a file. Investigators determined that this file was actually a malicious shortcut (LNK) designed to execute and download additional payloads onto the victim’s system.

He added that the email further pressured recipients by instructing them to complete the steps by May 15, 2025, reinforcing the sense of urgency. Investigators then proceeded to analyze the decoy file attached to the message.

Looking into the decoy document, Singha said, “we can see that it has an official logo of the targeted entity, i.e., KazMunaiGas, along with instructions in both Russian and Kazakh language which instructs the employees through a series of simple steps which is to open the Downloads folder in the browser, extract a ZIP archive named KazMunayGaz_Viewer.zip, and run a file called KazMunayGaz_Viewer, although the file name is irrelevant, but we believe, this is the exact file dropped from the malicious email.”

He added that the decoy also instructs users to wait for a console window to appear and specifically advises them not to close or interact with it, to limit suspicion on the targets’ end. “Last, not the least, it also mentions the IT-Support team in salutations to make it look completely legitimate, with above artefacts present in the decoy.”
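The delivery chain described above (a ZIP archive carrying a decoy plus a Windows shortcut with a Cyrillic name) is something a mail gateway or incident responder can check for mechanically. The following is an added example written for this article, not code from Seqrite or from the report: it builds a constructed in-memory ZIP that imitates the lure's layout, then scans any ZIP for shell-link files by both extension and the fixed header every .LNK file carries (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046, per Microsoft's MS-SHLLINK specification). The file names and bytes inside the sample archive are constructed for illustration and are not the campaign's actual artefacts.

```python
import io
import os
import zipfile

# Every Shell Link (.LNK) file begins with HeaderSize 0x0000004C (little-endian)
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = (
    b"\x4c\x00\x00\x00"                                   # HeaderSize = 76
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # LinkCLSID
)
SHORTCUT_EXTENSIONS = {".lnk"}


def build_constructed_sample_zip() -> bytes:
    """Constructed archive mimicking the lure's layout: a decoy, a shortcut with a
    Cyrillic name, and a file whose extension hides a shortcut. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("KazMunayGaz_Viewer/README.txt", "decoy text (constructed)")
        # Shortcut body: valid header followed by zero padding (constructed).
        zf.writestr("KazMunayGaz_Viewer/График зарплат.lnk", LNK_MAGIC + b"\x00" * 60)
        # Same header behind a harmless-looking extension (constructed).
        zf.writestr("KazMunayGaz_Viewer/schedule.pdf", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed archive with no shortcut, used to show a clean result."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.txt", "nothing to see here (constructed)")
    return buf.getvalue()


def scan_zip_for_shortcuts(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is a shell link, judged by
    extension or by the fixed LNK header, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_ext = ext in SHORTCUT_EXTENSIONS
            has_lnk_magic = head == LNK_MAGIC
            if not (has_lnk_ext or has_lnk_magic):
                continue
            reasons = []
            if has_lnk_ext:
                reasons.append("shortcut extension")
            if has_lnk_magic:
                reasons.append("shell link header")
            if has_lnk_magic and not has_lnk_ext:
                reasons.append("extension mismatch")
            if any(ord(c) > 127 for c in name):
                reasons.append("non-ASCII filename")
            findings.append({"name": name, "reasons": reasons})
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy hook: any shortcut inside an inbound archive is enough to hold it."""
    return bool(scan_zip_for_shortcuts(zip_bytes))


if __name__ == "__main__":
    for finding in scan_zip_for_shortcuts(build_constructed_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
    print("clean archive quarantined:", should_quarantine(build_clean_zip()))
```

Checking the header rather than only the extension matters because the report notes the displayed file name is irrelevant to the lure; a renamed shortcut still carries the same 20 leading bytes. In production the same scan should also recurse into nested archives and feed a mail-flow rule, since the campaign relied on a compromised internal sender that reputation checks alone would not catch.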

Singha noted that ongoing tracking of Noisy Bear revealed numerous artefacts, including the languages present in the tooling, use of sanctioned web-hosting services, and other behavioral indicators. Based on these similarities to Russian threat entities that have previously targeted Central Asian nations, the threat actor is possibly of Russian origin.

APT groups dubbed ‘Bear’ by cybersecurity researchers have consistently targeted critical infrastructure sectors, especially energy, transportation, and government entities. Cozy Bear (APT29), linked to Russia’s SVR, has conducted long-term cyber-espionage campaigns, including the SolarWinds supply chain compromise, to collect intelligence and potentially enable future operations. Fancy Bear (APT28), tied to Russia’s GRU, has targeted defense, military, and logistics organizations across Europe and NATO countries, often using sophisticated malware and phishing campaigns.

These groups have typically leveraged spear-phishing, compromised credentials, malware, and supply chain exploits to infiltrate systems, making them among the most persistent and capable threats to industrial and national infrastructure worldwide.

In conclusion, he wrote, “We have found that a threat entity, dubbed as NoisyBear, is targeting Kazakh Energy Sector using company-specific lure while heavily depending on PowerShell and open-source post-exploitation tools such as Metasploit, hosting them over a sanctioned web-hosting provider, we can also conclude that the threat actor has been active since the month of April 2025.”

In July, Zscaler reported that ransomware attacks on the oil and gas industry surged 935.3% year-over-year, likely fueled by a growing reliance on automation across rigs, pipelines, and infrastructure, which inflates the attack surface, and by outdated security practices that leave critical systems exposed.
