Operation BarrelFire: Noisy Bear Targets Entities Linked to Kazakhstan’s Oil & Gas Sector

Intel Name: Operation BarrelFire: Noisy Bear Targets Entities Linked to Kazakhstan’s Oil & Gas Sector

Date of Scan: September 8, 2025

Impact: High

Summary:
A new cyber-espionage campaign dubbed Operation BarrelFire has been uncovered and attributed to a newly tracked threat group named Noisy Bear. Active since April 2025, Noisy Bear has primarily targeted entities in Kazakhstan’s Oil and Gas sector, including KazMunaiGas (KMG). The attack begins with a phishing email containing a ZIP file disguised as an internal KMG document. The archive includes a malicious LNK downloader and a decoy file. When executed, the LNK file downloads a malicious batch script, which triggers PowerShell-based loaders, named DOWNSHELL, that reflectively load a DLL implant. The campaign also relies on dedicated attacker-controlled infrastructure, indicating a well-organized, targeted cyber-espionage effort.
