Seqrite Labs details Noisy Bear APT group using malicious campaign against Kazakhstan energy sector

A new report from the Seqrite Labs APT-Team details a previously unknown threat actor, dubbed Noisy Bear, that the team has been tracking since April this year. The group targeted entities in Central Asia, with a particular focus on Kazakhstan’s oil and gas sector. Investigators said the campaign targeted employees of the state-owned energy company KazMunaiGas, delivering malicious documents disguised as official IT department communications. The lures imitated internal messaging on policy updates, certification procedures, and salary adjustments to trick recipients into opening the files.

“Initially, we have been tracking this threat actor since April 2025, and we observed that this threat entity launched a campaign against KazMunaiGas employees in May 2025 using a spear-phishing-oriented method,” Subhajeet Singha, a security researcher at Seqrite, wrote in a blog post last week. “A compromised business email was used to deliver a malicious ZIP file, which contained a decoy along with a malicious initial infection-based shortcut (.LNK) file known as График зарплат.lnk, which can be translated to Salary Schedule.lnk. The sample initially surfaced on Virus Total in the first half of May 2025.”

Looking into the decoy document, Singha said, “we can see that it has an official logo of the targeted entity i.e., KazMunaiGas, along with instructions in both Russian and Kazakh language which instructs the employees through a series of simple steps which is to open the Downloads folder in the browser, extract a ZIP archive named KazMunayGaz_Viewer.zip, and run a file called KazMunayGaz_Viewer, although the file-name is irrelevant, but we believe, this is the exact file dropped from the malicious email.”

He added that the decoy also instructs users to wait for a console window to appear and specifically advises them not to close or interact with it, to limit suspicion on the targets’ end. “Last, not the least, it also mentions the IT-Support team in salutations to make it look completely legitimate, with above artefacts present in the decoy.”

To read the complete article, see: Seqrite Labs details Noisy Bear APT group using malicious campaign against Kazakhstan energy sector.

This post is licensed under CC BY 4.0 by the author.