Operation BarrelFire: NoisyBear targets entities linked to Kazakhstan’s Oil & Gas Sector

    Date: 09/08/2025

    Severity: High

    Summary

    A new cyber-espionage campaign, tracked as Operation BarrelFire, has been attributed to a newly identified threat group named NoisyBear. Active since April 2025, NoisyBear has primarily targeted entities in Kazakhstan's oil and gas sector, including KazMunaiGas (KMG). The intrusion starts with a phishing email carrying a ZIP archive disguised as an internal KMG document. The archive holds a malicious LNK downloader together with a decoy file. When the LNK is opened it retrieves a batch script, which in turn launches PowerShell-based loaders, tracked as DOWNSHELL, that reflectively load a DLL implant directly in memory. The campaign runs on dedicated attacker-controlled infrastructure, consistent with a well-organized, targeted espionage effort.
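    The indicators further down catch this specific infrastructure and these specific files; the execution chain itself (LNK, then a batch script, then PowerShell loaders) is what survives a re-tooled campaign. The following is an added example, not Seqrite's or Gurucul's code, that looks for that shape in process-creation telemetry: a cmd.exe process running a .bat file that spawns a PowerShell child. The event fields (pid, ppid, image, cmdline), the sample command lines and the process IDs are all constructed for the example; Sysmon Event ID 1 records carry the same information.

```python
"""Process-chain check for the BarrelFire execution flow (added example).

Looks for cmd.exe executing a .bat file with a PowerShell child process,
the batch-script-to-DOWNSHELL step described in the summary. Not Seqrite
or Gurucul code; field names and sample events are constructed here.
"""
import re

BATCH_RE = re.compile(r"\.bat\b", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(image):
    """Executable name from a Windows path, lower-cased."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def children_by_ppid(events):
    """Index process-creation events by parent pid."""
    tree = {}
    for e in events:
        tree.setdefault(e["ppid"], []).append(e)
    return tree


def find_batch_to_powershell(events):
    """Return [cmd_event, powershell_event] pairs where cmd.exe runs a .bat
    file and a PowerShell process is created directly under it."""
    tree = children_by_ppid(events)
    chains = []
    for e in events:
        if basename(e["image"]) != "cmd.exe" or not BATCH_RE.search(e["cmdline"]):
            continue
        for child in tree.get(e["pid"], []):
            if basename(child["image"]) in SHELLS:
                chains.append([e, child])
    return chains


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed process-creation events; file names and arguments are placeholders.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Suspicious: explorer (LNK opened) -> cmd running a batch file -> powershell
    {"pid": 200, "ppid": 100, "image": CMD,
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage.bat"'},
    {"pid": 201, "ppid": 200, "image": PS,
     "cmdline": "powershell.exe -w hidden -ep bypass -c (placeholder loader)"},
    # Benign: cmd without a batch file, and powershell opened directly from explorer
    {"pid": 300, "ppid": 100, "image": CMD, "cmdline": "cmd.exe /c dir"},
    {"pid": 301, "ppid": 300, "image": PS, "cmdline": "powershell.exe Get-Date"},
    {"pid": 400, "ppid": 100, "image": PS, "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for cmd, ps in find_batch_to_powershell(PROCESS_EVENTS):
        print(f"pid {cmd['pid']} -> {ps['pid']}: {cmd['cmdline']} => {ps['cmdline']}")
```

    On real hosts this chain also fires for legitimate logon scripts and installers, so it is a hunting query rather than a blocking rule; joining the cmd.exe event to the file-creation event for the .bat (a user-writable path, written seconds earlier by a downloader) is the usual way to tighten it.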

    Indicators of Compromise (IOC) List

    URL/Domain

    wellfitplan.ru

    IP Address

    178.159.94.8

    77.239.125.41

    Hash (MD5)

    0ee3ed9a974ab3e3f93e0f605c7d4423
    2deda17efed81fcec84028610d3f5a7b
    42b1c5306dcb8045c03a5604256b9e87
    5677e3d34337e1927ed49dd344863f9f
    65d002a30d514d6f6b290360c44493c5
    680e3e35c898258a8188540329e2864f
    883002fa9c0274f64a06f64505c1e2af
    a770a67141a36b71cd075c56a575090e
    ba68ca69e36f127122590000bb41c9d5
    e2bab67d0bad6ef6bb3e09a72ff757e3
    fa3658a89c00e5325f2c02d37fdb6633

    Hash (SHA-1)

    0d84e73ae0d56bbb735b2b78ef6dff62a8ca0637
    2e551f6d27d55cc4a7fb99f29e2424b4a5f38b97
    3da1cb52cc213d307739efea27894f6676fe5165
    4281dbfe357a14cb2546ff5089f27f2936a5f32f
    435f339cb0bb6f16551226adaa3c31a2c138e7cd
    4a9f9ab577456af29c87613376f458dbf1d9b8b6
    4e591a63961e8328ddfe412c33b72ee6fd0b2547
    94bec829413832bbb2d00ca5d8b60ec8ac4d875f
    d46c7a81fe3ab37f993abc9b5077e3be5b09a6fb
    db4eaf0d77962e846daf83af0fc2cb8384fdc97e
    df35cb225b3b7f5e1bce3ef571fa5881a431887a

    Hash (SHA-256)

    021b3d53fe113d014a9700488e31a6fb5e16cb02227de5309f6f93affa4515a6
    1bfe65acbb9e509f80efcfe04b23daf31381e8b95a98112b81c9a080bdd65a2d
    1eecfc1c607be3891e955846c7da70b0109db9f9fdf01de45916d3727bff96e0
    26f009351f4c645ad4df3c1708f74ae2e5f8d22f3b0bbb4568347a2a72651bee
    5168a1e22ee969db7cea0d3e9eb64db4a0c648eee43da8bacf4c7126f58f0386
    6d6006eb2baa75712bfe867bf5e4f09288a7d860a4623a4176338993b9ddfb4b
    a40e7eb0cb176d2278c4ab02c4657f9034573ac83cee4cde38096028f243119c
    d48aeb6afcc5a3834b3e4ca9e0672b61f9d945dd41046c9aaf782382a6044f97
    da98b0cbcd784879ba38503946898d747ade08ace1d4f38d0fb966703e078bbf
    f5e7dc5149c453b98d05b73cad7ac1c42b381f72b6f7203546c789f4e750eb26
    fb0f7c35a58a02473f26aabea4f682e2e483db84b606db2eca36aa6c7e7d9cf8

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (domain):

    domainname like "wellfitplan.ru" or siteurl like "wellfitplan.ru" or url like "wellfitplan.ru"

    Detection Query 2 (IP address):

    dstipaddress IN ("178.159.94.8","77.239.125.41") or srcipaddress IN ("178.159.94.8","77.239.125.41")

    Detection Query 3 (MD5):

    md5hash IN ("0ee3ed9a974ab3e3f93e0f605c7d4423","2deda17efed81fcec84028610d3f5a7b","5677e3d34337e1927ed49dd344863f9f","e2bab67d0bad6ef6bb3e09a72ff757e3","65d002a30d514d6f6b290360c44493c5","680e3e35c898258a8188540329e2864f","ba68ca69e36f127122590000bb41c9d5","883002fa9c0274f64a06f64505c1e2af","42b1c5306dcb8045c03a5604256b9e87","a770a67141a36b71cd075c56a575090e","fa3658a89c00e5325f2c02d37fdb6633")

    Detection Query 4 (SHA-1):

    hash IN ("0d84e73ae0d56bbb735b2b78ef6dff62a8ca0637","db4eaf0d77962e846daf83af0fc2cb8384fdc97e","4e591a63961e8328ddfe412c33b72ee6fd0b2547","435f339cb0bb6f16551226adaa3c31a2c138e7cd","4a9f9ab577456af29c87613376f458dbf1d9b8b6","df35cb225b3b7f5e1bce3ef571fa5881a431887a","4281dbfe357a14cb2546ff5089f27f2936a5f32f","2e551f6d27d55cc4a7fb99f29e2424b4a5f38b97","3da1cb52cc213d307739efea27894f6676fe5165","94bec829413832bbb2d00ca5d8b60ec8ac4d875f","d46c7a81fe3ab37f993abc9b5077e3be5b09a6fb")

    Detection Query 5 (SHA-256):

    sha256hash IN ("1bfe65acbb9e509f80efcfe04b23daf31381e8b95a98112b81c9a080bdd65a2d","26f009351f4c645ad4df3c1708f74ae2e5f8d22f3b0bbb4568347a2a72651bee","a40e7eb0cb176d2278c4ab02c4657f9034573ac83cee4cde38096028f243119c","021b3d53fe113d014a9700488e31a6fb5e16cb02227de5309f6f93affa4515a6","f5e7dc5149c453b98d05b73cad7ac1c42b381f72b6f7203546c789f4e750eb26","5168a1e22ee969db7cea0d3e9eb64db4a0c648eee43da8bacf4c7126f58f0386","fb0f7c35a58a02473f26aabea4f682e2e483db84b606db2eca36aa6c7e7d9cf8","1eecfc1c607be3891e955846c7da70b0109db9f9fdf01de45916d3727bff96e0","6d6006eb2baa75712bfe867bf5e4f09288a7d860a4623a4176338993b9ddfb4b","d48aeb6afcc5a3834b3e4ca9e0672b61f9d945dd41046c9aaf782382a6044f97","da98b0cbcd784879ba38503946898d747ade08ace1d4f38d0fb966703e078bbf")
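    For teams without Gurucul TDIR, the same five queries can be run offline against exported events. The following is an added example, not Gurucul's or Seqrite's code, that applies the page's indicators to JSON events whose field names mirror the query fields above. It departs from the queries in two places a practitioner should note: the domain test is suffix-based (the IOC domain or a subdomain of it) rather than a bare substring match, and digests are lower-cased and typed by length before lookup. The event records are constructed for the example.

```python
"""IOC sweep for the Operation BarrelFire indicators listed above (added example).

Not Gurucul TDIR or Seqrite code: it applies the matching logic of the five
detection queries to JSON events with the same field names, with suffix-based
host matching and length-typed, case-normalised digests.
"""
import re
from urllib.parse import urlparse

DOMAIN_IOCS = {"wellfitplan.ru"}
IP_IOCS = {"178.159.94.8", "77.239.125.41"}
# All 33 digests from the IOC list above (11 MD5, 11 SHA-1, 11 SHA-256).
HASH_IOCS = set("""
0ee3ed9a974ab3e3f93e0f605c7d4423 2deda17efed81fcec84028610d3f5a7b 42b1c5306dcb8045c03a5604256b9e87
5677e3d34337e1927ed49dd344863f9f 65d002a30d514d6f6b290360c44493c5 680e3e35c898258a8188540329e2864f
883002fa9c0274f64a06f64505c1e2af a770a67141a36b71cd075c56a575090e ba68ca69e36f127122590000bb41c9d5
e2bab67d0bad6ef6bb3e09a72ff757e3 fa3658a89c00e5325f2c02d37fdb6633
0d84e73ae0d56bbb735b2b78ef6dff62a8ca0637 2e551f6d27d55cc4a7fb99f29e2424b4a5f38b97
3da1cb52cc213d307739efea27894f6676fe5165 4281dbfe357a14cb2546ff5089f27f2936a5f32f
435f339cb0bb6f16551226adaa3c31a2c138e7cd 4a9f9ab577456af29c87613376f458dbf1d9b8b6
4e591a63961e8328ddfe412c33b72ee6fd0b2547 94bec829413832bbb2d00ca5d8b60ec8ac4d875f
d46c7a81fe3ab37f993abc9b5077e3be5b09a6fb db4eaf0d77962e846daf83af0fc2cb8384fdc97e
df35cb225b3b7f5e1bce3ef571fa5881a431887a
021b3d53fe113d014a9700488e31a6fb5e16cb02227de5309f6f93affa4515a6
1bfe65acbb9e509f80efcfe04b23daf31381e8b95a98112b81c9a080bdd65a2d
1eecfc1c607be3891e955846c7da70b0109db9f9fdf01de45916d3727bff96e0
26f009351f4c645ad4df3c1708f74ae2e5f8d22f3b0bbb4568347a2a72651bee
5168a1e22ee969db7cea0d3e9eb64db4a0c648eee43da8bacf4c7126f58f0386
6d6006eb2baa75712bfe867bf5e4f09288a7d860a4623a4176338993b9ddfb4b
a40e7eb0cb176d2278c4ab02c4657f9034573ac83cee4cde38096028f243119c
d48aeb6afcc5a3834b3e4ca9e0672b61f9d945dd41046c9aaf782382a6044f97
da98b0cbcd784879ba38503946898d747ade08ace1d4f38d0fb966703e078bbf
f5e7dc5149c453b98d05b73cad7ac1c42b381f72b6f7203546c789f4e750eb26
fb0f7c35a58a02473f26aabea4f682e2e483db84b606db2eca36aa6c7e7d9cf8
""".split())
HEX_RE = re.compile(r"^[0-9a-f]+$")


def hash_kind(digest):
    """Classify a hex digest by length: md5, sha1, sha256 or None."""
    d = digest.strip().lower()
    if not HEX_RE.match(d):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d))


def host_of(value):
    """Hostname from a bare host or a full URL."""
    v = value.strip().lower()
    if "://" in v:
        return urlparse(v).hostname or ""
    return v.split("/", 1)[0].split(":", 1)[0]


def domain_matches(value, ioc):
    """True for the IOC domain or a subdomain of it; a plain substring test
    (SQL 'like') would also fire on wellfitplan.ru.example.com."""
    h = host_of(value)
    return h == ioc or h.endswith("." + ioc)


def match_event(event):
    """Return (indicator_kind, field, matched_value) hits for one event."""
    hits = []
    for field in ("domainname", "siteurl", "url"):  # query 1
        v = event.get(field)
        if v and any(domain_matches(v, d) for d in DOMAIN_IOCS):
            hits.append(("domain", field, v))
    for field in ("dstipaddress", "srcipaddress"):  # query 2
        v = event.get(field)
        if v in IP_IOCS:
            hits.append(("ip", field, v))
    for field in ("md5hash", "hash", "sha256hash"):  # queries 3, 4, 5
        v = event.get(field)
        if v and v.strip().lower() in HASH_IOCS:
            hits.append((hash_kind(v), field, v.strip().lower()))
    return hits


def sweep(events):
    """Keep only events with at least one hit, paired with their hits."""
    out = []
    for e in events:
        hits = match_event(e)
        if hits:
            out.append({"event": e, "hits": hits})
    return out


# Constructed sample telemetry for the example, not real logs.
SAMPLE_EVENTS = [
    {"type": "proxy", "srcipaddress": "10.0.0.5", "url": "https://wellfitplan.ru/update"},
    {"type": "netflow", "srcipaddress": "10.0.0.5", "dstipaddress": "178.159.94.8"},
    {"type": "file", "md5hash": "0EE3ED9A974AB3E3F93E0F605C7D4423"},
    {"type": "file", "sha256hash": "021b3d53fe113d014a9700488e31a6fb5e16cb02227de5309f6f93affa4515a6"},
    {"type": "proxy", "srcipaddress": "10.0.0.9", "url": "https://wellfitplan.ru.example.com/"},
    {"type": "netflow", "srcipaddress": "10.0.0.9", "dstipaddress": "8.8.8.8"},
]

if __name__ == "__main__":
    for r in sweep(SAMPLE_EVENTS):
        print(r["hits"])
```

    The lookalike host and the benign DNS resolver in the sample produce no hits; the four remaining events each produce exactly one. Hash matching is exact by nature, so a recompiled loader will not match, and the infrastructure indicators age as soon as the operators rotate hosting.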

    Reference:

    https://www.seqrite.com/blog/operation-barrelfire-noisybear-kazakhstan-oil-gas-sector/


    Tags

    Threat Actor, Cyber Espionage, Noisy Bear, Kazakhstan, Energy, Phishing, Operation BarrelFire
