NoisyBear Exploits ZIP Files for PowerShell Loaders and Data Exfiltration


By Kaaviya

The threat actor known as NoisyBear has launched a sophisticated cyber-espionage effort called Operation BarrelFire, using specially designed phishing lures that imitate internal correspondence to target Kazakhstan’s energy sector, particularly workers of the state oil and gas major KazMunaiGas.

Security researchers at Seqrite Labs first observed the campaign in April 2025 and noted its rapid escalation by May.

Spear-Phishing Lure Mimics HR Notices

NoisyBear’s initial attack vector relied on a compromised finance department email at KazMunaiGas.

On May 15, 2025, employees received messages with the urgent subject line “URGENT! Review the updated salary schedule.”

The email body instructed recipients—in both Russian and Kazakh—to download and extract a ZIP file named График.zip (“Schedule.zip”) and then open a shortcut file, График зарплат.lnk (“Salary Schedule.lnk”), purportedly linking to updated salary policies.

The message created urgency by imposing a compliance deadline and even referenced ...


Copyright of this story solely belongs to gbhackers.