Dive into the shadowy world of cyber threats with Malik Haidar, a seasoned cybersecurity expert who has spent years safeguarding multinational corporations from sophisticated hackers and digital espionage. With a unique blend of analytics, intelligence, and business-focused security strategies, Malik offers unparalleled insights into the evolving landscape of cybercrime. In this interview, we explore the intricacies of recent campaigns targeting critical sectors, from phishing operations in Kazakhstan’s energy industry to broader threats against nations like Ukraine, Poland, and Russia. Our conversation delves into the tactics of threat actors, the technical mechanisms behind their attacks, and the broader implications for global cybersecurity.
Can you walk us through the details of the Noisy Bear campaign targeting Kazakhstan’s energy sector?
Certainly. The Noisy Bear campaign, also referred to as Operation BarrelFire, is a targeted phishing effort aimed at the energy sector in Kazakhstan, specifically employees of KazMunayGas, the state-owned oil and gas company. Active since at least April 2025, this operation uses deceptive tactics to trick employees into engaging with malicious content. The attackers crafted phishing emails that appeared to come from within the company, often mimicking internal communications from the IT or finance departments. These emails contained fake documents themed around policy updates, certifications, or salary adjustments to lure victims into opening attachments.
What specific techniques did the attackers use to make their phishing emails seem legitimate?
The attackers went to great lengths to build trust. They sent emails from compromised accounts, such as one belonging to a finance department employee at KazMunayGas, which instantly raised the credibility of the message. The content of the emails was tailored to look like official internal correspondence, using familiar language and themes that employees wouldn’t immediately question. This social engineering approach, combined with the use of convincing decoy documents, made it difficult for recipients to spot the scam.
Can you break down the technical aspects of how this attack unfolded once an employee engaged with the email?
Absolutely. The phishing emails contained a ZIP attachment, which included a Windows shortcut (LNK) file, a decoy document related to KazMunayGas, and a README.txt file with instructions in Russian and Kazakh to run a program called “KazMunayGaz_Viewer.” Once the LNK file is clicked, it acts as a downloader, dropping a malicious batch script. This script then paves the way for a PowerShell loader called DOWNSHELL, which ultimately deploys a DLL-based implant. This 64-bit binary can execute shellcode to establish a reverse shell, giving attackers remote access to the compromised system.
Who do you think might be behind the Noisy Bear group, and where are they likely operating from?
While attribution in cyber campaigns is always tricky, there are indicators suggesting a possible Russian origin for Noisy Bear. One key piece of evidence is their use of infrastructure hosted by a Russia-based bulletproof hosting provider called Aeza Group, which has been sanctioned by the U.S. for supporting malicious activities. Bulletproof hosting services like this are often used by threat actors to shield their operations from takedowns, and the choice of this provider, combined with the bilingual instructions in the attack, points to a connection with Russian-speaking regions.
How did KazMunayGas respond to the reports of this cyber threat?
Interestingly, KazMunayGas has downplayed the severity of the situation, stating that the activity described in the security report was actually part of a planned phishing test they conducted internally in May 2025. They clarified that the screenshots and details mentioned in the analysis were from this training exercise, not a real attack. This response suggests that what was initially perceived as a malicious campaign might have been a controlled simulation to test employee awareness and response to phishing attempts.
Shifting gears, can you tell us about the Ghostwriter campaign targeting Ukraine and Poland?
Of course. The Ghostwriter group, also tracked as FrostyNeighbor, has been active since at least April 2025, targeting entities in Ukraine and Poland with information-gathering and exploitation campaigns. They use rogue ZIP and RAR archives containing Excel spreadsheets with VBA macros that drop and load malicious DLLs. These DLLs collect data about the compromised system and fetch additional malware from a command-and-control server. In Poland, the attack chain has been adapted to use Slack as a beaconing and data exfiltration channel, while in Ukraine, the focus seems more on reconnaissance and deploying next-stage payloads like Cobalt Strike Beacon for deeper exploitation.
What can you tell us about the recent wave of cyber attacks targeting Russian companies?
There’s been a noticeable uptick in attacks on Russian organizations in 2025, with groups like OldGremlin focusing on extortion campaigns against large industrial enterprises. These attacks often start with phishing emails and employ techniques like bring-your-own-vulnerable-driver to disable security software. Additionally, new malware like Phantom Stealer, based on the open-source Stealerium, targets sensitive information using lures related to payments or adult content. There are also Android malware strains masquerading as antivirus tools linked to Russian federal agencies, designed to steal data from business representatives through extensive permissions and accessibility services.
What is your forecast for the future of cyber threats targeting critical sectors like energy and industry?
I anticipate that cyber threats targeting critical infrastructure, like energy and industrial sectors, will only grow in sophistication and frequency. As geopolitical tensions continue to simmer, we’ll likely see more state-aligned or state-sponsored actors leveraging advanced phishing, custom malware, and infrastructure like bulletproof hosting to conduct espionage or disruption. The blending of cybercrime and geopolitical motives means that organizations in these sectors must prioritize not just technical defenses, but also employee training and rapid response capabilities to mitigate risks. The landscape is evolving fast, and staying ahead will require constant vigilance and adaptation.