Путин хуйло 09/06/2025 (Sat) 18:58 Id: 9367be No.770506
Russian hackers tried to attack the Kazakh gas company KazMunaiGas:

> The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer."

> The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025.

> The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.

> Further analysis of the threat actor's infrastructure has revealed that it's hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities

Full technical analysis of the attack:
https://www.seqrite.com/blog/operation-barrelfire-noisybear-kazakhstan-oil-gas-sector/
(Short summary, originally in Russian: a phishing mailing of a malicious script that is launched via a shortcut inside a ZIP file. The mailing was sent from the hacked account of a high-ranking female employee)
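
An added example, not part of the post or the linked report: a mail-gateway style check in Python that flags Windows shortcut (LNK) files and scripts inside a ZIP attachment, the delivery format the quoted text describes. The function names and the sample archive are constructed for illustration; the header constant follows the published MS-SHLLINK format.

```python
import io
import struct
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order (MS-SHLLINK).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) findings for one ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            if info.flag_bits & 0x1:  # encrypted member: content cannot be read
                findings.append((name, "encrypted member, not inspected"))
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:  # match on content, so a rename does not hide it
                reason = "shell link header"
                if not lower.endswith(".lnk"):
                    reason += " under a non-.lnk name"
                findings.append((name, reason))
            elif lower.endswith(".lnk"):
                findings.append((name, ".lnk extension without shell link header"))
            elif lower.endswith(SCRIPT_EXTS):
                findings.append((name, "script file"))
    return findings


def constructed_sample() -> bytes:
    """Build a harmless ZIP shaped like the described attachment (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed placeholder text")
        zf.writestr("decoy.docx", b"PK constructed placeholder")
        zf.writestr("viewer.lnk", LNK_MAGIC + b"\x00" * 56)  # header only, no target
        zf.writestr("notes.pdf", LNK_MAGIC + b"\x00" * 56)   # shortcut under another name
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(constructed_sample()):
        print(f"{member}: {why}")
```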