Russian hackers tried to attack the Kazakh gas company KazMunayGas:
> The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer."
> The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025.
> The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.
> Further analysis of the threat actor's infrastructure has revealed that it's hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities.
Full technical analysis of the attack:
https://www.seqrite.com/blog/operation-barrelfire-noisybear-kazakhstan-oil-gas-sector/
(In brief, in Russian: a phishing mailing carrying a malicious script that is launched through a shortcut inside a ZIP file. The mailing was sent from the hacked account of a high-ranking female employee.)
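An added attachment-triage check (example code, not from the original post or from Seqrite) that flags a ZIP with the lure layout quoted above: a Windows shortcut packed together with a README.txt and a decoy document. The sample archive, its file names and contents are constructed placeholders.

```python
"""Triage an email ZIP attachment for the lure pattern described in the post:
a Windows shortcut (.lnk) shipped with run-me instructions and a decoy document.
Constructed sample data; this is not code from the original post."""
import io
import posixpath
import zipfile

# First 8 bytes of a ShellLinkHeader: HeaderSize (0x4C) + start of the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def triage_zip(data: bytes) -> dict:
    """Return which members look like shortcuts (by extension or by header
    magic, so a renamed .lnk is still caught), whether a README.txt and a
    decoy document are present, and an overall verdict."""
    findings = {"lnk": [], "readme": [], "docs": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if lower.endswith(".lnk") or head == LNK_MAGIC:
                findings["lnk"].append(name)
            elif posixpath.basename(lower) == "readme.txt":
                findings["readme"].append(name)
            elif posixpath.splitext(lower)[1] in DOC_EXTENSIONS:
                findings["docs"].append(name)
    # A shortcut plus instructions or a decoy is the combination the post describes.
    findings["suspicious"] = bool(findings["lnk"]) and bool(findings["readme"] or findings["docs"])
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes_or_str} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mirroring the attachment layout in the post; placeholder contents,
# shortcut name taken from the program name the README told recipients to run.
SAMPLE_LURE = {
    "KazMunayGaz_Viewer.lnk": LNK_MAGIC + b"\x00" * 64,
    "README.txt": "Run KazMunayGaz_Viewer\n",
    "decoy.pdf": b"%PDF-1.4 placeholder",
}

if __name__ == "__main__":
    print(triage_zip(build_zip(SAMPLE_LURE)))
```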