A threat actor of possible Russian origin has been held responsible for a new set of attacks targeting the energy sector in Kazakhstan.
The activity, codenamed Operation BarrelFire, has been tied to a new threat group tracked by Seqrite Labs. The actor has been active since at least April 2025.
"The campaign has been targeted at KazMunayGas (KMG) employees, where the threat actor used a fake document related to the KMG IT department, mimicking official internal communication and taking advantage of topics such as policy updates, internal certification processes and pay adjustments," said security researcher Subhajeet Singha.
The infection chain begins with a phishing email carrying a ZIP attachment that contains a Windows shortcut (LNK) downloader, a decoy document related to KazMunayGas, and a README.txt file referring to "KazMunayGaz_Viewer" with instructions written in both Russian and Kazakh.
According to the cybersecurity company, the email was sent from the compromised account of a person working in KazMunayGas' finance department, and other employees of the firm were targeted in May 2025.
The LNK file is designed to retrieve additional payloads, including a malicious batch script that paves the way for a PowerShell loader. The attacks end with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.
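The attachment layout described above (a ZIP carrying an LNK downloader next to a decoy document and a README) is a pattern a mail gateway or triage script can flag before the shortcut is ever clicked. The following Python is an added example for this article, not code from Seqrite Labs or the report; it identifies shell-link members by their fixed header (the Shell Link HeaderSize of 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) rather than trusting extensions, and raises a verdict when an LNK sits alongside a decoy or README. The archive it inspects is constructed inline; the file names in it are hypothetical.

```python
import io
import zipfile

# Shell Link (.lnk) files start with HeaderSize 0x0000004C and then the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# Document types commonly shipped as decoys next to a shortcut.
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def classify_member(name: str, head: bytes) -> str:
    """Return 'lnk', 'decoy' or 'other' for one archive member.

    The header check comes first so a shortcut renamed to hide its
    extension (e.g. 'file.pdf      .lnk' tricks or double extensions)
    is still caught.
    """
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if name.lower().endswith(".lnk"):
        return "lnk"
    if name.lower().endswith(DECOY_EXTENSIONS):
        return "decoy"
    return "other"


def scan_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment (as bytes) and report lure-like structure.

    'suspicious' is True when the archive carries a shell link together
    with a decoy document or a README, the combination described for
    the KazMunayGas lure.
    """
    result = {"lnk": [], "decoy": [], "readme": [], "other": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            kind = classify_member(info.filename, head)
            base = info.filename.rsplit("/", 1)[-1].lower()
            if kind != "lnk" and base.startswith("readme"):
                result["readme"].append(info.filename)
            else:
                result[kind].append(info.filename)
    result["suspicious"] = bool(result["lnk"]) and bool(result["decoy"] or result["readme"])
    return result


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the described layout (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical names; the LNK body is just a valid header plus padding.
        zf.writestr("KazMunayGaz_Viewer.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("Policy_Update.pdf", b"%PDF-1.4 decoy")
        zf.writestr("readme.txt", "Open KazMunayGaz_Viewer to read the document".encode())
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with no shortcut, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 benign")
        zf.writestr("notes.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_zip()))
    print(scan_zip_attachment(build_benign_zip()))
```

The header check is what makes the scan useful: a ZIP whose only shortcut has been given a document-looking name still yields an `lnk` entry, while a plain document bundle produces no verdict.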
Further analysis of the actor's infrastructure has shown that it is hosted on the Russian bulletproof hosting (BPH) provider Aeza Group, which was sanctioned by the US in July 2025 for enabling malicious activities.
The development comes as HarfangLab detailed a Belarus-aligned actor known as GhostWriter (aka FrostyNeighbor or UNC1151) that has been using malicious ZIP and RAR archives in campaigns targeting Ukraine and Poland since April 2025, aimed at gathering information about compromised systems and retrieving further malware.
"These archives contain an XLS spreadsheet with a VBA macro that drops and loads a DLL," the French cybersecurity company said. "The latter is responsible for collecting information about the compromised system and retrieving the next-stage malware from the command-and-control (C2) server."
Later iterations of the campaign have been found to use a Microsoft Cabinet (CAB) file, extracted from the archive by way of LNK shortcuts, to write and run the DLL. The DLL then proceeds to carry out initial reconnaissance before retrieving the next-stage malware from an external server.
Other variants have been observed using Slack as a beaconing mechanism and data exfiltration channel, as well as downloading a second-stage payload that establishes contact with the domain pastes[.]icu.
In at least one instance, the DLL dropped through the macro-laced Excel spreadsheet was used to load Cobalt Strike Beacon to facilitate further exploitation activity.
"These slight changes suggest that UAC-0057 may be attempting to evade detection, but prioritizes the continuity or development of its operations over stealth and sophistication," HarfangLab said.
Reported cyber attacks against Russia
The findings also follow Kaspersky's disclosure of Old Gremlin attacks on Russian companies in the first half of 2025, in which eight major domestic industrial enterprises were targeted using phishing email operations.
According to Kaspersky, the intrusions incorporate the use of Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security solutions on the victims' machines and of legitimate Node.js interpreters to execute malicious scripts.
Targeted phishing attacks in Russia have also distributed a new information stealer called Phantom Stealer, which is based on an open-source stealer codenamed Stealerium, to collect a wide range of sensitive information using adult-themed and payment-related email lures. It also shares overlaps with another Stealerium offshoot known as Warp Stealer.
According to F6, Phantom Stealer has also inherited Stealerium's "PornDetector" module, which captures webcam screenshots when users visit pornographic websites by monitoring the active browser window and checking whether its title includes any term from a configurable list such as porn and sex, among others.
"It is likely used for 'sextortion' later," Proofpoint said in its analysis of the malware. "While this feature is not novel among cybercrime malware, it is not often seen."
In recent months, Russian organizations have also been targeted in attacks mounted by groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf, which use malware families such as VBShower, PhantomRAT, and PhantomRShell to harvest sensitive information and deliver additional payloads.
Another cluster of activity involves a new Android malware that targets representatives of Russian businesses by posing as an antivirus tool created by Russia's Federal Security Service (FSB). The apps use names such as SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB, the last of which is an attempt to pass as the Central Bank of the Russian Federation.
First detected in January 2025, the malware exfiltrates data from messenger and browser apps, streams from the phone's camera, and captures SMS messages and keystrokes by requesting extensive permissions to access the camera, location, audio, and SMS. It also requests to run in the background, device administrator rights, and accessibility services.
"The app's interface offers only one language – Russian," Doctor Web said. "Thus, the malware is focused squarely on Russian users. The backdoor also uses accessibility services to protect itself from removal if it receives the corresponding command from the threat actors."