The Russian state-backed hacking collective Turla has evolved its custom Kazuar backdoor into a modular, peer-to-peer (P2P) botnet designed for stealth and long-term access to compromised systems.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Turla is linked to Center 16 of Russia's Federal Security Service (FSB). Its activity overlaps with operations tracked by the wider cybersecurity community under the aliases ATG26, Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (previously Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, Waterbug, and WRAITH. The group is known for intrusions against government, diplomatic, and defense entities across Europe and Central Asia, as well as for taking over systems previously compromised by Aqua Blizzard (also known as Actinium and Gamaredon) to advance Kremlin strategic goals.

"This upgrade supports Secret Blizzard's overarching aim of establishing persistent access for long-term intelligence gathering," the Microsoft Threat Intelligence team stated in a report released Thursday. While many threat actors depend on greater use of native tools (living-off-the-land binaries, or LOLBins) to evade detection, Kazuar's evolution into a modular bot shows Secret Blizzard building resilience and stealth directly into its malware.

A prominent weapon in Turla's toolkit is Kazuar, an advanced .NET backdoor that has been in active use since 2017. Microsoft's latest research details its transformation from a "monolithic" framework into a modular bot ecosystem composed of three distinct component types, Kernel, Bridge, and Worker, each with a clearly defined role. These changes support adaptable setup, minimize visible traces, and allow tasks to be assigned flexibly across components.

[Figure: Overview of how the Kernel, Bridge, and Worker modules interact.]

Kazuar deployments have been observed using droppers such as Pelmeni and ShadowLoader to decrypt and execute the backdoor's modules.
The Hacker News