
Russian hackers turn Kazuar backdoor into modular P2P botnet

  • General

The Russian hacker group Secret Blizzard has evolved its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet built for sustained persistence, stealth, and data exfiltration.

Secret Blizzard, whose operations overlap with those tracked as Turla, Uroburos, and Venomous Bear, is linked to Russia's FSB and is known for targeting government, diplomatic, and defense organizations, as well as critical infrastructure across Europe, Asia, and Ukraine.

Kazuar has been publicly documented since 2017, though its code lineage dates back to at least 2005. Its operations have been attributed to the Turla espionage group, which works on behalf of the FSB. In 2020, researchers revealed that it was used in attacks against European government entities, and three years later it was observed in attacks on Ukraine.

"Leading" Kazuar

Microsoft researchers examined a newer Kazuar variant and found that the malware now operates as three separate modules: Kernel, Bridge, and Worker.

The Kernel module is the main coordinator: it handles task management, controls the other modules, selects a leader, and directs communications and data exchange throughout the botnet. The leader is typically a single compromised machine within an infected environment or network segment; it alone interacts with the command-and-control (C2) server, receives instructions, and distributes them to the other infected systems inside the network. Systems that are not the leader switch to "silent" mode and do not communicate directly with the C2, which improves stealth and shrinks the detection footprint.

"The Kernel leader is the elected Kernel module that communicates with the Bridge module on behalf of the other Kernel modules. This reduces visibility by preventing large amounts of external traffic from multiple infected hosts," Microsoft explains.

Leader selection is fully internal and autonomous, relying on factors such as uptime, reboot counts, and interruption counts.

The Bridge module serves as the external communications proxy, relaying traffic between the elected Kernel leader and the remote C2 infrastructure over protocols such as HTTP, WebSockets, or Exchange Web Services (EWS).

(Image: Microsoft)

Internal communications use Windows IPC mechanisms such as Windows Messaging, Mailslots, and named pipes, which blend in with ordinary system activity. Messages are serialized with Google Protocol Buffers (Protobuf) and encrypted with AES.

The Worker module carries out the core espionage tasks, including keylogging.
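The architecture described above (one leader talking to the C2, the rest of the infected hosts coordinating over named pipes and other local IPC) points to a host-side check a defender can run on Windows endpoints: baseline the named pipes that exist on a machine and see which processes are creating or connecting to pipes. The PowerShell below is an added example for this article; it is not code from BleepingComputer, Microsoft or the Kazuar report. It assumes Sysmon is installed with pipe events enabled (Event ID 17 PipeCreated and 18 PipeConnected), the baseline file path is a placeholder, and no Kazuar pipe names are used because the article publishes none. Windows Messaging and Mailslots have no comparable enumeration from this vantage point, so the example covers named pipes only.

```powershell
# Added example (not from the article or Microsoft's report).
# Assumptions: Windows host, PowerShell 5.1+, Sysmon installed with pipe events
# (ID 17 PipeCreated, ID 18 PipeConnected) enabled. Paths and time window are placeholders.

$BaselinePath = Join-Path $env:ProgramData 'pipe-baseline.txt'   # assumed location

function Get-NamedPipeList {
    # \\.\pipe\ is the Win32 namespace that lists every named pipe instance on the host.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_.Substring('\\.\pipe\'.Length) } |
        Sort-Object -Unique
}

function Compare-PipeBaseline {
    param([string]$Path)
    $current = Get-NamedPipeList
    if (-not (Test-Path $Path)) {
        # First run: record what "normal" looks like on this host.
        $current | Set-Content -Path $Path
        Write-Host "Baseline of $($current.Count) pipes written to $Path"
        return @()
    }
    $baseline = Get-Content -Path $Path
    # '=>' marks pipes present now but absent from the baseline.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object -ExpandProperty InputObject
}

function Get-SysmonPipeActivity {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 17, 18
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Read EventData fields by name rather than by position, which varies between Sysmon versions.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id            # 17 = pipe created, 18 = pipe connected
            Image     = $data['Image']
            PipeName  = $data['PipeName']
            ProcessId = $data['ProcessId']
        }
    }
}

$newPipes = Compare-PipeBaseline -Path $BaselinePath
if ($newPipes) {
    Write-Host 'Named pipes not in baseline:'
    $newPipes | ForEach-Object { Write-Host "  $_" }
}

# Summarize which images create or connect to which pipes over the window.
# A binary outside Program Files or Windows that creates pipes, and is also the
# host's only process with external connections, is worth a closer look.
Get-SysmonPipeActivity -Hours 24 |
    Group-Object Image, PipeName |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'Image';    Expression = { $_.Group[0].Image } },
        @{ Name = 'PipeName'; Expression = { $_.Group[0].PipeName } } |
    Format-Table -AutoSize
```

Run it once on a known-clean host to write the baseline, then on a schedule; treat new pipe names as leads, not verdicts, because legitimate software creates pipes with per-session names. Correlating the pipe-creating image with Sysmon network events (Event ID 3) is how you would test the "one leader talks out, the rest stay silent" pattern the article describes.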

  BleepingComputer
