Russian hackers turn Kazuar backdoor into modular P2P botnet
Bill Toulas, May 16, 2026, 10:15 AM

The Russian hacker group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection.

Secret Blizzard, whose activity overlaps that of Turla, Uroburos, and Venomous Bear, has been associated with the Russian intelligence service (FSB) and is known for targeting government and diplomatic organizations, defense-related entities, and critical systems across Europe, Asia, and Ukraine.
The Kazuar malware has been documented since 2017, and researchers found that its code lineage goes as far back as 2005. Its activity has been linked to the Turla espionage group working for the FSB. In 2020, researchers exposed its deployment in attacks targeting European government organizations. Three years later, it was seen deployed in attacks against Ukraine.

“Leading” Kazuar

Microsoft researchers analyzed a recent variant of Kazuar and observed that the malware now operates using three distinct modules: kernel, bridge, and worker.
The Kernel module is the central coordinator that manages tasks, controls other modules, elects a leader, and orchestrates communications and data flow across the botnet. The leader is essentially one infected system within a compromised environment or network segment, which communicates with the command-and-control (C2) server, receives tasks, and forwards them internally to the other infected systems.
Non-leader systems enter “silent” mode and don’t communicate directly with the C2. This results in better stealth and a reduced detection surface.

“The Kernel leader is the one elected Kernel module that communicates with the Bridge module on behalf of the other Kernel modules, reducing visibility by avoiding large volumes of external traffic from multiple infected hosts,” explains Microsoft.

The process for selecting the leader is internal and autonomous, using uptime, reboot, and interruption counts.
The Bridge module acts as the external communications proxy that relays traffic between the elected Kernel leader and the remote C2 infrastructure using protocols like HTTP, WebSockets, or Exchange Web Services (EWS).

[Figure: Kazuar's internal communications diagram. Source: Microsoft]

Internal communications rely on IPC (inter-process communication), including Windows Messaging, Mailslots, and named pipes, blending well with normal operational noise.
The messages are AES-encrypted and serialized with Google Protocol Buffers (Protobuf).

The Worker module performs the actual espionage operations, such as:

- keylogging
- capturing screenshots
- harvesting data from the filesystem
- performing system and network reconnaissance
- collecting email/MAPI data (including Outlook downloads)
- monitoring windows
- stealing recent files

The collected data is encrypted, staged locally, and later exfiltrated through the Bridge module.
[Figure: Types of system info Kazuar collects. Source: Microsoft]

Microsoft underlines Kazuar's versatility: the malware now supports 150 configuration options that let operators enable or disable specific security bypasses, schedule tasks, control the timing of data theft and the size of exfiltration chunks, perform process injection, manage tasks and command execution, and more.

Regarding the security bypass options, Kazuar now offers Antimalware Scan Interface (AMSI) bypass, Event Tracing for Windows (ETW) bypass, and Windows Lockdown Policy (WLDP) bypass.
Secret Blizzard typically seeks long-term persistence on target systems for intelligence collection. The actor exfiltrates documents and email content of political importance.

Microsoft recommends that companies focus their defense on behavioral detection rather than static signatures, as Kazuar’s modular and highly configurable nature makes the threat particularly evasive.
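One behavioral angle that follows from the leader/silent-mode design described above is the traffic asymmetry it creates: the same program creates the same named pipe on several hosts, yet only one of those hosts (the elected leader, via the Bridge) ever reaches the Internet. The script below is an added example for hunting that pattern in endpoint telemetry; it is not Microsoft's detection logic or anything from the Kazuar analysis. It assumes Sysmon-style JSON events (Event ID 17 for named pipe creation, Event ID 3 for network connections, with `Computer`, `Image`, `PipeName`, `DestinationIp` fields), and the sample events, host names, image paths and pipe names are all constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like JSON shape (assumed field names;
# not real Kazuar indicators). EventID 17 = named pipe created, 3 = network connect.
UPD = "C:\\ProgramData\\updater\\upd.exe"        # hypothetical suspicious image
AGENT = "C:\\Program Files\\Backup\\agent.exe"    # hypothetical benign agent
SUSPECT_PIPE = "\\\\.\\pipe\\upd-sync-7f3a"       # constructed pipe name
BENIGN_PIPE = "\\\\.\\pipe\\backup-agent"          # constructed pipe name

SAMPLE_EVENTS = [json.dumps(e) for e in [
    # Four hosts run the same image and open the same pipe ...
    {"EventID": 17, "Computer": "ws-01", "Image": UPD, "PipeName": SUSPECT_PIPE},
    {"EventID": 17, "Computer": "ws-02", "Image": UPD, "PipeName": SUSPECT_PIPE},
    {"EventID": 17, "Computer": "ws-03", "Image": UPD, "PipeName": SUSPECT_PIPE},
    {"EventID": 17, "Computer": "ws-04", "Image": UPD, "PipeName": SUSPECT_PIPE},
    # ... but only ws-02 talks to the outside world (the "leader" pattern).
    {"EventID": 3, "Computer": "ws-02", "Image": UPD, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Internal SMB traffic from ws-01 is not egress and must not count.
    {"EventID": 3, "Computer": "ws-01", "Image": UPD, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    # A benign agent also shares a pipe name across hosts, but every host
    # reaches its cloud backend itself, so there is no silent majority.
    {"EventID": 17, "Computer": "ws-01", "Image": AGENT, "PipeName": BENIGN_PIPE},
    {"EventID": 17, "Computer": "ws-02", "Image": AGENT, "PipeName": BENIGN_PIPE},
    {"EventID": 17, "Computer": "ws-03", "Image": AGENT, "PipeName": BENIGN_PIPE},
    {"EventID": 17, "Computer": "ws-04", "Image": AGENT, "PipeName": BENIGN_PIPE},
    {"EventID": 3, "Computer": "ws-01", "Image": AGENT, "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws-02", "Image": AGENT, "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws-03", "Image": AGENT, "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws-04", "Image": AGENT, "DestinationIp": "198.51.100.20", "DestinationPort": 443},
]]

# Address ranges treated as "inside the network". Documentation ranges such as
# 203.0.113.0/24 deliberately count as external here so the sample data works.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True if the destination is outside the RFC 1918/loopback/link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(lines):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in lines]


def find_silent_clusters(events, min_hosts=3, max_egress_hosts=1):
    """Find (image, pipe) pairs seen on >= min_hosts hosts where at most
    max_egress_hosts of those hosts let that image reach the Internet.

    Returns a list of findings; each names the probable leader(s) and the
    hosts that stayed silent."""
    pipe_hosts = defaultdict(set)   # (image, pipe name) -> hosts that created it
    egress_hosts = defaultdict(set)  # image -> hosts where it made external connections
    for e in events:
        if e["EventID"] == 17:
            pipe_hosts[(e["Image"], e["PipeName"])].add(e["Computer"])
        elif e["EventID"] == 3 and is_external(e["DestinationIp"]):
            egress_hosts[e["Image"]].add(e["Computer"])

    findings = []
    for (image, pipe), hosts in pipe_hosts.items():
        talkers = hosts & egress_hosts.get(image, set())
        if len(hosts) >= min_hosts and len(talkers) <= max_egress_hosts:
            findings.append({
                "image": image,
                "pipe": pipe,
                "hosts": sorted(hosts),
                "probable_leader": sorted(talkers),
                "silent_hosts": sorted(hosts - talkers),
            })
    return findings


if __name__ == "__main__":
    for f in find_silent_clusters(parse_events(SAMPLE_EVENTS)):
        print(f"pipe {f['pipe']} from {f['image']} on {len(f['hosts'])} hosts; "
              f"leader {f['probable_leader']}, silent {f['silent_hosts']}")
```

The heuristic keys on the program image as well as the pipe name so that a legitimately shared pipe whose owning process also talks out from every host (the backup agent in the sample) is not flagged; in practice the thresholds and an allow-list of known agents would be tuned per environment, and a hit is a hunting lead to pivot on (process lineage, pipe peers, the leader's external destinations), not a verdict.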
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.