INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Kazuar Botnet Evolved into Modular P2P Tool
2026-05-16 14:15 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The Kazuar malware, linked to the Russian state-backed group Secret Blizzard, has evolved from a traditional backdoor into a sophisticated modular peer-to-peer botnet designed for stealth and persistent access. This highly adaptable tool enables long-term espionage operations across Europe and Central Asia, targeting government, diplomatic, and strategic organizations. Researchers warn defenders should focus on understanding Kazuar's behaviors to stay ahead of its capabilities, including leader election, inter-process communication, staged working directories, and periodic data exfiltration.
Technical Mitigations (AI-generated)
* Use of modular peer-to-peer (P2P) botnet architecture: Kazuar's modular design allows for seamless communication and task distribution between infected systems, making it more difficult to detect and disrupt.
* Reduced visibility through one elected node: The use of a single elected leader node minimizes suspicious network activity by allowing only one node to communicate externally while other nodes exchange data internally.
* Flexibility in task execution and fallback command-and-control channels: Kazuar's flexible module design enables the attackers to maintain access even when parts of their infrastructure are disrupted, making it harder for defenders to detect and disrupt the botnet.
* Use of lightweight .NET loaders and droppers: The malware uses lightweight .NET loaders that execute Kazuar modules directly in memory to reduce detection, while also spreading through multiple delivery chains including droppers that decrypt payloads only on targeted systems.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Turla, Snake, Uroburos, Kazuar
Target & Sectors: MIDDLE_EAST, CENTRAL_ASIA, LATAM, EUROPE
Incident Timeline
May 15, 2026
The Russian state-sponsored hacking group Turla transformed its Kazuar backdoor into a modular peer-to-peer botnet.
source_region: Russian Federation; tactic: Botnet; malware: Kazuar; threat_actor: Turla; tactic: T1584.005 - Botnet
Ravie Lakshmanan, May 15, 2026, Botnet / Threat Intelligence
The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts.
2026/05/16
Kazuar, a sophisticated .NET backdoor developed by Russian hacker group Secret Blizzard, has been upgraded into a modular peer-to-peer botnet designed for stealth and persistent access to infected systems.
threat_actor: Turla
Secret Blizzard, whose activity overlaps that of Turla, Uroburos, and Venomous Bear, has been associated with the Russian intelligence service (FSB) and is known for targeting government and diplomatic organizations, defense-related entities, and critical systems across Europe, Asia, and Ukraine.
Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems.
Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent access to infected systems.
Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access
Unlike many attackers that increasingly rely on legitimate system tools to evade detection, Turla has focused on building stealth and flexibility directly into Kazuar’s architecture.
"A key tool in Turla's arsenal is Kazuar, a sophisticated .NET backdoor that has been consistently put to use since 2017."
The Turla APT group (aka Secret Blizzard, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
Its activity has been linked to the Turla espionage group working for the FSB.
Pierluigi Paganini (SecurityAffairs – hacking, Turla)
Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB).
organisation: Kernel
The Kernel module is the central coordinator that manages tasks, controls other modules, elects a leader, and orchestrates communications and data flow across the botnet.
The Kernel acts as the command center, coordinating operations, distributing work, and performing anti-analysis checks before the malware fully activates.
The Kernel module type exposes three internal communication mechanisms (via Windows Messaging, Mailslot, and named pipes) and three different methods for contacting attacker-controlled infrastructure (via Exchange Web Services, HTTP, and WebSockets).
infrastructure: Windows
Kazuar's internal communications diagram (Source: Microsoft)
Internal communications rely on IPC (inter-process communication), including Windows Messaging, Mailslots, and named pipes, blending well with normal operational noise.
Regarding the security bypass options, Kazuar now offers Antimalware Scan Interface (AMSI) bypass, Event Tracing for Windows (ETW) bypass, and Windows Lockdown Policy (WLDP) bypass.
The Worker module performs the actual espionage operations, such as:
keylogging
capturing screenshots
harvesting data from the filesystem
performing system and network reconnaissance
collecting email/MAPI data (including Outlook downloads)
monitoring windows
stealing recent files
The collected data is encrypted, staged locally, and later exfiltrated through the Bridge module.
Worker, which logs keystrokes, hooks Windows events, tracks tasks, and gathers system information, file listings, and Messaging Application Programming Interface (MAPI) details.
"Another function of the module is to initiate various threads to set up a named pipe channel between Kernel modules for inter-Kernel communications, specify an external communication method, as well as facilitate Kernel-to-Worker and Kernel-to-Bridge communication over Windows messaging or Mailslot."
organisation: Microsoft
“Leading” Kazuar
Microsoft researchers analyzed a recent variant of Kazuar and observed that the malware now operates using three distinct modules: kernel, bridge, and worker.
Microsoft researchers say the malware allows attackers to maintain long-term control while making detection and disruption more difficult.
The latest findings from Microsoft chart its evolution from a "monolithic" framework into a modular bot ecosystem featuring three distinct component types, each with its own well-defined role.
organisation: kernel, bridge
Microsoft researchers say the malware now uses separate Kernel, Bridge, and Worker modules to distribute tasks, reduce visibility, and maintain persistent access inside compromised environments.
organisation: USB, Outlook, DNS
Kazuar can collect details about installed software, security products, network activity, USB devices, running processes, user accounts, browser activity, Outlook data, DNS cache, PowerShell versions, and even screenshots taken automatically or on demand.
organisation: Venomous Bear
It overlaps with activity traced by the broader cybersecurity community under the names ATG26, Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, Waterbug, and WRAITH.
organisation: WebSockets
The Bridge module acts as the external communications proxy that relays traffic between the elected Kernel leader and the remote C2 infrastructure using protocols like HTTP, WebSockets, or Exchange Web Services (EWS).
The malware supports multiple fallback communication methods, including HTTP, WebSockets, and Exchange Web Services, helping it survive infrastructure disruptions.
organisation: Worker
Overview of Kernel, Bridge, and Worker module interactions
Attacks distributing the malware have been found to rely on droppers like Pelmeni and ShadowLoader to decrypt and launch the modules.
organisation: AES, Google Protocol Buffers
The messages are AES-encrypted and serialized with Google Protocol Buffers (Protobuf).
The malware uses structured message packets built with Google Protocol Buffers (Protobuf) to allow modules to exchange commands, task data, and operational information efficiently.
organisation: node
To reduce visibility, only one elected “leader” node communicates externally with the command-and-control infrastructure while other infected systems remain in silent mode and communicate internally through encrypted peer-to-peer channels.
organisation: Mailslot
How the Kernel leader coordinates Worker tasking and uses the Bridge
"Elections occur over Mailslot, and the leader is elected based on the amount of work (length of time the Kernel module has been running) divided by interrupts (reboots, logoffs, process terminated)," Microsoft explained.
organisation: SILENT
"Once a leader is elected, it announces itself as the leader and tells all other Kernel modules to set SILENT."
Intelligence Sources
The Hacker News, 2026-05-15
Security Affairs, 2026-05-16
BleepingComputer, 2026-05-16: "Russian hackers turn Kazuar backdoor into modular P2P botnet"
Incident Version History: current version, last updated 2026-05-17T06:04
Comprehensive Tactical Telemetry
Highly Correlated Entities (count | category | role | value | type)
28x | organisation | Identified Entity | FSB | entity
7x | attribution | Attributing Entity | Venomous Bear | authority
5x | tactic | Cyber Operation Type | Botnet | tactic
4x | target region | Target Region | EUROPE | region
4x | timeline | Temporal Reference | 2017 | date
4x | tactic | MITRE ATT&CK Technique | T1584.006 - Web Services | technique
3x | malware | Malware Payload | Kazuar | tool
2x | source region | Origin Country | Russian Federation | country
2x | target region | Target Country | Ukraine | country
2x | source region | Origin Region | EUROPE | region
Contextual Telemetry: Context Block, 5 metrics (category | role | value | type)
threat actor | APT Group | Turla | actor
infrastructure | Affected Product | Windows | software
general metric | Configuration Options | 150 | configuration options
general metric | Surfaces | 6 | surfaces
general metric | Center | 16 | center