Ravie Lakshmanan | May 15, 2026 | Botnet / Threat Intelligence

The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that’s engineered for stealth and persistent access to compromised hosts.

Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia’s Federal Security Service (FSB). It overlaps with activity traced by the broader cybersecurity community under the names ATG26, Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, Waterbug, and WRAITH.

The hacking group is known for its attacks targeting government, diplomatic, and defense sectors in Europe and Central Asia, as well as endpoints previously breached by Aqua Blizzard (aka Actinium and Gamaredon) to support the Kremlin’s strategic objectives.

“This upgrade aligns with Secret Blizzard’s broader objective of gaining long-term access to systems for intelligence collection,” the Microsoft Threat Intelligence team said in a report published Thursday. “While many threat actors rely on increasing usage of native tools (living-off-the-land binaries (LOLBins)) to avoid detection, Kazuar’s progression into a modular bot highlights how Secret Blizzard is engineering resilience and stealth directly into their tooling.”

A key tool in Turla’s arsenal is Kazuar, a sophisticated .NET backdoor that has been consistently put to use since 2017. The latest findings from Microsoft chart its evolution from a “monolithic” framework into a modular bot ecosystem featuring three distinct component types, each with its own well-defined role. These changes enable flexible configuration, reduce observable footprint, and facilitate broad tasking.

Overview of Kernel, Bridge, and Worker module interactions

Attacks distributing the malware have been found to rely on droppers like Pelmeni and ShadowLoader to decrypt and launch the modules. The three module types that form the foundation for Kazuar’s architecture are listed below –

  • Kernel, which acts as the central coordinator for the botnet by issuing tasks to Worker modules, manages communication with the Bridge module, maintains logs of actions and collected data, performs anti-analysis and sandbox checks, and sets up the environment by means of a configuration that specifies various parameters related to command-and-control (C2) communication, data exfiltration timing, task management, file scanning and collection, and monitoring.
  • Bridge, which acts as a proxy between the leader Kernel module and the C2 server.
  • Worker, which logs keystrokes, hooks Windows events, tracks tasks, and gathers system information, file listings, and Messaging Application Programming Interface (MAPI) details.

The Kernel module type exposes three…



Last Update: May 15, 2026