- The Russian state-sponsored group Turla (aka Secret Blizzard) has evolved its Kazuar malware into a modular, peer-to-peer botnet.
- This new architecture features three specialized modules—Kernel, Bridge, and Worker—for coordinated, stealthy intelligence collection.
- The botnet is designed for long-term persistence and targets government, diplomatic, and defense sectors in Europe and Central Asia.
- Kazuar uses sophisticated communication methods and a centralized on-disk staging area to minimize direct contact with command servers.
In a significant escalation of cyber espionage capabilities, the Russian hacking group Turla has transformed its custom backdoor into a sophisticated peer-to-peer botnet, according to a report published by the Microsoft Threat Intelligence team. The group, affiliated with Russia’s FSB, continues to target government and defense sectors across Europe and Central Asia to support Kremlin objectives.
Microsoft’s analysis shows Kazuar’s evolution from a monolithic tool into a modular ecosystem engineered for resilience. This upgrade aligns with the group’s broader objective of gaining long-term access for intelligence collection.
The new botnet architecture is built around three distinct component types. The first is the Kernel module, which acts as the central coordinator and leader.
The Bridge module functions as a proxy between the leader and the command-and-control server. Meanwhile, the Worker module is responsible for logging keystrokes and gathering sensitive system information.
Attacks distributing this malware typically rely on droppers like Pelmeni and ShadowLoader. These tools decrypt and launch the modular components onto compromised systems.
The Kernel module uses an election process to designate a single leader for communication. “Once a leader is elected, it announces itself as the leader and tells all other Kernel modules to set SILENT,” Microsoft explained.
Data collected by the Worker is aggregated, encrypted, and staged in a dedicated working directory. From there, it is exfiltrated to the command servers controlled by the attackers.
Microsoft noted that “Kazuar uses a dedicated working directory as a centralized on-disk staging area to support its internal operations.” This design allows the malware to maintain operational state across system restarts.
