en.Wedoany.com Reported - Microsoft's Threat Intelligence team released an in-depth analysis report on May 15, revealing that the Russian state-sponsored hacking group Turla has completely rebuilt its signature .NET backdoor, Kazuar, into a highly modular peer-to-peer botnet. According to a previous assessment by the U.S. Cybersecurity and Infrastructure Security Agency, Turla is affiliated with Center 16 of Russia's Federal Security Service (FSB). Its activities are continuously tracked by the cybersecurity community under multiple designations, including Secret Blizzard (formerly Krypton), ATG26, Waterbug, and Uroburos. This architectural upgrade marks the group's shift from a traditional model relying on a single backdoor communication channel to building a layered covert network featuring internal division of labor, redundant channels, and anti-analysis capabilities.
The Microsoft report indicates that Kazuar has continuously evolved over the past decade, and the latest version has completely abandoned the monolithic architecture used for years, adopting a P2P network with three collaborating modules—Kernel, Bridge, and Worker—each performing distinct roles. The Kernel module is the system's core decision-making unit, responsible for issuing tasks to Workers, managing logs, performing anti-sandbox and anti-analysis checks, and setting parameters such as C2 communication protocols, data exfiltration timing, and file scanning scope via configuration files. This module uses three mechanisms for internal networking communication: Windows Messaging, Mailslots, and Named Pipes, and establishes connections with external C2 servers through three methods: Exchange Web Services, HTTP, and WebSockets.
Within the overall architecture, the Kernel also undertakes a key function: an election mechanism. The Microsoft report describes that all Kernel instances automatically elect a "Leader" based on runtime and performance metrics. Only this Leader has the authority to communicate directly with the Bridge module, while the remaining Kernels stay silent. This design significantly reduces the anomalous traffic generated by the botnet within the infected network, making it harder for traditional traffic-pattern-based detection methods to map the entire network. The Bridge module acts as a proxy layer, responsible for relaying all communications between the Leader Kernel and the C2 server, ensuring that other internal nodes are never exposed to the external network and further severing the path by which traffic could be traced back to them. The Worker module handles specific endpoint operational tasks, including keylogging, Windows event hooking, system information gathering, MAPI email client data extraction, and file directory enumeration, and also acts as the collection arm that funnels stolen information into a designated working directory. All modules are deployed and loaded into memory by a common downloader; a complete botnet requires all three components to be deployed on the same host to form a minimum functional unit.
Data theft and persistence mechanisms are also core highlights of this upgrade. The Microsoft report discloses that the various types of data collected by the Worker module from endpoints are encrypted and stored in a designated disk staging area, which serves as a unified data buffer retained by Kazuar on the infected host. In actual operation, only the elected Leader Kernel has permission to extract data from the staging area and orchestrate exfiltration plans, while other nodes only perform collection without sending data out, thus concentrating anomalous traffic at a single egress point. Kazuar also features a configurable exfiltration cycle mechanism, allowing data to be sent in batches according to preset time windows rather than in real time. Microsoft describes this as a scheduling logic of "trading time for security," completely decoupling data collection from exfiltration in the task cycle. Attackers can adjust the data sending rhythm to the defensive posture of the target environment, significantly reducing the probability of detection by behavioral analysis and anomalous traffic monitoring. The staging area also serves as a checkpoint for task recovery; even if the system restarts or is disconnected for an extended period, task records and already collected data can be recovered and execution can continue.
The delivery of attack payloads also demonstrates a multi-layered concealment strategy. Early Kazuar variants relied on custom binary payload delivery, whereas the current attack chain has evolved to use a combination of three mechanisms: VBScript scripts, system-level loaders, and COM component hijacking. The Kazuar v3 loader disclosed by Microsoft specifically performs patchless bypasses of Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI), and the attack chain embeds malicious logic into trusted processes for execution by hijacking the COM subsystem, without making substantial modifications to system files throughout the process. In terms of delivery paths, Turla has repeatedly leveraged the initial intrusion results of another Russian APT group, Gamaredon, for secondary access. After Gamaredon obtains an initial entry point through high-noise, wide-ranging attack methods, Turla precisely screens high-value targets among them and deploys Kazuar, forming an engineered attack collaboration chain of "large-scale contamination, then precise harvesting" between the two teams.
Turla's attack activities can be traced back to at least 2008, and Kazuar, since its first appearance in 2017, has been the group's core tool in medium-to-long-term penetration missions. The Microsoft report explicitly states that Turla's primary attack targets are concentrated in the government, diplomatic, and defense sectors of Europe, Central Asia, and Ukraine, with its operations serving the strategic intelligence collection mission of Russia's FSB. Notably, previous joint public statements by the UK's National Cyber Security Centre and the U.S. National Security Agency also confirmed that Turla had infiltrated the infrastructure of the Iranian APT34 group, using its C2 system to conduct "hijack-style" penetration against Iranian attack targets. This operation is extremely rare in the APT domain, using a third party's spy tools as a springboard to shift attribution clues to another nation's threat actor, reflecting Turla's exceptional maturity in operational security design and geopolitical cover.
A security advisory released by Symantec on the same day incorporated Kazuar's signature rules into the detection capabilities of its entire product line, forming multi-layered interception through a hybrid model of machine learning behavioral analysis, reputation scanning, and traditional signatures. An operational security recommendation published by IBM X-Force advises defenders to look beyond single-sample detection perspectives and instead focus on behavioral anomalies such as election communications, internal message routing, and periodic data staging, checking the network for internal networking message traffic between Kernels. Microsoft also published the hashes for the Kazuar loader and its three modules for security teams to perform IoC matching. The Microsoft report concludes by pointing out that Kazuar's modular P2P transformation is not an isolated technical iteration but a concentrated demonstration of Turla's engineered concealment capabilities—the group no longer relies on passive concealment methods akin to "living off the land," but directly embeds resilience, redundancy, and long-term persistence capabilities into the foundational architecture of its attack tools.
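As an added detection example (not code from the Microsoft, Symantec or IBM X-Force material), the following Python script scores outbound connection records for the two traits the article attributes to Kazuar's exfiltration: batches sent on a fixed cycle, and a single internal host acting as the only egress toward a given destination. The event records, hostnames and destination addresses are constructed sample data, and the thresholds are illustrative.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress records: (unix_ts, internal_host, external_dst, bytes_out).
# WS01 sends one batch every 3600 s to one destination (the cadence to look for),
# WS02 browses irregularly, WS03 has too few events to judge.
SAMPLE_EVENTS = [
    (1700000000, "WS01", "203.0.113.10", 48_000),
    (1700003600, "WS01", "203.0.113.10", 51_000),
    (1700007200, "WS01", "203.0.113.10", 47_500),
    (1700010800, "WS01", "203.0.113.10", 52_000),
    (1700014400, "WS01", "203.0.113.10", 49_000),
    (1700000010, "WS02", "198.51.100.5", 1_200),
    (1700000400, "WS02", "198.51.100.5", 800),
    (1700002900, "WS02", "198.51.100.5", 3_000),
    (1700003000, "WS02", "198.51.100.5", 900),
    (1700009000, "WS02", "198.51.100.5", 1_100),
    (1700001000, "WS03", "203.0.113.77", 5_000),
    (1700004600, "WS03", "203.0.113.77", 5_100),
]

def group_flows(events):
    """Map (host, dst) -> sorted timestamps of that host's sends to dst."""
    flows = defaultdict(list)
    for ts, host, dst, _ in events:
        flows[(host, dst)].append(ts)
    return {k: sorted(v) for k, v in flows.items()}

def cadence(timestamps):
    """Return (mean gap, coefficient of variation); cv near 0 means a fixed interval."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if not gaps:
        return 0, float("inf")
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def find_periodic_egress(events, min_batches=4, max_cv=0.15):
    """Flag flows with >= min_batches sends at a regular interval whose destination
    is contacted by exactly one internal host (the single-egress pattern)."""
    flows = group_flows(events)
    hosts_per_dst = defaultdict(set)
    for host, dst in flows:
        hosts_per_dst[dst].add(host)
    hits = []
    for (host, dst), stamps in flows.items():
        if len(stamps) < min_batches:
            continue
        interval, cv = cadence(stamps)
        if cv <= max_cv and len(hosts_per_dst[dst]) == 1:
            hits.append({"host": host, "dst": dst, "batches": len(stamps),
                         "interval_s": interval, "cv": round(cv, 3)})
    return hits
```

In practice the records come from a proxy or flow export and the thresholds are tuned against a baseline; the host-side Mailslot and Named Pipe traffic between Kernels needs endpoint telemetry and is not covered here.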
This article is compiled by Wedoany. All AI citations must indicate the source as "Wedoany". If there is any infringement or other issues, please notify us promptly, and we will modify or delete it accordingly. Email: news@wedoany.com