The Russian hacker group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection.
Secret Blizzard, whose activity overlaps that of Turla, Uroburos, and Venomous Bear, has been associated with the Russian intelligence service (FSB) and is known for targeting government and diplomatic organizations, defense-related entities, and critical systems across Europe, Asia, and Ukraine.
The Kazuar malware has been documented since 2017, and researchers found that its code lineage goes as far back as 2005. Its activity has been linked to the Turla espionage group working for the FSB.
In 2020, researchers exposed its deployment in attacks targeting European government organizations. Three years later, it was seen deployed in attacks against Ukraine.
“Leading” Kazuar
Microsoft researchers analyzed a recent variant of Kazuar and observed that the malware now operates using three distinct modules: kernel, bridge, and worker.
The Kernel module is the central coordinator that manages tasks, controls other modules, elects a leader, and orchestrates communications and data flow across the botnet.
The leader is essentially one infected system within a compromised environment or network segment, which communicates with the command-and-control (C2) server, receives tasks, and forwards them internally to the other infected systems.
Non-leader systems enter “silent” mode and don’t communicate directly with the C2. This results in better stealth and reduced detection surface.
“The Kernel leader is the one elected Kernel module that communicates with the Bridge module on behalf of the other Kernel modules, reducing visibility by avoiding large volumes of external traffic from multiple infected hosts,” explains Microsoft.
The process for selecting the leader is internal and autonomous, using uptime, reboot, and interruption counts.
The Bridge module acts as the external communications proxy that relays traffic between the elected Kernel leader and the remote C2 infrastructure using protocols like HTTP, WebSockets, or Exchange Web Services (EWS).
Source: Microsoft
Internal communications rely on IPC (inter-process communication), including Windows Messaging, Mailslots, and named pipes, blending well with normal operational noise. The messages are AES-encrypted and serialized with Google Protocol Buffers (Protobuf).
The Worker module performs the actual espionage operations, such as:
- keylogging
- capturing screenshots
- harvesting data from the filesystem
- performing system and network reconnaissance
- collecting email/MAPI data (including Outlook downloads)
- monitoring windows
- stealing recent files
The collected data is encrypted, staged locally, and later exfiltrated through the Bridge module.
Source: Microsoft
Microsoft underlines Kazuar’s versatility, which now supports 150 configuration options allowing operators to enable/disable specific security bypasses, perform task scheduling, time the data theft and size of exfiltration chunks, perform process injection, manage tasks and command execution, and more.
Regarding the security bypass options, Kazuar now offers Antimalware Scan Interface (AMSI) bypass, Event Tracing for Windows (ETW) bypass, and Windows Lockdown Policy (WLDP) bypass.
Secret Blizzard typically seeks long-term persistence on target systems for intelligence collections. The actor exfiltrates documents and email content that has political importance.
Microsoft recommends that companies focus their defense on behavioral detection rather than static signatures, as Kazuar’s modular and highly configurable nature makes the threat particularly evasive.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
