VYPR
Research · Published May 15, 2026 · Updated May 25, 2026 · 3 sources

Russian Intelligence Hackers Upgrade Kazuar Backdoor to Modular P2P Botnet

Russian state-sponsored threat actor Secret Blizzard has evolved its long-standing Kazuar backdoor into a modular P2P botnet, enhancing its ability to conduct stealthy, long-term espionage against government and defense targets.

The Russian state-sponsored hacking group known as Secret Blizzard—also tracked as Turla, Uroburos, and Venomous Bear—has significantly upgraded its long-running Kazuar backdoor into a sophisticated, modular peer-to-peer (P2P) botnet. This evolution marks a shift from a monolithic framework to a highly resilient architecture designed to maintain long-term persistence and stealth within compromised government, diplomatic, and defense networks (BleepingComputer, The Hacker News).

The updated Kazuar architecture relies on three distinct components: Kernel, Bridge, and Worker modules. The Kernel module serves as the central coordinator, managing task distribution and performing anti-analysis checks. Within an infected environment, the Kernel modules autonomously elect a single "leader" based on system uptime and interruption counts. This leader is the only node permitted to communicate externally, while all other infected systems remain in a "silent" mode, significantly reducing the botnet's network footprint and detection surface (BleepingComputer, The Hacker News).

The Bridge module functions as a proxy, facilitating communication between the elected leader and the remote command-and-control (C2) infrastructure. It supports multiple protocols, including HTTP, WebSockets, and Exchange Web Services (EWS). Meanwhile, the Worker module handles the primary espionage activities, such as keylogging, capturing screenshots, harvesting filesystem data, and extracting email information via MAPI. Internal communication between these modules is encrypted using AES and serialized with Google Protocol Buffers, utilizing Windows Messaging, Mailslots, and named pipes to blend in with legitimate system traffic (BleepingComputer, The Hacker News).

Kazuar's versatility is bolstered by over 150 configuration options, allowing operators to fine-tune data exfiltration, task scheduling, and process injection. Notably, the malware includes advanced security bypass capabilities, specifically targeting the Antimalware Scan Interface (AMSI), Event Tracing for Windows (ETW), and Windows Lockdown Policy (WLDP). The malware is typically deployed using droppers such as Pelmeni and ShadowLoader (BleepingComputer, The Hacker News).

Secret Blizzard, which is assessed by CISA to be affiliated with Center 16 of Russia's Federal Security Service (FSB), has used Kazuar in various forms since 2017, with code lineage tracing back to 2005. The group has historically targeted entities across Europe, Asia, and Ukraine. Microsoft researchers emphasize that because of the malware's modular and highly configurable nature, organizations should prioritize behavioral detection over static signatures to identify the presence of this persistent threat (BleepingComputer, The Hacker News).

This development highlights a broader trend among state-sponsored actors who are increasingly engineering resilience and stealth directly into their custom tooling. By moving away from reliance on native "living-off-the-land" binaries, groups like Secret Blizzard are creating more complex, autonomous ecosystems that are harder to disrupt. Security teams should monitor for anomalous inter-process communication and unusual EWS or WebSocket traffic as potential indicators of Kazuar activity.

New analysis from PolySwarm, shared exclusively with Cyber Security News, reveals that Kazuar's modular architecture now comprises three distinct component types—Kernel, Bridge, and Worker—with a leadership election model that designates a single active Kernel across all infected systems to minimize outbound traffic. The malware supports roughly 150 configuration options and is delivered via the Pelmeni dropper, which can cryptographically bind the payload to the target's hostname, or through a lightweight .NET loader that executes entirely in memory. Researchers emphasize that detection requires monitoring behavioral patterns such as IPC coordination and encrypted exfiltration at irregular intervals, as single-signature tools are likely to miss the distributed threat.
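As an added example, not part of the article and not any vendor's or researcher's tooling, the Python below sketches the behavioral triage the researchers recommend: it runs over constructed Sysmon-style named-pipe events and constructed proxy log lines (simplified field layouts, not the real Sysmon or proxy schema) and flags named-pipe activity by processes outside an assumed baseline, the same unusual pipe name recurring across several hosts, and EWS calls or WebSocket upgrades from processes that are not expected to make them. Host names, process names, pipe names, thresholds and baselines are all constructed assumptions, not indicators taken from the article.

```python
"""Behavioral triage for the patterns described above (added example).

All telemetry below is constructed; field layouts are simplified
assumptions rather than the exact Sysmon or proxy schema.
"""
import re
from collections import defaultdict

# Assumed baselines (tune per environment); none of these come from the article.
PIPE_BASELINE = {"svchost.exe", "lsass.exe", "spoolsv.exe", "msmpeng.exe"}
EWS_BASELINE = {"outlook.exe"}
WS_BASELINE = {"chrome.exe", "msedge.exe", "teams.exe"}

# Constructed Sysmon-like records: event_id 17 = pipe created, 18 = pipe connected.
SAMPLE_PIPE_EVENTS = [
    {"host": "ws01", "event_id": 17, "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\srvsvc"},
    {"host": "ws01", "event_id": 17, "image": r"C:\Windows\System32\spoolsv.exe", "pipe": r"\spoolss"},
    {"host": "ws01", "event_id": 17, "image": r"C:\Users\a\AppData\Roaming\upd\helper.exe", "pipe": r"\sync-7f2a"},
    {"host": "ws02", "event_id": 18, "image": r"C:\Users\b\AppData\Roaming\upd\helper.exe", "pipe": r"\sync-7f2a"},
    {"host": "ws03", "event_id": 17, "image": r"C:\Users\c\AppData\Roaming\upd\helper.exe", "pipe": r"\sync-7f2a"},
]

# Constructed proxy lines: "<timestamp> <host> <process> <method> <url> <status> <bytes_out>"
SAMPLE_PROXY_LINES = """\
2026-05-20T08:00:01Z ws01 outlook.exe POST https://mail.example.test/EWS/Exchange.asmx 200 1820
2026-05-20T08:00:09Z ws01 helper.exe POST https://mail.example.test/EWS/Exchange.asmx 200 91204
2026-05-20T08:31:42Z ws01 helper.exe GET wss://cdn-sync.example.test/ws 101 0
2026-05-20T09:47:13Z ws01 helper.exe POST https://mail.example.test/EWS/Exchange.asmx 200 77312
2026-05-20T09:50:00Z ws02 outlook.exe POST https://mail.example.test/EWS/Exchange.asmx 200 2040
2026-05-20T10:02:55Z ws03 chrome.exe GET wss://meet.example.test/socket 101 0
"""


def _basename(image):
    """Lower-cased file name from a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_pipes(events, baseline=PIPE_BASELINE, host_threshold=3):
    """Flag pipe activity by non-baseline processes and, across hosts, the
    same unusual pipe name recurring (one tool deployed widely)."""
    findings = []
    hosts_by_pipe = defaultdict(set)
    for ev in events:
        proc = _basename(ev["image"])
        if proc in baseline:
            continue
        action = "created" if ev["event_id"] == 17 else "connected to"
        findings.append(f"{ev['host']}: {proc} {action} pipe {ev['pipe']}")
        hosts_by_pipe[ev["pipe"]].add(ev["host"])
    for pipe, hosts in sorted(hosts_by_pipe.items()):
        if len(hosts) >= host_threshold:  # threshold is an assumption
            findings.append(
                f"pipe {pipe} seen from non-baseline processes on "
                f"{len(hosts)} hosts: {sorted(hosts)}")
    return findings


PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_proxy(text):
    """Parse the constructed proxy format; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, host, proc, method, url, status, out = m.groups()
        rows.append({"ts": ts, "host": host, "proc": proc.lower(), "method": method,
                     "url": url, "status": int(status), "bytes_out": int(out)})
    return rows


def triage_proxy(rows, ews_baseline=EWS_BASELINE, ws_baseline=WS_BASELINE):
    """Flag EWS calls and WebSocket upgrades (HTTP 101) from unexpected processes."""
    findings = []
    for r in rows:
        if "/ews/exchange.asmx" in r["url"].lower() and r["proc"] not in ews_baseline:
            findings.append(f"{r['host']}: {r['proc']} posted {r['bytes_out']} bytes to EWS")
        if r["status"] == 101 and r["url"].startswith("wss://") and r["proc"] not in ws_baseline:
            findings.append(f"{r['host']}: {r['proc']} opened a WebSocket to {r['url']}")
    return findings


if __name__ == "__main__":
    for finding in triage_pipes(SAMPLE_PIPE_EVENTS) + triage_proxy(parse_proxy(SAMPLE_PROXY_LINES)):
        print(finding)
```

The two triage functions are deliberately baseline-driven rather than signature-driven: a renamed binary or a new pipe name still trips them because what is scored is who performs the action, not a fixed string. The cross-host check is the part that speaks to the P2P design: a single unusual pipe on one host is a low-confidence lead, but the same unusual pipe on several hosts, each driven by a non-baseline process, is the kind of coordinated IPC the researchers describe and deserves escalation.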

Synthesized by Vypr AI