A Russian state-linked cyber-espionage group, tracked as Secret Blizzard, Turla, Uroburos, and Venomous Bear, has upgraded its Kazuar malware, transforming the backdoor into a modular peer-to-peer (P2P) botnet designed for stealth, persistence, and intelligence collection.
The threat actor has been linked to Russia’s Federal Security Service (FSB). The group has historically targeted government agencies, diplomatic missions, defense organizations, and critical infrastructure across Europe, Asia, and Ukraine. First documented in 2017, Kazuar reportedly dates back to 2005. The malware has previously been used in espionage campaigns against European government institutions and later in cyberattacks targeting Ukraine.
According to recent analysis by Microsoft researchers, the latest Kazuar variant now consists of three interconnected modules: Kernel, Bridge, and Worker. The Kernel module serves as the botnet’s command coordinator, managing tasks, controlling other modules, and directing communications throughout the network. Only the elected “leader” system communicates externally with command-and-control (C&C) infrastructure, while other infected devices remain in a silent state, reducing the malware’s detection footprint.
The Bridge module acts as a communications proxy, relaying encrypted traffic between the leader node and remote C&C servers using HTTP, WebSockets, and Exchange Web Services (EWS). Kazuar uses Windows-native inter-process communication methods such as named pipes, Mailslots, and Windows Messaging to blend into normal system activity.
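The architecture described above gives defenders a fleet-level signal: many hosts sharing the same unusual named-pipe activity while only one of them (the elected leader) reaches out over EWS or WebSockets. The following script is an added example, not code from the article or from Microsoft's analysis; it correlates constructed, Sysmon-style named-pipe events with constructed proxy log lines to surface that "one talker, many silent peers" pattern. The key=value log format, host names, pipe names, URLs and the `updsvc.exe` image are all invented for the example, and the thresholds are assumptions to tune per environment.

```python
"""Flag a 'single leader, many silent peers' pattern across endpoint telemetry.

Added example (not from the article). Inputs are constructed samples in a
simple key=value format, not real Sysmon or proxy output.
"""
import re
from collections import defaultdict

# Constructed named-pipe creation events. The pipe "\\.\pipe\updsvc-7f3a"
# and the image "updsvc.exe" are invented for this example.
PIPE_EVENTS = [
    r"host=WS-01 image=C:\Windows\explorer.exe pipe=\\.\pipe\chrome.sync.1234",
    r"host=WS-01 image=C:\Users\a\AppData\Local\updsvc.exe pipe=\\.\pipe\updsvc-7f3a",
    r"host=WS-02 image=C:\Users\b\AppData\Local\updsvc.exe pipe=\\.\pipe\updsvc-7f3a",
    r"host=WS-03 image=C:\Users\c\AppData\Local\updsvc.exe pipe=\\.\pipe\updsvc-7f3a",
    r"host=WS-04 image=C:\Users\d\AppData\Local\updsvc.exe pipe=\\.\pipe\updsvc-7f3a",
    r"host=WS-02 image=C:\Windows\System32\svchost.exe pipe=\\.\pipe\lsass",
]

# Constructed proxy log lines. Only WS-03 talks to an EWS endpoint and a
# WebSocket endpoint; the other pipe hosts make no matching outbound request.
PROXY_LOG = [
    "host=WS-03 method=POST url=https://mail.corp.invalid/EWS/Exchange.asmx bytes=4120",
    "host=WS-03 method=GET url=wss://cdn.corp.invalid/socket bytes=800",
    "host=WS-05 method=GET url=https://www.example.invalid/ bytes=120",
    "host=WS-03 method=POST url=https://mail.corp.invalid/EWS/Exchange.asmx bytes=3900",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# External channels named in the article: Exchange Web Services and WebSockets.
# (Plain HTTP is also used, but is too common to key on by itself.)
EXTERNAL_CHANNELS = (
    re.compile(r"/EWS/Exchange\.asmx", re.I),
    re.compile(r"^wss?://", re.I),
)


def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict (assumed log format)."""
    return dict(KV_RE.findall(line))


def shared_pipes(pipe_events, min_hosts=3):
    """Return pipe names seen on at least min_hosts distinct hosts."""
    hosts_by_pipe = defaultdict(set)
    for line in pipe_events:
        ev = parse_kv(line)
        hosts_by_pipe[ev["pipe"]].add(ev["host"])
    return {p: h for p, h in hosts_by_pipe.items() if len(h) >= min_hosts}


def hosts_using_external_channels(proxy_log):
    """Hosts with at least one EWS or WebSocket request in the proxy log."""
    hosts = set()
    for line in proxy_log:
        ev = parse_kv(line)
        if any(rx.search(ev["url"]) for rx in EXTERNAL_CHANNELS):
            hosts.add(ev["host"])
    return hosts


def find_leader_pattern(pipe_events, proxy_log, min_hosts=3):
    """For each widely shared pipe, split its hosts into leader candidates
    (those also reaching an external channel) and silent peers.

    A finding is raised only when the shared pipe has at least one talker
    and the silent peers are at least as numerous as the talkers, which is
    the shape the article attributes to the Kazuar botnet.
    """
    talkers = hosts_using_external_channels(proxy_log)
    findings = {}
    for pipe, hosts in shared_pipes(pipe_events, min_hosts).items():
        leaders = sorted(hosts & talkers)
        silent = sorted(hosts - talkers)
        if leaders and len(silent) >= len(leaders):
            findings[pipe] = {"leaders": leaders, "silent_peers": silent}
    return findings


if __name__ == "__main__":
    for pipe, info in find_leader_pattern(PIPE_EVENTS, PROXY_LOG).items():
        print(f"{pipe}: leaders={info['leaders']} silent={info['silent_peers']}")
```

The shared-pipe step is the noise filter: a pipe name that appears on only one host (the browser and `lsass` examples) never reaches the correlation stage, so the output is driven by names that recur across the fleet. In a real deployment the proxy match should also consider the process that opened the connection, since legitimate Outlook traffic to EWS is expected on every workstation.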
Researchers also noted that the malware now supports roughly 150 configuration options, enabling operators to customize security bypasses, task scheduling, data exfiltration timing, process injection, and command execution. The malware includes bypass techniques for the Antimalware Scan Interface (AMSI), Event Tracing for Windows (ETW), and Windows Lockdown Policy (WLDP).