thehackernews.com 5/15/2026, 5:50:36 PM · via preferred

Turla’s Kazuar backdoor now powers stealthy peer-to-peer botnet

Primary Source microsoft.com

Turla has transformed its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and long-term access to compromised hosts, according to Microsoft Threat Intelligence. The group, which CISA assesses to be affiliated with Center 16 of Russia’s FSB, overlaps with multiple threat actor names, including Secret Blizzard and Aqua Blizzard.

Microsoft notes that Kazuar has evolved from a monolithic framework into a modular ecosystem built from three module types (Kernel, Bridge, and Worker) that enables flexible configuration, a reduced footprint, and broader tasking. Attacks distributing the malware have used droppers such as Pelmeni and ShadowLoader to decrypt and launch the modules. The Kernel coordinates Worker tasking, maintains communication with the Bridge, logs actions, and manages C2-related settings.

Kernel modules elect a leader over Mailslot. The leader is chosen by a ratio of runtime to interrupts, and once elected it remains non-silent in order to log activity and request tasks. Data gathered by Worker modules is aggregated, encrypted, stored in a defined working directory, and exfiltrated to the C2 server.


Article by CyberSIXT
