RUSSIAN-LINKED APT group Turla has upgraded its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and long-term access to compromised systems, according to Microsoft researchers. The Kazuar botnet now features Kernel, Bridge, and Worker modules to distribute tasks, maintain persistence, and enable covert data collection, with a design that reduces external footprint by routing most traffic through a single elected leader node.
The Bridge module acts as the communication gateway, allowing only one leader to talk externally while other infected hosts exchange data internally via encrypted P2P channels and multiple fallback methods such as HTTP, WebSockets, and Exchange Web Services.
The malware supports extensive configuration options for C2 communications, process injection, data exfiltration, and surveillance, and can be updated remotely to adapt to defender efforts. Turla, also known as Secret Blizzard among other names, has been active since at least 2004, targeting government, diplomatic, and defence sectors across Europe and Central Asia, with the U.S. CISA identifying the group as Russia-nexus and affiliated with Center 16 of Russia's FSB; researchers note the new architecture gives the group long-term access with resilience against disruptions.
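The single-leader design described above leaves a network-level shape a defender can look for: one internal host that receives connections from many internal peers and is the only one of them talking to the outside. The following is an added illustration, not code from Microsoft or the article; it assumes constructed flow records and treats 10.0.0.0/8 as the internal network.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port); not from the article.
# 10.x addresses are internal, anything else is external.
SAMPLE_FLOWS = [
    ("10.0.0.11", "10.0.0.50", 8443),    # internal peers all talk to .50
    ("10.0.0.12", "10.0.0.50", 8443),
    ("10.0.0.13", "10.0.0.50", 8443),
    ("10.0.0.14", "10.0.0.50", 8443),
    ("10.0.0.50", "203.0.113.7", 443),   # only .50 has external egress
    ("10.0.0.11", "10.0.0.12", 445),     # ordinary internal traffic
    ("10.0.0.20", "198.51.100.9", 443),  # normal host with direct egress
    ("10.0.0.21", "10.0.0.20", 80),      # one peer talking to .20: not a hub
]


def is_internal(ip: str) -> bool:
    """Constructed network assumption: 10.0.0.0/8 is internal."""
    return ip.startswith("10.")


def find_egress_hubs(flows, min_peers: int = 3) -> dict:
    """Flag internal hosts that (a) initiate connections to external
    addresses and (b) receive connections from at least `min_peers`
    distinct internal hosts. This is the leader-node shape: peers fan in,
    one host fans out. Returns {host: {"peers": [...], "external": [...]}}.
    """
    inbound = defaultdict(set)   # host -> internal hosts connecting to it
    egress = defaultdict(set)    # host -> external destinations it contacts
    for src, dst, _port in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
        elif is_internal(src) and not is_internal(dst):
            egress[src].add(dst)

    hubs = {}
    for host, dsts in egress.items():
        peers = inbound.get(host, set())
        if len(peers) >= min_peers:
            hubs[host] = {"peers": sorted(peers), "external": sorted(dsts)}
    return hubs


if __name__ == "__main__":
    for host, info in find_egress_hubs(SAMPLE_FLOWS).items():
        print(f"{host}: {len(info['peers'])} internal peers, egress to {info['external']}")
```

A hit is a triage lead, not a verdict: proxies, jump hosts and update servers produce the same shape, so the result should be cross-checked against asset inventory before escalation.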