Published on May 16, 2026
Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access
Severity
Medium
Detail
The Russia-linked threat group Turla has significantly upgraded its long-running Kazuar malware, transforming it from a traditional backdoor into a stealthy modular peer-to-peer (P2P) botnet designed for long-term espionage and persistence.
Also tracked under names such as Secret Blizzard, Snake, and Venomous Bear, the group is associated with Russia’s Federal Security Service (FSB) and is known for targeting government, diplomatic, and defense organizations across Europe and Central Asia. According to Microsoft Threat Intelligence, the latest evolution of Kazuar focuses heavily on resilience, stealth, and flexible operations to support intelligence-gathering campaigns.
How?
Unlike earlier versions that operated as a single framework, the updated Kazuar now uses a modular architecture made up of three main components: Kernel, Bridge, and Worker modules. The malware is delivered through loaders such as Pelmeni and ShadowLoader, which decrypt and launch the malicious components on compromised systems.
The Kernel module acts as the botnet’s main controller. It manages communications, assigns tasks, performs anti-analysis checks, and coordinates data collection. It can communicate internally using Windows messaging, named pipes, and mailslots, while external communications with attacker infrastructure can occur through HTTP, WebSockets, or Exchange Web Services.
A distinctive feature of the malware is its “leader election” mechanism. Multiple Kernel modules can exist on a system, but only one becomes the active leader responsible for communicating with the command-and-control (C2) server. This reduces the volume of suspicious activity and improves stealth by limiting external communications to a single active component.
The Worker modules handle surveillance and data collection tasks such as:
- Logging keystrokes
- Gathering system and file information
- Monitoring Windows events
- Collecting MAPI and messaging-related details
Meanwhile, the Bridge module acts as an intermediary between the Kernel and the external C2 infrastructure, helping obscure direct communications. Collected data is stored in a dedicated working directory, encrypted, and later exfiltrated to attacker-controlled servers.
Conclusion
The latest version of Kazuar highlights how advanced state-sponsored threat groups are moving toward modular and highly resilient malware frameworks that are harder to detect and disrupt. By separating functions across multiple components and minimizing direct communications, Turla has created a stealthier and more persistent espionage platform capable of operating for long periods inside compromised networks.
Researchers warn that the malware’s flexible architecture, anti-analysis capabilities, and covert communication methods make it a serious threat to government, diplomatic, and defense sectors. The campaign also reflects a broader trend where sophisticated attackers increasingly engineer stealth and persistence directly into their malware instead of relying solely on legitimate system tools.
Source
https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html
