Key Point: The Russian hacker group Turla has transformed its Kazuar backdoor into a modular P2P botnet. The new development enables long-term, covert cyber operations against Western governments and defense facilities.
The Russian state-backed hacker group Turla has rebuilt its custom Kazuar backdoor into a modular peer-to-peer botnet. The redesign gives the group stealthier, longer-term access to compromised systems.
Turla is attributed by the US agency CISA to Center 16 of the Russian intelligence service FSB. The hackers are known under numerous aliases, including ATG26, Blue Python, Iron Hunter, Secret Blizzard, and Waterbug. The group conducts targeted attacks against government, diplomatic, and defense facilities in Europe and Central Asia.
Kazuar is an advanced .NET backdoor that has been in use since 2017. Microsoft security researchers have now documented its transformation from a monolithic framework into a modular bot ecosystem. The system consists of three different component types with clearly defined roles. These changes allow flexible configuration, reduce the traces left on infected hosts, and support assigning a wide range of tasks to the bots.
The Microsoft Threat Intelligence Team describes the new development as deliberately building resilience and stealth directly into the malware. Programs such as Pelmeni and ShadowLoader are deployed as droppers to decrypt and execute the modules.