Russian Hackers Develop Kazuar Backdoor into Modular P2P Botnet

In short: The modernized Kazuar botnet uses a three-module system that minimizes external communication and obfuscates internal network communication to increase detection hurdles.

Russian hacker group Secret Blizzard has evolved its long-deployed Kazuar backdoor into a modular peer-to-peer botnet designed for long-term persistence, stealth, and data exfiltration. The malware follows a decentralized architecture in which only one machine per network segment communicates directly with the command server.

Secret Blizzard is considered close to the FSB and is associated with the groups Turla, Uroburos, and Venomous Bear. It targets government organizations, diplomatic facilities, defense agencies, and critical infrastructure in Europe, Asia, and Ukraine. Kazuar malware has been publicly documented since 2017, but its code history extends back to at least 2005. The Turla group, which operates on behalf of the FSB, is linked to Kazuar attacks. In 2020, deployments against European government networks were documented; in 2023, attacks on Ukrainian targets occurred.

Researchers from Microsoft analyzed a newer Kazuar variant that now operates via three separate modules: Kernel, Bridge, and Worker. The Kernel module acts as a central coordinator, manages tasks, controls the other modules, selects a leader, and directs communication and data exchange. The leader is typically a compromised host in the infected network; it communicates with the command-and-control server, receives commands, and distributes them to other compromised systems. Non-leader systems switch to “Silent” mode and do not communicate directly with the C2, which significantly improves stealth and reduces the detection footprint.

Leader election runs completely autonomously within the network and is based on factors such as uptime, restart frequency, and interrupt counters. The Bridge module acts as a proxy for external communication and forwards data traffic between the Kernel leader and the remote C2 infrastructure via protocols such as HTTP, WebSockets, or Exchange Web Services (EWS). Internal communication uses IPC mechanisms such as Windows Messaging, Mailslots, and Named Pipes, which blend seamlessly into typical system activity. Messages are encrypted with AES and serialized using Google Protocol Buffers (Protobuf).

The Worker module performs the actual espionage tasks, including keystroke logging. Splitting functionality into dedicated modules not only increases flexibility but also reduces the risk that a single module update compromises all infected systems, a classic botnet design problem.
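The one-leader-per-segment pattern described above gives defenders a network-level signal to hunt for: an internal host that both talks to an external address and receives named-pipe transport (SMB, TCP/445) connections from several peers on its own segment. The following Python is an added triage example, not code from Microsoft's analysis or from this article; the flow records, the 10.0.1.0/24 subnet, the external addresses, and the server inventory are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal segment and an assumed inventory of legitimate SMB servers.
INTERNAL = ip_network("10.0.1.0/24")
KNOWN_SERVERS = {"10.0.1.50"}

# Constructed flow records: (src_ip, dst_ip, dst_port). Not real traffic.
SAMPLE_FLOWS = [
    ("10.0.1.5", "203.0.113.10", 443),   # hypothetical leader egress
    ("10.0.1.5", "203.0.113.10", 443),
    ("10.0.1.7", "10.0.1.5", 445),       # silent peers -> leader over SMB
    ("10.0.1.9", "10.0.1.5", 445),
    ("10.0.1.12", "10.0.1.5", 445),
    ("10.0.1.7", "10.0.1.50", 445),      # ordinary file-server traffic
    ("10.0.1.9", "10.0.1.50", 445),
    ("10.0.1.9", "198.51.100.7", 443),   # ordinary web egress, no inbound peers
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def find_leader_candidates(flows, min_peers: int = 2) -> dict:
    """Return {host: [peers]} for internal hosts that have external egress
    AND receive TCP/445 connections from at least min_peers internal peers,
    excluding hosts known to be legitimate SMB servers."""
    egress_hosts = set()
    inbound_445 = defaultdict(set)
    for src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            egress_hosts.add(src)
        elif is_internal(src) and is_internal(dst) and port == 445 and src != dst:
            inbound_445[dst].add(src)

    candidates = {}
    for host in sorted(egress_hosts):
        peers = inbound_445.get(host, set())
        if host not in KNOWN_SERVERS and len(peers) >= min_peers:
            candidates[host] = sorted(peers)
    return candidates


if __name__ == "__main__":
    for host, peers in find_leader_candidates(SAMPLE_FLOWS).items():
        print(f"leader candidate {host}: inbound 445 from {', '.join(peers)}")
```

This is a triage signal, not a verdict: jump hosts, print servers, and workstations sharing folders produce the same shape, so hits should be checked against asset inventory and the host's actual pipe and process activity.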

Source: ainews-dev.lumi-systems.io · Published May 17, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.