Turla has just created something even more dangerous than a backdoor: a self-operating espionage botnet.

Overview of the campaign
For many years, APT (Advanced Persistent Threat) campaigns relied on a familiar model: a covert implant connecting to a command and control (C2) server to receive instructions and exfiltrate data. Kazuar, the latest espionage tool attributed to the Russian group Turla, breaks with that model. According to new analyses from Microsoft and other security firms, Kazuar is no longer just a traditional backdoor or RAT: it has evolved into a modular peer-to-peer (P2P) botnet that organizes and sustains itself and depends only minimally on centralized control infrastructure.
What makes Kazuar dangerous is not its data-stealing capability but how it exists within the victim's network: silent, distributed, hard to eradicate, and able to survive even if part of the infrastructure is detected. This report analyzes Kazuar's operational architecture, the P2P botnet model Turla deploys, its stealth and persistence techniques, and why Kazuar is considered one of the most dangerous espionage frameworks today.
Overview of the APT Group Turla (Secret Blizzard)
Who is Turla?
Turla is one of the oldest, most mysterious, and sophisticated APT (Advanced Persistent Threat) groups ever recorded in modern cybersecurity history. This group is believed to operate under the auspices of Russian intelligence, often linked to the FSB (Federal Security Service of the Russian Federation).
In the threat intelligence community, Turla is also known by various names such as Secret Blizzard (Microsoft), Uroburos, Snake, Venomous Bear, Waterbug, and Krypton. The group has been active since at least the early 2000s and has consistently appeared in cyber espionage campaigns targeting governments, military, embassies, research organizations, defense contractors, critical infrastructure, and diplomatic entities worldwide.
One of the most "dangerous and persistent" APTs
Unlike financially motivated ransomware groups, Turla's main objectives are strategic espionage, intelligence theft, maintaining long-term presence in victim systems, and monitoring geopolitical activities. Turla is renowned for its ability to maintain persistence for many years, use highly customized malware, deploy complex C2 infrastructure, and effectively conceal its tracks.
Key characteristics
A major distinction of Turla is its ability to independently develop extremely sophisticated malware frameworks. Instead of relying on common malware from the underground market, the group possesses its own ecosystem of implants and backdoors, designed for specific targets. Malware like Snake, ComRAT, Crutch, and more recently Kazuar, demonstrate very high technical proficiency, particularly in concealing network traffic and maintaining persistence. Turla is also renowned for leveraging legitimate infrastructure to disguise its command and control activities. In many previous campaigns, the group has exploited Gmail, Dropbox, OneDrive, or other popular cloud services as C2 channels to make malicious traffic appear like normal user activity. This helps the malware easily bypass traditional monitoring mechanisms.
One technique that once amazed the cybersecurity community was Turla's use of civilian satellite connections to hide the true origin of its command infrastructure. Instead of communicating directly from its own servers, the group hijacked legitimate users' satellite downlink traffic to create a proxy layer that was, at the time, nearly untraceable.
Context and Distribution Methods
Kazuar is not new; Turla has used it since at least 2017. The latest P2P botnet version, however, is a thorough technical overhaul. The malware is installed on target systems through familiar droppers such as Pelmeni or ShadowLoader. A notable aspect of the distribution phase is the payload encryption scheme: the second-stage payload is encrypted with a key derived from the target's hostname, so it can only be decrypted and executed on the intended victim machine. This complicates automated analysis in a generic sandbox, because an analyst must know (or spoof) the victim hostname before the payload can be recovered. Kazuar also includes a built-in .NET loader that uses a COM object to launch the main modules.
Upon activation, the malware performs a series of anti-analysis checks: it scans running processes for analysis tools, inspects loaded DLLs associated with sandboxes, and searches the desktop for "canary files" planted by analysts. Only after all of these checks pass does the bot become operational.
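The two gates described above (hostname-bound payload, then environment checks) in working form. This is an added illustration written for this page, not Kazuar's code or Microsoft's analysis output: the key derivation (SHA-256 of the lowercased hostname), the SHA-256 counter-mode keystream with an HMAC tag, and the indicator lists for processes, DLLs and canary file names are all assumptions chosen for the demonstration. The point it shows is why a generic sandbox gets nothing usable: decryption on any host other than the intended one fails the integrity check, and a hostile environment stops the loader before decryption is even attempted.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# --- Stage 1: environment gate (constructed indicator lists, not Kazuar's real ones) ---
ANALYSIS_PROCESSES = {"procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe", "ida64.exe"}
SANDBOX_DLLS = {"sbiedll.dll", "cuckoomon.dll", "api_log.dll", "dir_watch.dll"}
CANARY_MARKERS = ("canary", "honeytoken")


def environment_checks(processes: List[str], loaded_dlls: List[str], desktop_files: List[str]) -> List[str]:
    """Return the reasons the host looks like an analysis environment (empty list = clean)."""
    reasons = []
    if ANALYSIS_PROCESSES & {p.lower() for p in processes}:
        reasons.append("analysis tool running")
    if SANDBOX_DLLS & {d.lower() for d in loaded_dlls}:
        reasons.append("sandbox DLL loaded")
    if any(marker in f.lower() for f in desktop_files for marker in CANARY_MARKERS):
        reasons.append("canary file on desktop")
    return reasons


# --- Stage 2: payload bound to the victim hostname ---
def derive_key(hostname: str) -> bytes:
    # Assumption: key = SHA-256 of the normalized hostname. The article only states that
    # the payload is encrypted based on the hostname, not which KDF is used.
    return hashlib.sha256(hostname.strip().lower().encode("utf-8")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a stdlib-only stream cipher for the demonstration.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_for_host(payload: bytes, hostname: str, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt payload so that only a machine with this hostname can recover it."""
    key = derive_key(hostname)
    if nonce is None:
        nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # binds nonce + ciphertext to the host key
    return nonce + ct + tag


def open_on_host(blob: bytes, hostname: str) -> Optional[bytes]:
    """Decrypt with the local hostname; returns None when the tag does not verify (wrong host)."""
    key = derive_key(hostname)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def run_loader(blob: bytes, hostname: str, processes, loaded_dlls, desktop_files) -> Optional[bytes]:
    """Full gate: refuse on a hostile environment first, then attempt host-bound decryption."""
    if environment_checks(processes, loaded_dlls, desktop_files):
        return None
    return open_on_host(blob, hostname)


if __name__ == "__main__":
    # Constructed scenario: payload sealed for one workstation, then opened on it and on a sandbox.
    blob = seal_for_host(b"stage-2 modules", "WS-FIN-017")
    print("victim host:", run_loader(blob, "WS-FIN-017", ["explorer.exe"], ["ntdll.dll"], ["report.docx"]))
    print("sandbox host:", run_loader(blob, "SANDBOX-01", ["explorer.exe"], ["ntdll.dll"], []))
    print("victim host, analyst present:", run_loader(blob, "WS-FIN-017", ["Procmon.exe"], [], []))
```

For an analyst the practical consequence is the inverse of the attacker's intent: once the victim hostname is known from the incident, `open_on_host` (or its real counterpart, once the KDF is recovered from the loader) can be fed that hostname inside the sandbox, which is the only way to get the second stage out of a hostname-bound sample.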
Execution flow
Phase 1 - Target Acquisition
Turla is renowned for its highly selective targeting capabilities. Unlike widespread malware campaigns, the group often spends considerable time researching the target organization before launching an attack. One of the most common methods is spear-phishing. Victims receive fake emails, documents with malicious macros, disguised archive files, or links leading to malicious payloads.
Alongside spear-phishing, Turla also employs watering-hole attacks—techniques that target websites frequently visited by the victim. When users access a site that has been implanted with malware or an exploit kit, the malware is silently deployed into the system with little to no additional interaction required. In some recent campaigns, Turla has also exploited public-facing vulnerabilities to gain initial access. A notable example is the exploitation of the Citrix ADC vulnerability, specifically CVE-2023-3519, to execute remote code and establish a foothold within the enterprise network.
Phase 2 - Deployment
After gaining initial access, Turla begins deploying a multi-layered malware chain to introduce Kazuar into the system without triggering security alerts. At this stage, small implants play a crucial role. According to numerous threat intelligence reports, Turla uses first-stage malware like Capibar to verify the victim's environment, perform anti-analysis checks, inspect sandboxes, and assess whether the system is valuable enough for strategic implant deployment. If the target is deemed suitable, Capibar proceeds to load specialized loaders such as Pelmeni or ShadowLoader. These components are responsible for decrypting the payload, injecting malware into memory, and deploying Kazuar without leaving many artifacts on disk.
Phase 3 - Post-Exploitation
After Kazuar is successfully deployed, the campaign enters its most important phase: maintaining long-term presence and collecting intelligence. This is where Kazuar begins to act as a complete espionage framework rather than an ordinary backdoor.
At this point the victim's system has effectively become a node inside Turla's espionage botnet, where the malware can persist silently for a long time, recover on its own when interrupted, and continuously send strategic data outward while remaining very hard to detect.
The architecture of Kazuar
Kernel
The Kernel module is the "brain" of Kazuar, coordinating the botnet's behaviour on each infected machine. It manages over 150 configuration parameters and plays the central role in directing the Worker modules and controlling the communication flow with the Bridge module.
What makes this architecture dangerous is not the number of features but how Turla designed its operating mechanism to achieve near-complete stealth.
Instead of having every infected machine beacon out to the Internet, as traditional botnets do and as EDR or network monitoring readily detects, Kazuar uses an internal mechanism called leadership election.
Within the botnet, the Kernel modules continuously assess one another on factors such as uptime, connection stability, and the number of interruptions or system errors, and from that assessment the bots automatically elect a single node to serve as the Kernel Leader.
As soon as a leader is chosen, all other Kernels switch to SILENT mode: they keep operating quietly in the background but stop making suspicious outbound connections. As a result, in a botnet of dozens or hundreds of infected endpoints, only a single node communicates with the C2 infrastructure, through the Bridge module. For defenders this matters because per-host beaconing analytics see nothing on the silent nodes; if the leader is cleaned or isolated, the remaining Kernels simply elect a new one. This is the most sophisticated aspect of Kazuar's design.
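A small simulation of the leadership election described above, added here as an illustration; it is not Kazuar's code, and the scoring formula (uptime weighted by a stability ratio, minus a penalty per error), the weights, and the four sample hosts are assumptions made for the demonstration, since the article names the three factors but not how they are combined. Run it and only one host ever shows C2 traffic; isolate that host and a different one takes over.

```python
from dataclasses import dataclass
from typing import List, Optional

ERROR_PENALTY = 10.0  # assumption: score cost of each interruption / system error


@dataclass
class KernelNode:
    node_id: str
    uptime_hours: float
    stability: float      # constructed metric in [0, 1]: share of successful peer exchanges
    error_count: int      # interruptions / system errors observed on this node
    mode: str = "SILENT"  # every node starts SILENT; only the elected leader beacons


def election_score(node: KernelNode) -> float:
    """Combine the three factors the article names; the formula itself is an assumption."""
    return node.uptime_hours * node.stability - ERROR_PENALTY * node.error_count


def elect_leader(nodes: List[KernelNode]) -> Optional[KernelNode]:
    """Elect exactly one Kernel Leader; every other node is forced into SILENT mode."""
    if not nodes:
        return None
    leader = max(nodes, key=lambda n: (election_score(n), n.node_id))  # deterministic tie-break
    for n in nodes:
        n.mode = "LEADER" if n is leader else "SILENT"
    return leader


def beaconing_nodes(nodes: List[KernelNode]) -> List[str]:
    """The hosts a network monitor would see talking to C2: only the leader."""
    return [n.node_id for n in nodes if n.mode == "LEADER"]


def remove_node(nodes: List[KernelNode], node_id: str) -> List[KernelNode]:
    """Simulate a node being cleaned or isolated; the survivors re-elect a leader."""
    remaining = [n for n in nodes if n.node_id != node_id]
    elect_leader(remaining)
    return remaining


def build_sample_botnet() -> List[KernelNode]:
    # Constructed sample of four infected endpoints (names and metrics are made up).
    return [
        KernelNode("WS-FIN-017", uptime_hours=120, stability=0.90, error_count=0),   # score 108
        KernelNode("WS-HR-003", uptime_hours=200, stability=0.50, error_count=1),    # score 90
        KernelNode("SRV-FILE-01", uptime_hours=80, stability=1.00, error_count=0),   # score 80
        KernelNode("WS-DEV-022", uptime_hours=300, stability=0.95, error_count=30),  # score -15
    ]


if __name__ == "__main__":
    bots = build_sample_botnet()
    leader = elect_leader(bots)
    print("leader:", leader.node_id, "| beaconing hosts:", beaconing_nodes(bots))
    bots = remove_node(bots, leader.node_id)
    print("after isolating the leader, beaconing hosts:", beaconing_nodes(bots))
```

Note what the simulation implies for response: isolating the single host that shows C2 traffic removes one node and triggers a re-election, so containment has to cover every host that participates in the internal peer exchange, not just the one that was talking out.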
Bridge
If the Kernel is the brain coordinating the entire botnet, then the Bridge module is the "secret tunnel" connecting the Kazuar network to the external control infrastructure. The Bridge is not merely an intermediary proxy. It is designed as an extremely sophisticated layer that disguises traffic, allowing Turla to make malicious traffic appear completely legitimate to network monitoring systems.
All communication between the Kernel Leader and the C2 server must pass through the Bridge module. This lets Turla centrally control all outbound communication and minimize unusual traces on infected endpoints. Notably, the Bridge supports multiple communication protocols instead of relying on a single fixed channel. According to Microsoft's analysis, the module can operate over HTTP, WebSocket Secure (WSS), and, most notably, Exchange Web Services (EWS). The EWS channel is the hardest to spot, because traffic to an Exchange server over EWS is exactly what Outlook and mobile mail clients generate all day.
Worker
If the Kernel is the brain and the Bridge is the secret communication channel, then the Worker module is the force directly carrying out espionage activities within the victim's system. This component is responsible for data collection, user monitoring, and executing intelligence tasks sent down by the operator from the control infrastructure. Unlike typical malware that focuses on stealing files or opening a remote shell, Kazuar's Worker operates like a comprehensive espionage implant. It continuously monitors the system to gather as much valuable data as possible while maintaining a high level of stealth to avoid detection.
One of the most important functions of the Worker is keylogging. This module can record user keystrokes to collect credentials, internal emails, sensitive documents, or access information for strategic systems. Another notable capability is the collection of MAPI email data. Instead of just stealing physical files, Kazuar can directly access internal email data through the Messaging Application Programming Interface (MAPI), allowing the operator to monitor communications, retrieve email content, analyze internal relationships, and gather strategic intelligence.
Inter-process communication (IPC) and Data Organization
To let its modules talk to each other without producing network traffic that scanning tools could observe, Kazuar uses several inter-process communication (IPC) techniques:
Window Messaging (default): registers hidden windows and sends messages between processes.
Mailslots: uses a hash of the module name to create an inconspicuous mailslot.
Named Pipes: the Kernel Leader uses the REMO thread to create named pipes for direct exchange with other Kernel clients; by default the pipe name is an MD5 hash derived from the "pipename-kernel-" pattern, so the pipe appears as a 32-character hexadecimal string rather than a readable name. That shape is what to hunt for.
All message packets are formatted using Google Protocol Buffers (Protobuf), enabling fast and resource-efficient data serialization.
Additionally, Kazuar uses a centralized working directory on disk. All data collected by the Worker, configuration files, and tasks are stored there. The data is always encrypted in place before the Bridge module exfiltrates it. This design separates collection from transmission, so collected data and pending tasks survive a reboot or a loss of C2 connectivity and the botnet keeps operating.
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Execution | PowerShell | T1059.001 |
| Execution | Inter-Process Communication | T1559 |
| Persistence | Scheduled Task/Job | T1053 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 |
| Credential Access | OS Credential Dumping | T1003 |
| Discovery | System Information Discovery | T1082 |
| Lateral Movement | Remote Services | T1021 |
| Collection | Data from Local System | T1005 |
| Collection | Input Capture: Keylogging | T1056.001 |
| Collection | Email Collection: Local Email Collection (MAPI) | T1114.001 |
| Command & Control | Non-Application Layer Protocol (peer-to-peer exchange between nodes) | T1095 |
| Command & Control | Application Layer Protocol: Web Protocols (HTTP, WSS, EWS) | T1071.001 |
| Command & Control | Proxy: Multi-hop Proxy | T1090.003 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
IOC
| Indicator | Type | Description |
|---|---|---|
| 69908f05b436bd97baae56296bf9b9e734486516f9bb9938c2b8752e152315d4 | SHA-256 | hpbprndiLOC.dll – Kazuar Loader |
| c1f278f88275e07cc03bd390fe1cbeedd55933110c6fd16de4187f4c4aaf42b9 | SHA-256 | Decrypted Kernel Module |
| 6eb31006ca318a21eb619d008226f08e287f753aec9042269203290462eaa00d | SHA-256 | Decrypted Bridge Module |
| 436cfce71290c2fc2f2c362541db68ced6847c66a73b55487e5e5c73b0636c85 | SHA-256 | Decrypted Worker Module |
Expert opinion
The evolution of Kazuar from a monolithic tool into a distributed P2P ecosystem reflects a strategic shift by Turla. Instead of relying solely on living-off-the-land binaries (LOLBins), which EDR increasingly monitors, Turla chose to build specialized modules with a "leader" mechanism. Allowing only a single device to communicate with C2 lets Kazuar slip past the traditional network anomaly detection scenarios run in SOCs, which look for beaconing from individual hosts.
Risks to targets in Vietnam: Turla (Secret Blizzard) is notorious for cyber intelligence campaigns against government, diplomatic, and defense agencies. In Southeast Asia, Vietnam is a high-value strategic target. Observations from monitoring systems indicate frequent attacks on email infrastructure (particularly Exchange Server) and on directive documents of state organizations. Kazuar's built-in MAPI email theft module and covert C2 communication over EWS show that this malware is tailor-made for the network environments of public sector organizations and ministries, which rely heavily on Microsoft Exchange. The risk of confidential document leaks is extremely serious if a system is infected, and detection rules written for the older, monolithic Kazuar will no longer be effective.
Recommendations
Immediate (0-24h)
Hunt for processes that create named pipes whose names are bare hash strings (for example, 32-character hexadecimal MD5 values) and for hidden windows used for Window Messaging between unrelated processes.
Immediately isolate workstations making EWS connections to IP addresses outside the allowlist of known Exchange endpoints.
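The two immediate hunts above as runnable detection logic over a handful of constructed, Sysmon-style event lines. This is an added example for this page, not a rule shipped by any vendor: the pipe-delimited event format, the internal Exchange subnet used as the EWS allowlist (10.10.5.0/24), the list of processes expected to speak EWS, and the sample hashed pipe name (the MD5 of a made-up string, to reproduce the 32-hex shape described in the IPC section) are all assumptions. It goes one step beyond the text by also flagging EWS traffic from a process that is not a mail client, which the allowlist alone would miss.

```python
import hashlib
import ipaddress
import re
from typing import List, Set, Tuple

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)        # bare MD5-shaped pipe name
EWS_PATH = re.compile(r"/ews/exchange\.asmx", re.IGNORECASE)  # EWS endpoint path
EWS_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]        # assumption: internal Exchange subnet
MAIL_CLIENTS = {"outlook.exe", "hxoutlook.exe"}               # assumption: processes expected to use EWS

# Constructed sample pipe name with the shape described in the IPC section (not Kazuar's real string).
SAMPLE_HASHED_PIPE = hashlib.md5(b"example-kernel-").hexdigest()

# Constructed events: kind|host|process|detail[|url]. Not real telemetry.
SAMPLE_EVENTS = [
    f"pipe_created|WS-FIN-017|svchost.exe|\\\\.\\pipe\\{SAMPLE_HASHED_PIPE}",
    "pipe_created|WS-FIN-017|chrome.exe|\\\\.\\pipe\\mojo.7788.1234",
    "net_connect|WS-FIN-017|explorer.exe|10.10.5.20:443|/EWS/Exchange.asmx",
    "net_connect|WS-HR-003|svchost.exe|203.0.113.45:443|/EWS/Exchange.asmx",
    "net_connect|WS-HR-003|outlook.exe|10.10.5.20:443|/EWS/Exchange.asmx",
    "net_connect|WS-HR-003|chrome.exe|203.0.113.45:443|/index.html",
]

Alert = Tuple[str, str, str]  # (host, rule, detail)


def pipe_basename(path: str) -> str:
    """Strip the \\\\.\\pipe\\ prefix and any leading backslashes."""
    return path.replace("\\\\.\\pipe\\", "").lstrip("\\")


def ip_in_allowlist(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EWS_ALLOWLIST)


def scan(events: List[str]) -> List[Alert]:
    """Apply the two immediate hunts (plus the unexpected-process check) to event lines."""
    alerts: List[Alert] = []
    for line in events:
        parts = line.split("|")
        kind, host, proc = parts[0], parts[1], parts[2].lower()
        if kind == "pipe_created":
            name = pipe_basename(parts[3])
            if HEX32.match(name):
                alerts.append((host, "hashed_pipe_name", name))
        elif kind == "net_connect":
            dest, url = parts[3], parts[4]
            if not EWS_PATH.search(url):
                continue                                   # only EWS traffic is in scope here
            ip = dest.rsplit(":", 1)[0]
            if not ip_in_allowlist(ip):
                alerts.append((host, "ews_to_unlisted_ip", ip))
            elif proc not in MAIL_CLIENTS:
                alerts.append((host, "ews_from_unexpected_process", proc))
    return alerts


def hosts_to_isolate(alerts: List[Alert]) -> Set[str]:
    """The 0-24h action: isolate hosts with EWS traffic to an address outside the allowlist."""
    return {host for host, rule, _ in alerts if rule == "ews_to_unlisted_ip"}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, rule, detail in found:
        print(f"{host:12} {rule:28} {detail}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The pipe rule will also fire on legitimate software that names pipes with GUID-like or hashed strings, so treat it as a hunting lead to be joined with the creating process and its signer, not as a block-on-sight signal; the EWS rule is tighter, because an organization normally knows every Exchange endpoint its clients should reach.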
Short-term (1-7 days)
Configure and enable Attack Surface Reduction (ASR) rules in the EDR: block execution of potentially obfuscated scripts, block process creations originating from PSExec and WMI commands, and block executables that are not on the trusted list.
Ensure Endpoint Detection and Response (EDR) is running in block mode and that Network Protection is enabled, so C2 connections are cut proactively.
Long-term
Deploy and monitor PowerShell logs (including Module and Script Block Logging) into SIEM.
Build a Zero Trust architecture for the network infrastructure, applying micro-segmentation to restrict lateral movement and the internal peer-to-peer traffic a P2P botnet depends on. Remote named pipes travel over SMB (TCP 445), so workstation-to-workstation SMB is the first traffic to block.
References
Russian hackers turn Kazuar backdoor into modular P2P botnet
Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access
Kazuar: Anatomy of a nation-state botnet | Microsoft Security Blog