Turla Kazuar modular P2P botnet
Malware Activity
Summary
Hide ▲
Show ▼
Turla has refactored its Kazuar backdoor into a modular peer-to-peer (P2P) botnet, strengthening stealth and persistent access on compromised hosts. The redesign gives the malware more flexible tasking and a smaller observable footprint. It also supports encrypted staging and exfiltration of collected data. The shift matters because it improves long-term operator control over infected systems.
Related Happenings
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
H score40
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware ActivityAbout this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
Secret Blizzard Kazuar modular P2P botnet
Malware Activity
H score28
First: 16.05.2026 17:15
Last: 16.05.2026 17:15
Sources 1
About this happening:
**Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
Secret Blizzard Kazuar modular P2P botnet
Malware ActivityAbout this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
Medusa ransomware post-compromise deployment
Malware Activity
H score48
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Medusa ransomware post-compromise deployment
Malware ActivityAbout this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Timeline
-
15.05.2026 20:10 2 articles · 1mo ago
Turla discloses Kazuar modular P2P botnet
Initial DisclosureMicrosoft Threat Intelligence reported that Turla transformed Kazuar, a .NET backdoor used since 2017, into a modular peer-to-peer (P2P) botnet designed for stealth and persistent access to compromised hosts. The redesign splits functionality across Kernel, Bridge, and Worker modules that coordinate tasking, logging, collection, and exfiltration, with droppers such as Pelmeni and ShadowLoader used to decrypt and launch the modules.
Show sources
- Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10
- Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10