Find notable cyber news and cases, enriched with sources, timelines, and signals.

Turla Kazuar modular P2P botnet

Malware Activity
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

Turla has refactored its Kazuar backdoor into a modular peer-to-peer (P2P) botnet, strengthening stealth and persistent access on compromised hosts. The redesign gives the malware more flexible tasking and a smaller observable footprint. It also supports encrypted staging and exfiltration of collected data. The shift matters because it improves long-term operator control over infected systems.

Related Happenings

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity
H score40 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
H score28 First: 16.05.2026 17:15 Last: 16.05.2026 17:15 Sources 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

Medusa ransomware post-compromise deployment

Malware Activity
H score48 First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

Timeline

  1. 15.05.2026 20:10 2 articles · 1mo ago

    Turla discloses Kazuar modular P2P botnet

    Initial Disclosure

    Microsoft Threat Intelligence reported that Turla transformed Kazuar, a .NET backdoor used since 2017, into a modular peer-to-peer (P2P) botnet designed for stealth and persistent access to compromised hosts. The redesign splits functionality across Kernel, Bridge, and Worker modules that coordinate tasking, logging, collection, and exfiltration, with droppers such as Pelmeni and ShadowLoader used to decrypt and launch the modules.

    Show sources