Turla’s Kazuar framework upgraded into modular P2P botnet for persistent intrusions
Summary
Turla (Secret Blizzard, ATG26, Blue Python, Uroburos) has upgraded its Kazuar .NET backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence and covert operations against government, diplomatic, and defense targets in Europe and Central Asia. The overhaul introduces a three-tier module architecture—Kernel, Bridge, and Worker—coordinated via droppers such as Pelmeni and ShadowLoader. Kernel modules act as the botnet’s control plane, electing a leader to mediate C2 communication while Workers exfiltrate data, log keystrokes, and profile systems. Communication uses multiple channels including Windows Messaging, Mailslot, named pipes, HTTP, Exchange Web Services, and WebSockets to evade detection. The design emphasizes resilience through internal P2P coordination, multi-path C2 redundancy, and persistent on-disk staging of operational data.
Timeline
- 15.05.2026 20:10 · 1 article
Kazuar backdoor modularized into P2P botnet with multi-channel C2 for persistent access
Turla’s Kazuar .NET backdoor has been upgraded from a monolithic framework to a modular P2P botnet comprising Kernel, Bridge, and Worker modules. Kernel modules coordinate internally via Windows Messaging, Mailslot, and named pipes, electing a single leader to manage C2 communications over HTTP, WebSockets, or Exchange Web Services. Worker modules perform keystroke logging, event hooking, and data collection, staging information in a structured on-disk directory before exfiltration. Droppers Pelmeni and ShadowLoader are used to decrypt and deploy modules, reducing detection risk and enabling flexible, persistent operations against high-value targets.
- Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10
Information Snippets
- Turla (also tracked as Secret Blizzard, ATG26, Blue Python, Uroburos, Snake, SUMMIT, Waterbug, and WRAITH) is assessed to be affiliated with Center 16 of Russia’s FSB, targeting government, diplomatic, and defense sectors in Europe and Central Asia.
  First reported: 15.05.2026 20:10 · 1 source, 1 article
  - Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10
- Kazuar has evolved from a monolithic .NET backdoor (first seen in 2017) into a modular P2P botnet composed of three distinct module types: Kernel (coordinator), Bridge (C2 proxy), and Worker (collection/execution).
  First reported: 15.05.2026 20:10 · 1 source, 1 article
  - Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10
- Kernel modules coordinate tasking internally via Windows Messaging, Mailslot, and named pipes, electing a single leader module to manage communications with the Bridge component over HTTP, WebSockets, or Exchange Web Services.
  First reported: 15.05.2026 20:10 · 1 source, 1 article
  - Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10
- Worker modules log keystrokes, hook Windows events, gather system information, file listings, and MAPI data, then stage collected data in a dedicated working directory before exfiltration.
  First reported: 15.05.2026 20:10 · 1 source, 1 article
  - Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10
- Droppers such as Pelmeni and ShadowLoader are used to decrypt and launch Kazuar’s modular components, reducing observable footprints and enabling flexible configuration.
  First reported: 15.05.2026 20:10 · 1 source, 1 article
  - Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10
- The malware maintains persistence by decoupling task execution from data storage and exfiltration, organizing data into distinct subdirectories within a fully qualified, configurable working directory to support operational state across restarts.
  First reported: 15.05.2026 20:10 · 1 source, 1 article
  - Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access — thehackernews.com — 15.05.2026 20:10
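The architecture described above pairs host-local coordination (named pipes, Mailslots, Windows Messaging between Kernel modules) with a single elected leader that carries C2 traffic out over HTTP, WebSockets or Exchange Web Services. One defensive way to use that description is a hunt that correlates the two behaviours per process image. The script below is an added example written for this page, not code from the source article, from the researchers it cites, or from Kazuar itself. It assumes Sysmon-style records (Event ID 17 for pipe creation, Event ID 3 for outbound connections), an assumed allowlist of software expected to do both, and an assumed set of internal Exchange hostnames; every image path, pipe name and hostname in it is constructed sample data, not an indicator from the page.

```python
"""
Added hunting example (not the page's own code): correlate named-pipe creation
(Sysmon Event ID 17) with outbound web connections (Sysmon Event ID 3) from the
same process image, and separately flag non-mail-client traffic to Exchange hosts.
All records, paths, pipe names and hostnames are CONSTRUCTED sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed allowlist: images that legitimately both create pipes and use the network.
KNOWN_PIPE_AND_NET_IMAGES = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\windows\system32\svchost.exe",
}
# Assumed: the only images expected to talk to Exchange Web Services directly.
EXPECTED_MAIL_CLIENTS = {r"c:\program files\microsoft office\root\office16\outlook.exe"}
# Assumed: ports the HTTP/WebSockets/EWS channels described on the page would use.
WEB_PORTS = {80, 443}


@dataclass
class ProcessActivity:
    pipes: set = field(default_factory=set)          # pipe names created
    destinations: set = field(default_factory=set)   # (hostname, port) pairs


def correlate(events):
    """Group Sysmon-style events by lowercased image path."""
    per_image = defaultdict(ProcessActivity)
    for ev in events:
        image = ev["Image"].lower()
        if ev["EventID"] == 17:                      # PipeEvent: pipe created
            per_image[image].pipes.add(ev["PipeName"])
        elif ev["EventID"] == 3 and ev.get("Initiated", True):   # outbound connect
            per_image[image].destinations.add(
                (ev["DestinationHostname"].lower(), int(ev["DestinationPort"])))
    return per_image


def find_suspects(events, exchange_hosts):
    """Return {image: [reasons]} for images showing IPC-plus-egress or unexpected EWS use."""
    findings = {}
    for image, act in correlate(events).items():
        reasons = []
        web_dests = {d for d in act.destinations if d[1] in WEB_PORTS}
        # Pattern 1: a process that both coordinates locally over pipes and reaches
        # web endpoints, outside the allowlist (leader-style behaviour).
        if act.pipes and web_dests and image not in KNOWN_PIPE_AND_NET_IMAGES:
            reasons.append(f"creates {len(act.pipes)} named pipe(s) and reaches "
                           f"{len(web_dests)} web endpoint(s)")
        # Pattern 2: something other than a mail client talking to an Exchange host.
        if image not in EXPECTED_MAIL_CLIENTS:
            ews = {d for d in act.destinations if d[0] in exchange_hosts}
            if ews:
                reasons.append("non-mail-client connection to Exchange host(s): "
                               + ", ".join(sorted(h for h, _ in ews)))
        if reasons:
            findings[image] = reasons
    return findings


# Constructed sample telemetry (not real indicators).
SUSPECT = r"C:\Users\alice\AppData\Roaming\Updater\host.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SVCHOST = r"C:\Windows\System32\svchost.exe"
AGENT = r"C:\Program Files\Vendor\agent.exe"
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": SUSPECT, "PipeName": r"\constructed-pipe-1"},
    {"EventID": 17, "Image": SUSPECT, "PipeName": r"\constructed-pipe-2"},
    {"EventID": 3, "Image": SUSPECT, "DestinationHostname": "mail.corp.example",
     "DestinationPort": 443, "Initiated": True},
    {"EventID": 17, "Image": OUTLOOK, "PipeName": r"\constructed-office-pipe"},
    {"EventID": 3, "Image": OUTLOOK, "DestinationHostname": "mail.corp.example",
     "DestinationPort": 443, "Initiated": True},
    {"EventID": 17, "Image": SVCHOST, "PipeName": r"\constructed-svc-pipe"},
    {"EventID": 3, "Image": SVCHOST, "DestinationHostname": "update.example",
     "DestinationPort": 443, "Initiated": True},
    {"EventID": 17, "Image": AGENT, "PipeName": r"\constructed-agent-pipe"},  # pipes only
]
EXCHANGE_HOSTS = {"mail.corp.example"}   # assumed internal Exchange hostnames

if __name__ == "__main__":
    for image, reasons in find_suspects(SAMPLE_EVENTS, EXCHANGE_HOSTS).items():
        print(image)
        for r in reasons:
            print("  -", r)
```

Run against the constructed events, only the unexpected image in the user's roaming profile is reported, with both reasons; Outlook and svchost are suppressed by the allowlists and the pipe-only agent never trips the egress rule. Mailslot and Windows Messaging traffic is not covered by Sysmon pipe events, so this catches only the named-pipe leg of the coordination the page describes; the allowlists are the tuning knob and should be built from a baseline of the monitored estate.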