Secret Blizzard Kazuar modular P2P botnet
Malware Activity
Summary
Hide ▲
Show ▼
Kazuar is being used in a multi-stage campaign in Ukraine that ESET says likely involves Gamaredon providing access and Turla/Secret Blizzard delivering the backdoor. In February, April, and June 2025, ESET observed PteroGraphin, PteroOdd, and PteroPaste being used to launch Kazuar v2/v3 on Ukrainian endpoints, including activity tied to FSB-affiliated groups. The chain uses PowerShell downloaders and delivery via Telegraph API, Cloudflare Workers, and the domain 91.231.182[.]187, and it has affected at least seven machines in Ukraine over the past 18 months.
Related Happenings
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
Campaign
H score37
First: 26.06.2026 10:15
Last: 26.06.2026 10:15
Sources 1
About this happening:
Turla's **STOCKSTAY** phishing campaign is targeting **government and military organizations in Ukraine** and selected **European entities**, extending a recurring espionage opera...
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
CampaignAbout this happening: Turla's **STOCKSTAY** phishing campaign is targeting **government and military organizations in Ukraine** and selected **European entities**, extending a recurring espionage opera...
Turla Kazuar modular P2P botnet
Malware Activity
H score16
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
**Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...
Turla Kazuar modular P2P botnet
Malware ActivityAbout this happening: **Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
H score19
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical AnalysisAbout this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
Gremlin stealer modular toolkit evolution
Malware Activity
H score21
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Gremlin stealer modular toolkit evolution
Malware ActivityAbout this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
H score28
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
UAT-8302 government-targeting campaign across South America and southeastern Europe
CampaignAbout this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
Timeline
-
16.05.2026 17:15 2 articles · 1mo ago
Secret Blizzard turns Kazuar into modular P2P botnet
Technical Analysis UpdateMicrosoft describes Secret Blizzard's Kazuar backdoor as a modular peer-to-peer botnet built for long-term persistence, stealth, and data collection against government, diplomatic, defense, and critical-system targets across Europe, Asia, and Ukraine. The malware uses kernel, bridge, and worker modules, relays command-and-control traffic over HTTP, WebSockets, or Exchange Web Services (EWS), stages stolen data locally before exfiltration, and adds 150 configuration options plus AMSI, ETW, and WLDP bypasses.
Show sources
- Russian hackers turn Kazuar backdoor into modular P2P botnet — www.bleepingcomputer.com — 16.05.2026 17:15
- Russian hackers turn Kazuar backdoor into modular P2P botnet — www.bleepingcomputer.com — 16.05.2026 17:15
-
19.09.2025 11:24 1 articles · 9mo ago
Gamaredon tools execute Turla Kazuar v3 on a Ukrainian endpoint
Campaign Scope UpdateGamaredon tools PteroGraphin and PteroOdd were used on a Ukrainian endpoint to execute Turla's Kazuar v3 backdoor, and Kazuar was present on the system since February 11, 2025.
Show sources
- Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine — thehackernews.com — 19.09.2025 11:24