Secret Blizzard Kazuar modular P2P botnet
Malware Activity
Summary
Kazuar is being used in a multi-stage campaign in Ukraine that ESET says likely involves Gamaredon providing initial access and Turla/Secret Blizzard delivering the backdoor. In February, April, and June 2025, ESET observed PteroGraphin, PteroOdd, and PteroPaste being used to launch Kazuar v2/v3 on Ukrainian endpoints, including activity tied to FSB-affiliated groups. The chain uses PowerShell downloaders, with delivery via the Telegraph API, Cloudflare Workers, and the IP address 91.231.182[.]187, and it has affected at least seven machines in Ukraine over the past 18 months.
Related Happenings
Turla Kazuar modular P2P botnet
Malware Activity
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
**Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
ClockRemoval.ps1 antivirus-disabling malware activity linked to Dragon Boss Solutions LLC
Malware Activity
First: 15.04.2026 17:40
Last: 15.04.2026 17:40
Sources 1
About this happening:
A signed software operation linked to **Dragon Boss Solutions LLC** was observed using **ClockRemoval.ps1** to disable antivirus on **more than 23,000 endpoints worldwide**, raisi...
Timeline
- 16.05.2026 17:15 · 2 articles · 11d ago
Secret Blizzard turns Kazuar into modular P2P botnet
Technical Analysis Update
Microsoft describes Secret Blizzard's Kazuar backdoor as a modular peer-to-peer botnet built for long-term persistence, stealth, and data collection against government, diplomatic, defense, and critical-system targets across Europe, Asia, and Ukraine. The malware uses kernel, bridge, and worker modules, relays command-and-control traffic over HTTP, WebSockets, or Exchange Web Services (EWS), stages stolen data locally before exfiltration, and adds 150 configuration options plus AMSI, ETW, and WLDP bypasses.
- Russian hackers turn Kazuar backdoor into modular P2P botnet — www.bleepingcomputer.com — 16.05.2026 17:15
- 19.09.2025 11:24 · 1 article · 8mo ago
Gamaredon tools execute Turla Kazuar v3 on a Ukrainian endpoint
Campaign Scope Update
Gamaredon tools PteroGraphin and PteroOdd were used on a Ukrainian endpoint to execute Turla's Kazuar v3 backdoor, and Kazuar had been present on the system since February 11, 2025.
- Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine — thehackernews.com — 19.09.2025 11:24