Find notable cyber news and cases, enriched with sources, timelines, and signals.

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
First reported
Last updated
Happening score
H score 28
2 unique sources, 2 articles

Summary

Hide ▲

Kazuar is being used in a multi-stage campaign in Ukraine that ESET says likely involves Gamaredon providing access and Turla/Secret Blizzard delivering the backdoor. In February, April, and June 2025, ESET observed PteroGraphin, PteroOdd, and PteroPaste being used to launch Kazuar v2/v3 on Ukrainian endpoints, including activity tied to FSB-affiliated groups. The chain uses PowerShell downloaders and delivery via Telegraph API, Cloudflare Workers, and the domain 91.231.182[.]187, and it has affected at least seven machines in Ukraine over the past 18 months.

Related Happenings

Turla STOCKSTAY phishing campaign targeting Ukraine and Europe

Campaign
H score37 First: 26.06.2026 10:15 Last: 26.06.2026 10:15 Sources 1

About this happening: Turla's **STOCKSTAY** phishing campaign is targeting **government and military organizations in Ukraine** and selected **European entities**, extending a recurring espionage opera...

Turla Kazuar modular P2P botnet

Malware Activity
H score16 First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: **Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...

Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis

Technical Analysis
H score19 First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...

Gremlin stealer modular toolkit evolution

Malware Activity
H score21 First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
H score28 First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

Timeline

  1. 16.05.2026 17:15 2 articles · 1mo ago

    Secret Blizzard turns Kazuar into modular P2P botnet

    Technical Analysis Update

    Microsoft describes Secret Blizzard's Kazuar backdoor as a modular peer-to-peer botnet built for long-term persistence, stealth, and data collection against government, diplomatic, defense, and critical-system targets across Europe, Asia, and Ukraine. The malware uses kernel, bridge, and worker modules, relays command-and-control traffic over HTTP, WebSockets, or Exchange Web Services (EWS), stages stolen data locally before exfiltration, and adds 150 configuration options plus AMSI, ETW, and WLDP bypasses.

    Show sources