Russian Hackers Rebuilt Their Flagship Backdoor To Be Nearly Invisible On Corporate Networks

Microsoft warns an FSB-linked hacker group rebuilt its Kazuar backdoor into a three-part botnet designed for long-term espionage.

Published on May 18, 2026

FSB-Linked Secret Blizzard Redesigns Kazuar as Modular Botnet for Long-Term Stealth Access

Russia’s FSB-linked threat group Secret Blizzard rebuilt the Kazuar backdoor, turning it into a modular peer-to-peer botnet, according to a Microsoft Threat Intelligence report published May 14, 2026. The redesign makes Kazuar significantly harder to detect and better suited to long-term covert access and intelligence collection.

Secret Blizzard, also tracked as Turla, Uroburos, and Venomous Bear, is known for targeting government, diplomatic, and defense organizations across Europe, Asia, and Ukraine. Microsoft’s report noted that the upgrade “aligns with Secret Blizzard’s broader objective of gaining long-term access to systems for intelligence collection.”

The group also targeted systems in Ukraine that had previously been compromised by Aqua Blizzard, very likely to obtain information supporting Russia’s foreign policy and military objectives. CISA has attributed Secret Blizzard to Center 16 of Russia’s FSB, one of Russia’s signals intelligence and computer network operations services.

Kazuar has been active since 2017, with its code lineage traced back to 2005.

How Kazuar Now Works

The original Kazuar operated as a single monolithic backdoor. The rebuilt version is structured around three distinct components that divide responsibilities across a botnet.

  • The Kernel acts as a central coordinator, managing tasks, electing a leader node, and controlling internal communications.
  • The Bridge serves as an external communications proxy, relaying traffic between the Kernel leader and the command-and-control server via HTTP, WebSocket, and Exchange Web Services.
  • The Worker is the espionage engine, responsible for keylogging, capturing screenshots, and harvesting filesystem data.

Leader election is a key stealth mechanism. One Kernel node is elected as leader based on uptime and interruption counts. Only the leader communicates externally; all other nodes operate silently, reducing outbound traffic and evading detection tools that flag anomalous network volume.

When nodes communicate internally, they use Windows Messaging, Mailslots, and named pipes, blending with normal system traffic. These messages are AES-encrypted and serialized with Protocol Buffers. Data is staged locally in a working directory before being exfiltrated in chunks through the Bridge module.

The botnet supports 150 configuration options, giving operators granular control over how it runs. Configurable settings include AMSI, ETW, and WLDP (Windows Lockdown Policy) bypass; task scheduling; exfiltration timing; chunk size; and process injection methods.

Microsoft Publishes Defender Configurations and IoCs for Kazuar

Microsoft recommends enabling network protection and tamper protection in Microsoft Defender for Endpoint, running EDR in block mode, and configuring investigation and remediation in fully automated mode. Defenders should also enable attack surface reduction rules, including blocking execution of potentially obfuscated scripts and blocking process creations originating from PSExec and Windows Management Instrumentation (WMI) commands.
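The settings above that are exposed through the Defender Antivirus PowerShell module can be audited and applied from an elevated console. The following script is an added example, not code from Microsoft's report; the two ASR rule GUIDs are taken from Microsoft's public ASR rules reference and should be checked against the current reference table before deployment, and the function names are this example's own.

```powershell
# Added example (not from the Microsoft report): audit and apply the
# Defender for Endpoint settings the article lists that are reachable
# through the Defender Antivirus PowerShell module. Tamper protection,
# EDR in block mode and automated investigation/remediation are set in
# the Defender portal or Intune, so only tamper protection is read here.
# Run elevated on the endpoint being hardened.

# ASR rule GUIDs from Microsoft's ASR rules reference table; verify
# against the current table before rolling out.
$AsrRules = @{
    'Block execution of potentially obfuscated scripts'            = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block process creations originating from PSExec and WMI commands' = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
}

function Get-KazuarHardeningStatus {
    # Returns one object summarising the settings the article calls out.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Ids and Actions are parallel arrays: 0 = Disabled, 1 = Block,
    # 2 = Audit, 6 = Warn.
    $asr = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $asr[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] =
            $pref.AttackSurfaceReductionRules_Actions[$i]
    }

    $rows = foreach ($name in $AsrRules.Keys) {
        $id = $AsrRules[$name]
        [pscustomobject]@{
            Setting = $name
            State   = if ($asr.ContainsKey($id)) { $asr[$id] } else { 'NotConfigured' }
        }
    }
    $rows += [pscustomobject]@{
        Setting = 'Network protection (1 = Enabled, 2 = Audit)'
        State   = $pref.EnableNetworkProtection
    }
    $rows += [pscustomobject]@{
        Setting = 'Tamper protection'
        State   = $status.IsTamperProtected
    }
    $rows
}

function Enable-KazuarHardening {
    # Switch the listed settings to block mode, or to audit mode first
    # with -AuditOnly so production impact can be measured before enforcing.
    param([switch]$AuditOnly)
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }

    Set-MpPreference -EnableNetworkProtection $action
    foreach ($id in $AsrRules.Values) {
        # Add-MpPreference appends to the rule list without clearing
        # rules that are already configured by other policy.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $action
    }
}

# Usage:
#   Get-KazuarHardeningStatus | Format-Table -AutoSize
#   Enable-KazuarHardening -AuditOnly   # observe first
#   Enable-KazuarHardening              # then enforce
```

Start the two ASR rules in audit mode and review the resulting events before enforcing them; the PSExec/WMI rule in particular can break legitimate management tooling, and a rule that breaks administration tends to get disabled rather than tuned. Where settings are managed by Intune or Group Policy, local changes are overwritten at the next policy refresh, so make the change in the management plane.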

Microsoft has published four indicators of compromise for this campaign, including SHA-256 hashes for the Kazuar Loader, decrypted Kernel module, decrypted Bridge module, and decrypted Worker module.
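A defender's first use of those four hashes is a sweep of endpoints and file servers. The following is an added example rather than code from the report: the hash values are labelled placeholders that must be replaced with the SHA-256 values Microsoft published, and the function name is this example's own. Note that three of the four indicators are hashes of the decrypted Kernel, Bridge and Worker modules, so an on-disk sweep is mainly expected to catch the loader; the decrypted modules are what an analyst sees after unpacking or in a memory capture.

```powershell
# Added example (not from the Microsoft report): hash files under the
# given paths and report any whose SHA-256 matches a published indicator.
# The keys below are PLACEHOLDERS; replace them with the four SHA-256
# values from Microsoft's report before use.
$KazuarIocs = @{
    'SHA256_PLACEHOLDER_KAZUAR_LOADER'           = 'Kazuar Loader'
    'SHA256_PLACEHOLDER_DECRYPTED_KERNEL_MODULE' = 'Kazuar Kernel module (decrypted)'
    'SHA256_PLACEHOLDER_DECRYPTED_BRIDGE_MODULE' = 'Kazuar Bridge module (decrypted)'
    'SHA256_PLACEHOLDER_DECRYPTED_WORKER_MODULE' = 'Kazuar Worker module (decrypted)'
}

function Find-KazuarIoc {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [hashtable]$Iocs = $KazuarIocs,
        # Skip very large files; the indicators are small modules and
        # hashing multi-gigabyte archives adds time without value.
        [long]$MaxBytes = 100MB
    )

    # Get-FileHash returns uppercase hex, so normalise the lookup keys.
    $lookup = @{}
    foreach ($k in $Iocs.Keys) { $lookup[$k.ToUpperInvariant()] = $Iocs[$k] }

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $_.Length -le $MaxBytes } |
        ForEach-Object {
            try {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                # Locked or access-denied files are skipped, not fatal;
                # a file that cannot be read is worth a separate look.
                return
            }
            if ($lookup.ContainsKey($h)) {
                [pscustomobject]@{
                    Component = $lookup[$h]
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Modified  = $_.LastWriteTimeUtc
                    SHA256    = $h
                }
            }
        }
}

# Usage (writes a CSV that can be fed to the incident tracker):
#   Find-KazuarIoc -Path 'C:\Users', 'C:\ProgramData', 'C:\Windows\Temp' |
#       Export-Csv -NoTypeInformation -Path .\kazuar-ioc-hits.csv
```

A hit is a reason to isolate the host and preserve it, not to delete the file: the loader's presence implies the modules and the staged working directory described earlier are somewhere on the system, and a full hash sweep across a fleet is better run from the EDR's file-hash search than by logging on to each machine.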

Microsoft Defender detections cover the malware components under the names Kazuar, KazuarModule, KazuarLoader, ShadowLoader, and ToxicDust.