The Russian state-sponsored group Turla has turned its Kazuar backdoor into a modular peer-to-peer botnet built for stealth and persistent access, according to a technical analysis by Microsoft Threat Intelligence published Thursday. The report says the malware now uses three coordinated components and has been in use since 2017.
KEY FACTS
- Group: Turla is assessed by CISA to be tied to Russia’s FSB Center 16.
- Malware: Kazuar has evolved from a monolithic .NET backdoor into a modular bot ecosystem.
- Architecture: The malware now uses Kernel, Bridge and Worker modules.
- Delivery: Attacks have used droppers such as Pelmeni and ShadowLoader.
The report says the redesign gives Turla more flexibility, a smaller visible footprint and broader tasking options. Kernel modules manage coordination, logging and anti-analysis checks, while the Bridge module acts as a proxy to command-and-control servers.
Worker modules are used to log keystrokes, hook Windows events, track tasks and collect system details, file listings and MAPI information. Data gathered by the Workers is aggregated, encrypted and written to a dedicated working directory before exfiltration.
The malware also includes internal communication paths through Windows Messaging, Mailslot and named pipes. For external communication, it can use Exchange Web Services, HTTP and WebSockets, and one Kernel module is elected to speak for the others.
Microsoft said the leader election process depends on how long a Kernel module has been running and how often it has been interrupted by events such as reboots or logoffs. The elected leader sets other Kernel modules to silent mode and handles requests through the Bridge.
WHY IT MATTERS
The changes suggest Turla is investing in tooling that is harder to detect and more resilient across restarts. For defenders, the modular design and multiple communication paths can make detection, disruption and incident response more difficult.