Russian FSB actor Turla rebuilds Kazuar backdoor as a modular peer-to-peer botnet
Microsoft Threat Intelligence detailed how Turla, the Russian state actor attributed by CISA to the FSB's Center 16, has transformed its .NET Kazuar backdoor from a monolithic implant into a modular peer-to-peer botnet ecosystem. The new architecture splits responsibilities across three component types - Kernel, Bridge, and Worker - and uses a leader-election mechanism so only one infected host actually talks to the external C2 server, dramatically reducing observable network noise. Turla (also tracked as Secret Blizzard, Snake, Venomous Bear, Uroburos, WRAITH) has been targeting government, diplomatic, and defense organizations across Europe, Central Asia, and Ukraine since 2017; recent operations also leverage Gamaredon for initial access before deploying Kazuar v3.
- Check: Hunt for .NET assemblies sideloaded as COM objects with small loader stubs, look for Kazuar Worker behaviors (Outlook data collection, USB metadata, network share enumeration), and review east-west traffic for low-volume peering between internal hosts.
- Affected: Government, diplomatic, defense, and defense-adjacent organizations in Europe, Central Asia, and Ukraine. Historic FSB target patterns include foreign ministries, embassies, and defense contractors; Gamaredon initial-access activity widens the candidate set across Eastern European industry.
- Fix: Block known Kazuar v3 hashes and infrastructure from Microsoft's report, deploy detections for the Kernel-Bridge-Worker P2P pattern (a single external talker per cluster), and tighten Outlook PST and USB-history access with EDR rules.
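The east-west hunt from the Check item and the "single external talker per cluster" detection from the Fix item can be expressed as one heuristic over flow records: group internal hosts joined by low-volume peer traffic, then flag any group in which exactly one member originates connections outside the enterprise range. The code below is an added illustration, not tooling from Microsoft's report; the flow records, the 10.0.0.0/8 internal range and the 4 KiB low-volume threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Assumption: the enterprise address space is 10.0.0.0/8; adjust for your network.
INTERNAL = ip_network("10.0.0.0/8")
# Constructed flow records (src, dst, bytes) for illustration; not telemetry from the report.
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 1800),      # Worker <-> Bridge peering, low volume
    ("10.0.1.11", "10.0.1.10", 2100),
    ("10.0.1.11", "10.0.1.12", 1500),
    ("10.0.1.12", "10.0.1.11", 1700),
    ("10.0.1.12", "203.0.113.7", 9200),    # only one cluster member reaches outside
    ("10.0.2.20", "10.0.2.21", 900),       # benign pair: both hosts talk externally
    ("10.0.2.20", "198.51.100.9", 3000),
    ("10.0.2.21", "198.51.100.9", 3100),
    ("10.0.3.30", "10.0.3.31", 5_000_000), # bulk file copy: not low volume, ignored
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def find_peer_clusters(flows, low_volume_max=4096):
    """Union-find over internal hosts joined by low-volume east-west flows."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst) and nbytes <= low_volume_max:
            parent[find(src)] = find(dst)
    clusters = defaultdict(set)
    for host in parent:
        clusters[find(host)].add(host)
    return [c for c in clusters.values() if len(c) >= 2]

def external_talkers(flows, cluster):
    """Cluster members that originate flows to addresses outside INTERNAL."""
    return {src for src, dst, _ in flows if src in cluster and not is_internal(dst)}

def suspicious_clusters(flows, low_volume_max=4096):
    """Clusters with exactly one external talker: the leader-election signature."""
    hits = []
    for cluster in find_peer_clusters(flows, low_volume_max):
        ext = external_talkers(flows, cluster)
        if len(ext) == 1:
            hits.append((frozenset(cluster), ext.pop()))
    return hits
```

On the constructed records only the 10.0.1.x group is reported, with 10.0.1.12 as the lone external talker; the 10.0.2.x pair is ignored because both members reach outside, and the bulk copy never forms a cluster.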