
Secret Blizzard Upgrades Kazuar Backdoor Into P2P Botnet

Secret Blizzard evolved Kazuar into a modular P2P botnet with 150 config options, AMSI/ETW bypass, and silent-mode nodes. Microsoft details the three-module architecture.

Executive Summary

Russian state-sponsored group Secret Blizzard has transformed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet, according to a new analysis from Microsoft. The upgraded malware now operates through three distinct modules — kernel, bridge, and worker — and supports over 150 configuration options, including built-in bypasses for Antimalware Scan Interface (AMSI), Event Tracing for Windows (ETW), and Windows Lockdown Policy (WLDP). Secret Blizzard, whose operations overlap with Turla, Uroburos, and Venomous Bear, is tied to the Russian Federal Security Service (FSB) and has historically targeted government and diplomatic organizations across Europe, Asia, and Ukraine.

Technical Analysis

Microsoft researchers analyzed a recent variant of Kazuar and found the malware now uses a leader-election model to minimize its network footprint. The kernel module acts as the central coordinator, managing tasks, controlling other modules, and electing a leader among infected systems within a compromised network segment. Only the leader communicates with the remote command-and-control (C2) server; non-leader systems enter a "silent" mode, avoiding direct external connections. The leader is selected autonomously based on uptime, reboot count, and interruption history.

The bridge module serves as the external communications proxy, relaying traffic between the elected kernel leader and the C2 infrastructure via HTTP, WebSockets, or Exchange Web Services (EWS). Internal communications between modules rely on inter-process communication (IPC) methods including Windows Messaging, Mailslots, and named pipes — all of which blend into normal system activity. All IPC messages are AES-encrypted and serialized using Google Protocol Buffers (Protobuf).

The worker module handles the actual espionage operations: keylogging, screen capture, filesystem harvesting, system and network reconnaissance, email collection via MAPI (including Outlook downloads), window monitoring, and theft of recent files. Collected data is encrypted, staged locally, and exfiltrated through the bridge module.

Kazuar's configuration engine now supports 150 options, enabling operators to toggle specific security bypasses, schedule tasks, control data theft timing and exfiltration chunk sizes, perform process injection, and manage command execution. The AMSI, ETW, and WLDP bypasses are particularly notable, as they allow the malware to evade detection by security products that rely on these Windows security features.

Microsoft notes that Kazuar's code lineage traces back to at least 2005, with public documentation dating to 2017. Previous deployments targeted European government organizations in 2020 and Ukrainian entities in 2023. The group's typical objective is long-term persistence for intelligence collection, specifically exfiltrating politically significant documents and email content.

Mitigations & Recommendations

Microsoft recommends that defenders prioritize behavioral detection over static signature-based approaches, given Kazuar's modular and highly configurable nature. Organizations should monitor for anomalous IPC activity, unexpected named pipe creation, and unusual EWS or WebSocket traffic from hosts that do not typically generate such traffic. Enabling AMSI for all scripting languages and auditing ETW providers can help detect bypass attempts. Network segmentation and strict egress filtering can reduce the risk of silent-mode nodes establishing C2 channels through the leader. Defenders in government, diplomatic, and defense sectors — particularly those operating in Europe, Asia, and Ukraine — should treat any signs of Kazuar activity as indicative of a sophisticated, state-sponsored operation.
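The two host-level signals the recommendations single out, unexpected named-pipe creation and EWS or WebSocket egress from hosts with no history of it, can be checked against a baseline with a few lines of logic. The script below is an added example, not Microsoft's detection content or anything from the report; every host name, path, destination and baseline set in it is constructed for illustration, and the trusted-directory allowlist is an assumption a real deployment would tune.

```python
"""Baseline-deviation checks for the Kazuar-style indicators named above.
All events and baselines are constructed sample data, not real telemetry."""

# Constructed pipe-creation events shaped like Sysmon Event ID 17 fields.
PIPE_EVENTS = [
    {"host": "ws-fin-07", "image": "C:\\Windows\\System32\\svchost.exe", "pipe": "\\ntsvcs"},
    {"host": "ws-fin-07", "image": "C:\\Users\\alice\\AppData\\Roaming\\upd\\upd.exe", "pipe": "\\a1b2c3"},
    {"host": "ws-hr-02", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "pipe": "\\mojo.1234"},
]
# Constructed web-proxy events: destination, URL path and HTTP Upgrade header.
PROXY_EVENTS = [
    {"host": "ws-fin-07", "dst": "mail.example.com", "path": "/EWS/Exchange.asmx", "upgrade": ""},
    {"host": "ws-hr-02", "dst": "mail.example.com", "path": "/EWS/Exchange.asmx", "upgrade": ""},
    {"host": "ws-fin-07", "dst": "cdn.example.net", "path": "/socket", "upgrade": "websocket"},
]
# Hosts seen using EWS / WebSocket in the learning window (constructed baselines).
BASELINE_EWS = {"ws-hr-02"}
BASELINE_WS = set()
# Assumption: pipe creators under these directories are considered expected.
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")


def unexpected_pipes(events):
    """Flag pipe creation by images outside the trusted directories (e.g. user-writable paths)."""
    return [(e["host"], e["image"], e["pipe"]) for e in events
            if not e["image"].lower().startswith(TRUSTED_IMAGE_PREFIXES)]


def new_egress(events, baseline_ews, baseline_ws):
    """Flag EWS or WebSocket egress from hosts absent from the respective baseline."""
    hits = []
    for e in events:
        if e["path"].lower().startswith("/ews/") and e["host"] not in baseline_ews:
            hits.append((e["host"], "ews", e["dst"]))
        if e["upgrade"].lower() == "websocket" and e["host"] not in baseline_ws:
            hits.append((e["host"], "websocket", e["dst"]))
    return hits


def correlate(pipe_hits, egress_hits):
    """Hosts showing both signals. A host that both creates odd pipes and starts new
    EWS/WebSocket egress matches the bridge-plus-IPC pattern described above, so it
    is prioritised over hosts with only one signal."""
    pipe_hosts = {h for h, _, _ in pipe_hits}
    return sorted({h for h, _, _ in egress_hits if h in pipe_hosts})


if __name__ == "__main__":
    pipes = unexpected_pipes(PIPE_EVENTS)
    egress = new_egress(PROXY_EVENTS, BASELINE_EWS, BASELINE_WS)
    print("pipes:", pipes, "\negress:", egress, "\nprioritised:", correlate(pipes, egress))
```

A host that appears only in the egress list may be a newly onboarded Exchange user rather than a leader node, so the baseline window should be long enough to cover normal turnover before the single-signal hits are treated as alerts.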
