The transformation of the backdoor known as Kazuar into a modular peer-to-peer botnet by the Russian group known as Secret Blizzard changes the rules of the game for the defenses of public and private organizations: it is no longer just an access tool, but a platform designed to persist, go unnoticed and extract intelligence under fine-grained operator control.
Kazuar has a long history - researchers trace its code lineage back to the mid-2000s and its use has been documented since 2017 - and its relationship with families attributed to Russian services such as Turla or Uroburos makes every new technique an indicator of a state-of-the-art campaign. The most relevant change in the latest variant is its three-module architecture (Kernel, Bridge and Worker), which allows the internal election of a "leader" within the compromised network and drastically reduces the noise of external communications by concentrating them on a single node.

That elected-leader design and the use of legitimate internal Windows IPC channels such as named pipes, mailslots and Windows messages, encrypted with AES and packaged with Protobuf, seek to blend in with normal telemetry and evade controls based on signatures or spikes in outbound traffic. The Bridge module acts as a proxy to the C2 using HTTP, WebSockets or Exchange Web Services (EWS), while the Workers carry out the collection: keylogging, screenshots, email and document search and extraction, network reconnaissance, and process injection techniques.
The practical consequence for defenders is clear: traditional techniques based on signatures, or on alerts triggered by many hosts beaconing out, lose effectiveness. The threat is persistent and targeted, aimed at accumulating emails and documents of political or strategic value over long periods, so early detection and rapid containment are critical.
At the operational and technical level, it is appropriate to prioritize behavioral detection and enriched telemetry: monitoring process behavior patterns, correlating unusual IPC events, spotting duplicated processes that perform injections, the creation of staging files on disk, and data egress concentrated on a single exit point. Exchange and proxy logs should be reviewed for unexpected WebSocket and EWS traffic, and for hosts that act as the only external emitters within segments that are otherwise mostly internal.
The specific measures security teams should implement include strengthening EDR controls with behavioral rules, enabling and centralizing Windows logs (including process events and AMSI / ETW / WLDP where available) to detect bypasses, blocking or restricting EWS if it is not required, applying strict egress filtering with allow-lists on proxies and firewalls, and segmenting networks to reduce the chance that an internal leader can harvest information from an entire subnet.
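The two detection signals above (a single host carrying all of a segment's WebSocket/EWS egress, and an untrusted process serving a named pipe that many other processes connect to) can be expressed as simple hunting logic over existing telemetry. The script below is an added example written for this article, not code from the article or from Microsoft's analysis; the proxy records, the Sysmon-style named-pipe events (event 17 = pipe created, 18 = pipe connected), the IP ranges, segment names, pipe names and image paths are all constructed for illustration, and the thresholds and trusted-path list are assumptions a team would tune to its own environment.

```python
"""Hunt for a single-egress 'leader' host and unusual named-pipe fan-in.

Added example; all records, ranges and names below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed egress (proxy/firewall) records: (src_ip, protocol tag, destination).
EGRESS = [
    ("10.10.1.15", "websocket", "cdn-updates.example"),
    ("10.10.1.15", "ews", "mail.example"),
    ("10.10.1.15", "websocket", "cdn-updates.example"),
    ("10.10.2.7", "http", "intranet.example"),
    ("10.10.2.9", "websocket", "chat.example"),
    ("10.10.2.12", "websocket", "chat.example"),
    ("10.10.3.4", "http", "intranet.example"),
]

# Constructed Sysmon-style pipe events: 17 = pipe created (server), 18 = pipe connected (client).
PIPES = [
    {"host": "10.10.1.15", "event": 17, "pipe": "\\\\.\\pipe\\svc-bridge-1", "image": "C:\\Users\\x\\AppData\\Roaming\\upd.exe"},
    {"host": "10.10.1.15", "event": 18, "pipe": "\\\\.\\pipe\\svc-bridge-1", "image": "C:\\Windows\\explorer.exe"},
    {"host": "10.10.1.15", "event": 18, "pipe": "\\\\.\\pipe\\svc-bridge-1", "image": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "10.10.1.15", "event": 18, "pipe": "\\\\.\\pipe\\svc-bridge-1", "image": "C:\\Program Files\\Office\\OUTLOOK.EXE"},
    {"host": "10.10.2.9", "event": 17, "pipe": "\\\\.\\pipe\\MSSQL$SQLEXPRESS\\sql\\query", "image": "C:\\Program Files\\MSSQL\\sqlservr.exe"},
    {"host": "10.10.2.9", "event": 18, "pipe": "\\\\.\\pipe\\MSSQL$SQLEXPRESS\\sql\\query", "image": "C:\\Program Files\\App\\app.exe"},
]

# Assumed network segments and the outbound protocols the article singles out.
SEGMENTS = {"10.10.1.0/24": "hr", "10.10.2.0/24": "eng", "10.10.3.0/24": "ops"}
OUTBOUND_OF_INTEREST = {"websocket", "ews"}
# Assumed "usually benign" pipe-server locations; a pipe server elsewhere is worth a look.
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\", "c:\\program files")


def segment_of(ip, segments=SEGMENTS):
    """Map an IP to its segment name, or None if it is outside the known ranges."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in segments.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def sole_external_emitters(egress=EGRESS, segments=SEGMENTS, protocols=OUTBOUND_OF_INTEREST):
    """Return {segment: host} for segments where exactly one host produces all
    WebSocket/EWS egress: the single-external-emitter pattern described above."""
    per_segment = defaultdict(set)
    for src, proto, _dst in egress:
        if proto in protocols:
            seg = segment_of(src, segments)
            if seg:
                per_segment[seg].add(src)
    return {seg: next(iter(hosts)) for seg, hosts in per_segment.items() if len(hosts) == 1}


def pipe_fan_in(pipes=PIPES, min_clients=3):
    """Return {(host, pipe): distinct_client_images} for pipes created by an image
    outside the trusted locations and then connected to by many different
    client images, i.e. several processes funnelling into one untrusted pipe server."""
    creators = {}
    for ev in pipes:
        if ev["event"] == 17 and not ev["image"].lower().startswith(TRUSTED_IMAGE_PREFIXES):
            creators[(ev["host"], ev["pipe"])] = ev["image"]
    clients = defaultdict(set)
    for ev in pipes:
        key = (ev["host"], ev["pipe"])
        if ev["event"] == 18 and key in creators:
            clients[key].add(ev["image"])
    return {key: len(images) for key, images in clients.items() if len(images) >= min_clients}


def leader_candidates(egress=EGRESS, pipes=PIPES, segments=SEGMENTS):
    """Hosts that are both the lone egress point of their segment and run a
    suspicious pipe server; these are the first hosts to triage."""
    emitters = set(sole_external_emitters(egress, segments).values())
    pipe_hosts = {host for host, _pipe in pipe_fan_in(pipes)}
    return sorted(emitters & pipe_hosts)


if __name__ == "__main__":
    print("sole emitters:", sole_external_emitters())
    print("pipe fan-in:", pipe_fan_in())
    print("leader candidates:", leader_candidates())
```

On the constructed data only 10.10.1.15 trips both rules: it is the only WebSocket/EWS source in its segment, and a pipe server it started from a user-profile path is contacted by three distinct client processes. Either signal alone produces false positives (a legitimate relay host, a vendor agent with its own pipe), which is why the combination, fed from centralized proxy and Sysmon logs, is the useful triage input rather than either rule by itself.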

It is not enough to have patches and signatures: it must be assumed that such an infection seeks to remain and to move laterally in an inconspicuous way. This is why credential hygiene, multi-factor authentication for administrative access, rotation of secrets, review of accounts with standing privileges, and response plans that include rapid isolation, forensic capture and restoration from verified backups are essential. It is also advisable to review Exchange configurations and to disable old or unnecessary services that can be used for covert communications.
For those who need to go deeper into the technical research and official recommendations, Microsoft has published a detailed analysis of this Kazuar variant that describes its architecture and configuration options, useful for prioritizing detections: Microsoft: Kazuar - Anatomy of a nation-state botnet. In addition, for context on groups with historical overlaps and espionage tactics, the MITRE ATT&CK group collection offers a useful mapping of techniques and procedures: MITRE ATT&CK - Turla (G0010).
Ultimately, the emergence of a modular P2P platform like Kazuar is a reminder that intelligence operations targeting governments and diplomacy require a defensive posture that combines deep telemetry, segmentation, egress controls and regular detection and response exercises. Detecting a "leader" that talks to the outside and internal encrypted IPC patterns may be the signal that lets a campaign be interrupted before large volumes of sensitive data have been exfiltrated.