Microsoft Details Kazuar Malware’s Shift Into a Modular P2P Botnet


Microsoft says Kazuar, a malware family linked to the Russian state actor Secret Blizzard, has evolved from a traditional backdoor into a modular peer-to-peer botnet built for long-term espionage.

The upgraded malware uses separate Kernel, Bridge, and Worker modules to reduce its network footprint, spread tasks across infected hosts, and keep access to targeted environments even when individual systems go offline.

Microsoft’s analysis shows that Secret Blizzard uses Kazuar to support covert intelligence collection against government, diplomatic, defense, and foreign policy-related targets, especially across Europe, Central Asia, and Ukraine.

Kazuar has become a stealth-focused espionage platform

Kazuar is not ordinary commodity malware. It is a long-running espionage tool designed for persistence, quiet data collection, and flexible command execution inside high-value networks.

Microsoft says the malware now works as a structured botnet ecosystem instead of a single backdoor. That change makes detection harder because not every infected machine needs to contact attacker infrastructure directly.

The malware can stage stolen data locally, route commands through internal communication channels, and use carefully timed exfiltration settings to blend into normal business activity.

Area | Microsoft's finding
---- | -------------------
Threat actor | Secret Blizzard
Malware family | Kazuar
Main purpose | Long-term cyberespionage and intelligence collection
Architecture | Modular peer-to-peer botnet
Main modules | Kernel, Bridge, and Worker
Known targets | Government, diplomatic, defense, and related organizations

How Kazuar reaches infected systems

Microsoft says Kazuar can arrive through several dropper variants. One observed method uses a dropper called Pelmeni, which stores an encrypted second-stage payload inside the dropper itself.

In some cases, the payload is tied to the target environment. For example, Microsoft said the payload can be encrypted with information such as the target hostname, which means it only decrypts and runs on the intended machine.

Another delivery path uses a small .NET loader placed alongside the final payload. The dropper then invokes the loader and supplies the decrypted Kazuar modules for execution.
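The host-keyed payload described above has a practical consequence for analysts: a sample detonated on a sandbox with the wrong hostname never produces the second stage, which is why Microsoft had to publish hashes of the decrypted modules rather than only of the dropper. The following Python is an added illustration of that mechanism, not Kazuar's or Pelmeni's actual code. The key derivation (SHA-256 over the normalized hostname plus a salt), the SHA-256 counter-mode keystream standing in for a block cipher, the STAGE2 marker and the HMAC tag are all assumptions made for the example.

```python
"""Host-keyed payload: the second stage only decrypts on the machine whose
hostname went into the key. Added illustration; the key derivation, cipher
and framing are assumptions, not Kazuar's real scheme."""
import hashlib
import hmac
import os

MAGIC = b"STAGE2:"  # constructed marker so a wrong key is detectable


def derive_key(hostname: str, salt: bytes) -> bytes:
    """Assumption: key = SHA-256(normalized hostname || salt)."""
    return hashlib.sha256(hostname.strip().upper().encode("utf-8") + salt).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (stand-in for a block cipher;
    the standard library has no AES and the page does not name the cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_for_host(hostname: str, payload: bytes) -> bytes:
    """Encrypt payload for one target. Layout: salt(16) | nonce(16) | tag(32) | ct."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(hostname, salt)
    ct = _xor(MAGIC + payload, _keystream(key, nonce, len(MAGIC) + len(payload)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def open_on_host(hostname: str, blob: bytes):
    """Return the payload if `hostname` is the intended target, else None."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(hostname, salt)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong machine or sandbox: a dropper would exit quietly here
    pt = _xor(ct, _keystream(key, nonce, len(ct)))
    return pt[len(MAGIC):] if pt.startswith(MAGIC) else None


def recover_with_candidates(blob: bytes, candidate_hostnames):
    """Analyst side: try hostnames from the victim inventory until one opens the blob."""
    for name in candidate_hostnames:
        payload = open_on_host(name, blob)
        if payload is not None:
            return name, payload
    return None, None


if __name__ == "__main__":
    blob = seal_for_host("WS-FINANCE-07", b"kazuar-stage2-bytes")
    print("on target:", open_on_host("ws-finance-07", blob))
    print("on sandbox:", open_on_host("SANDBOX-01", blob))
    print("recovered:", recover_with_candidates(blob, ["DC01", "WS-FINANCE-07"]))
```

The `recover_with_candidates` function is the analyst's counterpart to the dropper: when a sample refuses to unpack, the hostnames from the affected environment's asset inventory are the candidate key material, and a match both unlocks the payload and tells you which machine the operator was aiming at.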

The three Kazuar modules have separate jobs

Kazuar’s current architecture splits major functions across three module types. This design gives the malware flexibility and reduces the chance that one detected component reveals the whole operation.

The Kernel module acts as the coordinator. It manages tasks, communicates with other modules, keeps logs, handles internal routing, and performs anti-analysis checks before the malware continues running.

The Bridge module handles outside communication. It relays traffic between the elected Kernel leader and attacker-controlled command-and-control infrastructure through supported channels such as HTTP, WebSocket, or Exchange Web Services.

Module | Role in Kazuar
------ | --------------
Kernel | Coordinates tasks, manages logs, handles internal routing, and controls botnet behavior.
Bridge | Connects the botnet to external command-and-control infrastructure.
Worker | Collects data, runs assigned tasks, captures screenshots, and performs host reconnaissance.

The leader election system reduces external traffic

The most important stealth feature is Kazuar’s leader election system. Instead of every infected host contacting the attacker’s server, one Kernel module becomes the leader and communicates outward on behalf of the others.

Microsoft says this reduces visibility because defenders see less external traffic from infected systems. Non-leader hosts can remain quieter while still receiving commands and forwarding collected data through internal channels.

If the leader disappears, Kazuar can elect a new leader. This design helps the botnet remain operational even when a defender isolates or removes one infected machine.

  • Only the elected leader communicates externally.
  • Other infected hosts route activity through internal peer communication.
  • The botnet can continue operating if one host goes offline.
  • Lower external traffic makes network detection harder.
  • Internal communication can use Windows messaging, mailslots, and named pipes.
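To make the traffic-reduction point concrete, here is an added Python simulation of the pattern described above: four infected hosts, one elected leader that alone contacts C2, peers relaying through it, and a fresh election when the leader is isolated. This is not Microsoft's description of Kazuar's protocol; the election rule (lowest live peer ID wins), the message shapes and the host names are assumptions chosen for the example.

```python
"""Simulation of leader-elected peer-to-peer C2: one leader talks out, peers
relay through it, and a replacement is elected when the leader drops.
Added example; election rule and message shapes are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Peer:
    peer_id: str
    online: bool = True
    inbox: list = field(default_factory=list)   # tasks relayed in from the leader


class Botnet:
    def __init__(self, peer_ids):
        self.peers = {p: Peer(p) for p in peer_ids}
        self.external_log = []   # (leader, payload): what an egress sensor sees
        self.internal_log = []   # (src, dst, payload): named pipe / mailslot relays

    def live_peers(self):
        return sorted(p for p, peer in self.peers.items() if peer.online)

    def elect_leader(self):
        live = self.live_peers()
        return live[0] if live else None   # assumption: deterministic lowest ID wins

    def exfiltrate(self, src, data):
        """A Worker on `src` has data; route it out through the current leader."""
        leader = self.elect_leader()
        if leader is None or not self.peers[src].online:
            return False
        if src != leader:
            self.internal_log.append((src, leader, data))
        self.external_log.append((leader, data))
        return True

    def task_from_c2(self, dst, task):
        """C2 issues a task for `dst`; only the leader receives it externally."""
        leader = self.elect_leader()
        if leader is None or not self.peers[dst].online:
            return False
        self.external_log.append((leader, task))
        if dst != leader:
            self.internal_log.append((leader, dst, task))
        self.peers[dst].inbox.append(task)
        return True

    def knock_offline(self, peer_id):
        self.peers[peer_id].online = False


def hosts_seen_talking_out(net):
    """What egress monitoring alone reveals: hosts that contacted C2 directly."""
    return {leader for leader, _ in net.external_log}


def run_scenario():
    net = Botnet(["host-a", "host-b", "host-c", "host-d"])
    for h in net.live_peers():
        net.exfiltrate(h, f"screenshot from {h}")
    before = hosts_seen_talking_out(net)
    net.knock_offline("host-a")                       # defender isolates the leader
    net.task_from_c2("host-c", "collect recent documents")
    after = hosts_seen_talking_out(net)
    return before, after, net


if __name__ == "__main__":
    before, after, net = run_scenario()
    print("egress sensor saw before isolation:", before)
    print("egress sensor saw after isolation: ", after)
    print("internal relays:", net.internal_log)
```

The scenario shows the asymmetry defenders face: four compromised hosts produce a single external talker, so blocking or isolating `host-a` alone leaves `host-b` to carry on, while the evidence of the other three infections exists only in the internal relay log, which is why the named pipe and mailslot monitoring recommended later in this article matters more than egress alerts for this family.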

What Kazuar collects from infected machines

Kazuar’s Worker module performs the hands-on collection work. Microsoft said the malware can gather broad system details, take screenshots, collect files, inspect running processes, and capture information useful for espionage operations.

The system information gathered can include antivirus details, AppLocker settings, network adapters, ARP tables, network shares, running processes, active windows, recent documents, Outlook downloads, USB devices, local users, logon sessions, DNS cache, services, drivers, and update history.

Earlier Unit 42 research also described Kazuar as an advanced .NET backdoor with extensive commands for host profiling, credential theft, file manipulation, arbitrary command execution, registry activity, scripts, and sensitive application data theft.

Collection area | Examples
--------------- | --------
System profile | OS details, security tools, services, drivers, update history, and hardware details.
User activity | Active windows, recent documents, Explorer history, and Outlook downloads.
Network data | Network adapters, ARP tables, DNS cache, network shares, and active connections.
Files and screenshots | Automated file harvesting and screenshot capture.
Execution tasks | Command execution, scripts, registry operations, and custom network requests.

Configuration depth makes Kazuar harder to hunt

Microsoft said Kazuar now supports around 150 configuration types across communication, execution, security bypass, tasking, data exfiltration, file collection, and operational state management.

This lets operators change how the malware behaves without rebuilding the entire tool. They can adjust communication methods, task timing, file collection rules, process injection settings, and exfiltration windows.

[Figure: Example delivery chain (Source – Microsoft)]

That flexibility makes static indicators less reliable. A hash or filename may help in one incident, but defenders also need behavioral detection focused on how Kazuar stages data, routes messages, and communicates internally.

Secret Blizzard’s targets and attribution

Microsoft attributes Kazuar activity to Secret Blizzard, a Russian state actor also tracked by other vendors under names such as Turla, Uroburos, Venomous Bear, Blue Python, WRAITH, and ATG26.

Microsoft said CISA has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service. The group has a long record of targeting ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies.

Microsoft also noted that Secret Blizzard has targeted systems in Ukraine previously compromised by Aqua Blizzard, likely to support Russia’s foreign policy and military objectives.

Why defenders should focus on behavior

Kazuar’s modular design makes single-sample analysis less useful. Defenders should look for patterns that keep the botnet working, including leader election behavior, inter-process communication, encrypted local staging, and periodic exfiltration.

Microsoft recommends hardening endpoint protection, enabling network protection, using attack surface reduction rules, blocking potentially obfuscated scripts, monitoring PowerShell activity, and running endpoint detection and response in block mode.

[Figure: High-level module messaging map (Source – Microsoft)]

Organizations at higher risk should also monitor named pipes, unusual internal communication between hosts, unexpected hidden windows, suspicious working directories, and encrypted data staging files.

  • Enable endpoint detection and response in block mode.
  • Turn on tamper protection and real-time antivirus protection.
  • Use attack surface reduction rules against suspicious scripts and process creation.
  • Monitor PowerShell module and script block logging.
  • Look for unusual named pipe and inter-process communication activity.
  • Review unexpected local data staging and encrypted files.
  • Watch for suspicious Exchange Web Services, WebSocket, or HTTP-based C2 traffic.
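As an added example of the named pipe hunting called for above, the Python below runs a simple analysis over constructed Sysmon-style records (Event ID 17 is pipe creation, Event ID 18 is pipe connection). It flags pipe names outside a site baseline, raises the weight when the creating process runs from a user-writable directory, and, most usefully for a peer-to-peer implant, correlates the same unbaselined pipe name across several hosts. The baseline patterns, the `\7a2f-sync` pipe name, the file paths and the events are all constructed for the example; none are indicators Microsoft published.

```python
"""Hunting for unbaselined named pipes across hosts. Added example over
constructed Sysmon-style records; baseline patterns and sample events are
assumptions, not published Kazuar indicators."""
import re
from collections import defaultdict

# Assumption: a site baseline of pipe names that legitimate software creates.
KNOWN_PIPE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^\\lsass$", r"^\\srvsvc$", r"^\\wkssvc$", r"^\\spoolss$",
    r"^\\PSHost\.", r"^\\mojo\.\d+", r"^\\crashpad_\d+",
)]
# Pipes created or opened by binaries in user-writable locations deserve a look.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS01", "event_id": 17, "image": r"C:\Windows\System32\lsass.exe", "pipe": r"\lsass"},
    {"host": "WS01", "event_id": 17, "image": r"C:\Users\jdoe\AppData\Local\Temp\upd\host.exe", "pipe": r"\7a2f-sync"},
    {"host": "WS02", "event_id": 18, "image": r"C:\Users\ksmith\AppData\Roaming\upd\host.exe", "pipe": r"\7a2f-sync"},
    {"host": "WS03", "event_id": 17, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pipe": r"\mojo.4412"},
    {"host": "WS03", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe", "pipe": ""},
]


def is_baselined(pipe: str) -> bool:
    return any(p.search(pipe) for p in KNOWN_PIPE_PATTERNS)


def analyze(events):
    """Return one finding per suspicious pipe event, with cross-host correlation."""
    findings = []
    hosts_per_pipe = defaultdict(set)
    for e in events:
        if e["event_id"] not in (17, 18) or is_baselined(e["pipe"]):
            continue
        hosts_per_pipe[e["pipe"]].add(e["host"])
        reasons = ["pipe name not in baseline"]
        if USER_WRITABLE.match(e["image"]):
            reasons.append("creating/connecting process runs from a user-writable path")
        findings.append({"host": e["host"], "pipe": e["pipe"], "image": e["image"],
                         "reasons": reasons, "severity": "medium"})
    # Second pass: the same odd pipe name on several hosts points at one toolkit,
    # which is exactly what a relaying peer-to-peer implant looks like.
    for f in findings:
        hosts = hosts_per_pipe[f["pipe"]]
        if len(hosts) > 1:
            f["reasons"].append(f"same unbaselined pipe on {len(hosts)} hosts: {sorted(hosts)}")
            f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["pipe"], f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

In a real deployment the events come from Sysmon, the EDR's pipe telemetry, or a SIEM query, and the baseline is built from a quiet period in your own fleet; the logic that pays off is the second pass, because a single-host EDR alert on one odd pipe is easy to dismiss while the same pipe name on two or more machines is not.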

Known Kazuar indicators

Microsoft published several indicators tied to the analyzed Kazuar components. Security teams can use these indicators as part of a wider detection strategy, but they should not rely on hashes alone.

SHA-256 | Description
------- | -----------
69908f05b436bd97baae56296bf9b9e734486516f9bb9938c2b8752e152315d4 | hpbprndiLOC.dll, Kazuar loader
c1f278f88275e07cc03bd390fe1cbeedd55933110c6fd16de4187f4c4aaf42b9 | Decrypted Kernel module
6eb31006ca318a21eb619d008226f08e287f753aec9042269203290462eaa00d | Decrypted Bridge module
436cfce71290c2fc2f2c362541db68ced6847c66a73b55487e5e5c73b0636c85 | Decrypted Worker module

Kazuar shows how espionage malware is changing

Kazuar’s evolution shows how nation-state malware is moving toward resilience by design. The tool does not only hide from antivirus scans. It reduces the number of infected hosts that speak to external infrastructure and keeps activity distributed inside the network.

That approach creates a harder problem for defenders. Blocking one command-and-control path or removing one infected host may not fully disrupt the operation if other nodes can continue routing tasks.

For government, defense, diplomatic, and high-risk research organizations, Kazuar should trigger a wider review of endpoint visibility, internal traffic monitoring, credential hygiene, and incident response readiness.

FAQ

What is Kazuar malware?

Kazuar is a sophisticated malware family linked to Secret Blizzard, a Russian state actor. Microsoft says it has evolved from a traditional backdoor into a modular peer-to-peer botnet used for long-term espionage and data collection.

Who uses Kazuar?

Microsoft attributes Kazuar activity to Secret Blizzard, a Russian state actor that overlaps with groups tracked as Turla, Uroburos, Venomous Bear, Blue Python, WRAITH, and ATG26.

What are Kazuar’s main modules?

Kazuar uses three main module types: Kernel, Bridge, and Worker. The Kernel coordinates activity, the Bridge handles external command-and-control communication, and the Worker collects data and performs assigned tasks on infected hosts.

Why is Kazuar’s peer-to-peer design dangerous?

Kazuar’s peer-to-peer design lets only one elected leader communicate externally while other infected systems stay quieter. This reduces visible command-and-control traffic and helps the botnet keep working if one infected host is removed.

How can organizations detect Kazuar activity?

Organizations should focus on behavior such as unusual named pipe activity, hidden windows, encrypted local staging files, suspicious internal host communication, PowerShell activity, and unusual WebSocket, HTTP, or Exchange Web Services traffic. Hash indicators can help, but behavioral detection is more important.
