Russian APT Turla builds long-term access tool with Kazuar Botnet evolution

Pierluigi Paganini
May 16, 2026

Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems.

Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent access to infected systems. Microsoft researchers say the malware allows attackers to maintain long-term control while making detection and disruption more difficult.

The Turla APT group (aka Secret Blizzard, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON)  has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Russia-nexus actor is assessed to be affiliated with Center 16 of Russia’s Federal Security Service (FSB).

The hacking group is known for its attacks targeting government, diplomatic, and defense sectors in Europe and Central Asia, as well as endpoints previously breached by Aqua Blizzard (aka Actinium and Gamaredon) to support the Kremlin’s strategic objectives.

Kazuar, the malware linked to the Russian state-backed group Secret Blizzard, has evolved from a traditional backdoor into a sophisticated modular peer-to-peer botnet designed for stealth, resilience, and long-term espionage operations.

“Over time, Kazuar has expanded from a relatively traditional backdoor into a highly modular peer-to-peer (P2P) botnet ecosystem designed to enable persistent, covert access to target environments.” reads the analysis published by Microsoft. “This upgrade aligns with Secret Blizzard’s broader objective of gaining long-term access to systems for intelligence collection. “

Microsoft researchers say the malware now uses separate Kernel, Bridge, and Worker modules to distribute tasks, reduce visibility, and maintain persistent access inside compromised environments.

The APT group mainly targets government, diplomatic, and strategic organizations across Europe and Central Asia, as well as systems in Ukraine previously breached by other Russian-linked actors. Unlike many attackers that increasingly rely on legitimate system tools to evade detection, Turla has focused on building stealth and flexibility directly into Kazuar’s architecture.

The malware minimizes suspicious network activity by allowing only one elected node to communicate externally while other infected systems exchange data internally through peer-to-peer communications. Kazuar also supports multiple fallback command-and-control channels, staged data collection, and flexible task execution, helping operators maintain access even when parts of the infrastructure are disrupted.

Researchers say defenders should focus less on individual malware samples and more on the behaviors that keep the botnet functioning, including leader election, inter-process communication, staged working directories, and periodic data exfiltration.

The APT group spreads the malware through multiple delivery chains, including droppers that decrypt payloads only on targeted systems and lightweight .NET loaders that execute Kazuar modules directly in memory to reduce detection.

The botnet relies on three core components, Kernel, Bridge, and Worker modules, that cooperate to manage tasks, communications, surveillance, and data theft. The Kernel acts as the command center, coordinating operations, distributing work, and performing anti-analysis checks before the malware fully activates.

The Bridge module works as the communication gateway between infected systems and the attackers’ command-and-control servers. Instead of allowing every compromised machine to connect directly to external infrastructure, Kazuar routes traffic through a single elected leader node that uses the Bridge to send and receive commands, tasks, and stolen data. This design reduces suspicious network activity and helps the malware remain hidden.

Kazuar supports a wide range of configuration options covering command-and-control communications, process injection, security bypasses, data exfiltration timing, file harvesting, keylogging, and monitoring. Operators can dynamically change these settings from the command server at any time, giving the malware significant operational flexibility.

To reduce visibility, only one elected “leader” node communicates externally with the command-and-control infrastructure while other infected systems remain in silent mode and communicate internally through encrypted peer-to-peer channels. The malware supports multiple fallback communication methods, including HTTP, WebSockets, and Exchange Web Services, helping it survive infrastructure disruptions.

Worker modules handle surveillance and collection tasks such as keylogging, screenshot capture, email monitoring, file collection, and system reconnaissance. Stolen information is encrypted, staged locally, and later exfiltrated through the botnet’s communication infrastructure. Researchers say Kazuar’s modular architecture allows Secret Blizzard to maintain resilient and covert access to compromised networks while minimizing opportunities for detection.

Once Kazuar completes its setup process and elects a leader node, the malware shifts into a long-term operational mode focused on stealth, coordination, and intelligence collection. The elected Kernel leader centrally manages tasks and communications while keeping the botnet’s external footprint as small as possible. Worker modules then carry out surveillance and collection activities in the background, gathering information based on schedules and limits defined in the malware configuration.

“With the botnet setup complete, configurations instantiated, and a leader elected, Kazuar transitions into its steady state operational phase. In this state, the elected Kernel leader centrally coordinates tasking and data collection across participating modules while maintaining a deliberately low observable footprint.” continues the report. “Worker modules execute tasks asynchronously based on configuration and assignments received from the Kernel, collecting system, file, window, and user activity data according to defined schedules and limits.”

The malware uses structured message packets built with Google Protocol Buffers (Protobuf) to allow modules to exchange commands, task data, and operational information efficiently. These packets also contain transport instructions that tell the Bridge module how to communicate with external command-and-control infrastructure using HTTP, WebSockets, or Exchange Web Services.

“When sending a message, the dispatch function examines the contents of the message packet to determine the appropriate delivery mechanism, resolves the corresponding Mailslot name or window class identifier, and routes the packet to the intended module.” continues the report.

Kazuar also relies on a dedicated working directory that acts as a centralized staging area for logs, task files, configuration data, screenshots, collected documents, and keylogger output. The malware encrypts stolen information before storing it locally and later forwards it to the attackers through the Bridge module. Researchers say this filesystem organization helps the botnet maintain persistence, survive reboots or leadership changes, and separate data collection from exfiltration activities.

The Worker modules support a wide range of espionage functions, including command execution, screenshot capture, keylogging, file harvesting, and extensive system reconnaissance.

Kazuar can collect details about installed software, security products, network activity, USB devices, running processes, user accounts, browser activity, Outlook data, DNS cache, PowerShell versions, and even screenshots taken automatically or on demand.

The report also includes mitigation and protection guidance.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon