// STATE-ACTOR INTEL · 17 MAY 2026 · UNCLASSIFIED // PUBLIC · SIG 46bb300ec1881523 · SOURCE microsoft.com
[Attack graph · lateral propagation: FSB Center 16 · C2 (EWS / HTTPS / WSS) · Bridge module · Kernel: elected leader · Kernel: SILENT · Worker module · Diplomatic host · legend: INFECTED / TARGET / CLEAN]
// News Desk · 17 May 2026 · nation state · technology · commentary

Turla rebuilds Kazuar as a peer-to-peer botnet that elects who talks

Turla has rebuilt Kazuar as a modular peer-to-peer botnet. Compromised hosts elect a single talker to the C2 server. Per-endpoint beacon detection fails by design.

The fresh Microsoft Threat Intelligence report on Turla, published on Thursday and picked up by BleepingComputer the following morning, is the kind of post that rewards close reading. The headline — “Russian hackers turn Kazuar backdoor into modular P2P botnet” — undersells what is actually being described. This is not a backdoor with a new wrapper. It is a deliberate piece of architectural engineering designed to defeat the assumption that sits underneath most modern beacon-detection programmes.

Turla, also tracked as Secret Blizzard (Microsoft), Snake, Venomous Bear, Uroburos, and a dozen other names, is the operational handle for a Russian state-intelligence team that CISA assesses to be part of Center 16 of the FSB. Their target list is consistent: government ministries, diplomatic missions, and defence-related organisations in Europe and Central Asia. Kazuar has been their .NET backdoor of choice since 2017. Until now, it was a single monolithic implant — capable, well-maintained, but architecturally conventional.

Microsoft’s analysis lays out the new shape. Kazuar has been split into three component types, each with a defined job.

The Kernel modules are the coordinators. Multiple Kernel modules run across the compromised estate and use intra-host channels — Windows messaging, Mailslot, and named pipes — to talk to each other. They hold a leadership election based on a ratio of how long each module has been running against the number of interruptions it has seen, such as reboots, logoffs, and process terminations. The most stable, longest-running, least-interrupted Kernel becomes the leader. Every other Kernel module is told to go SILENT. Only the leader logs activity, polls for new tasks, and routes them down to Workers.

The Bridge module sits between the elected Kernel leader and the outside world. It abstracts the C2 transport, which can run over Exchange Web Services, HTTPS, or WebSockets, so that the leader Kernel only has to think about talking to the Bridge while the Bridge worries about talking to the C2 server.

The Worker modules do the actual work: keystroke logging, hooking Windows events, enumerating files and processes, harvesting MAPI mail data, gathering system telemetry. Workers are reassigned, started, and stopped by the leader Kernel.

Across the three module types, Kazuar exposes roughly 150 configuration options. Operators can tune the size of exfiltration chunks, the timing of data theft, sandbox-evasion behaviour, process-injection options, task scheduling, and file-scanning depth. Pelmeni and ShadowLoader are the named droppers used to land and decrypt the modules onto the host.

The cleverness is not in the modularity itself. Plenty of malware families are modular. The cleverness is in the election.

The typical defender model assumes that an attacker’s implants beacon: that on any compromised estate, each foothold periodically reaches out to a command-and-control server, and that this beaconing constitutes the most reliable network-side detection surface. Suspicious outbound HTTPS to a previously unseen domain, anomalous JA3 signatures, periodic timing, DNS lookups to attacker-controlled resolvers — all of it depends on the implants actually talking to the outside.

In Turla’s model, they mostly do not. One Kernel module talks. The rest sit silently, doing their work, taking orders over Mailslot and named pipes, coordinating with each other through Windows messaging. To a network-edge detector, the compromised estate looks like a single, low-volume conversation between one endpoint and a legitimate Exchange Web Services destination. To a host-edge detector that only watches outbound traffic, the silent Kernels and Workers are essentially invisible. They are not exfiltrating. They are not beaconing. They are waiting their turn.

If the talker is removed — by reboot, by reimaging the host, by terminating the process — another Kernel module wins the next election. The botnet self-heals. Persistence is collective rather than per-host.

There are two defender takeaways worth carrying into next week’s strategy meeting.

The first is detection surface. Per-endpoint beacon analytics, while still useful, can no longer be the foundation of detection against a sophisticated state actor using this design pattern. The detection that matters against Kazuar’s modular shape is intra-host: Windows-messaging activity between unrelated processes, named-pipe creation and use patterns, Mailslot traffic of any kind. Most environments do not collect these signals at all, and most SIEMs do not have rules tuned to them. The Microsoft blog is a useful starting reference for what the artefacts look like and which Sysmon event IDs map to them.
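As an added example of what one of those intra-host rules can look like (not from the Microsoft report and not a published Kazuar signature), the script below runs a named-pipe fan-in check over Sysmon pipe events. Sysmon Event ID 17 records a pipe being created and Event ID 18 a process connecting to it; the rule flags any pipe, outside a local allowlist, that is connected to by several distinct process images, which is the shape of Kernel-to-Kernel coordination described above. The event lines, pipe names, image paths, allowlist and the threshold of three distinct connectors are all constructed assumptions to be tuned against your own baseline.

```python
"""Named-pipe fan-in detection over Sysmon Event ID 17/18 records.

Added illustration, not from the Microsoft report. SAMPLE_EVENTS are
CONSTRUCTED JSON-per-line events using Sysmon's field names (EventID,
PipeName, Image, ProcessId). Pipe names, paths, the allowlist and the
threshold are assumptions for this example, not real indicators.
"""
import json
from collections import defaultdict

# Constructed baseline of pipes already understood in this environment.
ALLOWLISTED_PIPES = {"\\example-legit-pipe"}
FAN_IN_THRESHOLD = 3  # distinct connecting images before a pipe is flagged

# Constructed sample: one process creates a pipe and three unrelated
# processes connect to it; a second pipe has a single, expected client.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\kz-coord", "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1204},
    {"EventID": 18, "PipeName": "\\kz-coord", "Image": "C:\\Users\\a\\AppData\\Roaming\\upd\\updater.exe", "ProcessId": 3310},
    {"EventID": 18, "PipeName": "\\kz-coord", "Image": "C:\\Program Files\\Viewer\\viewer.exe", "ProcessId": 4102},
    {"EventID": 18, "PipeName": "\\kz-coord", "Image": "C:\\Windows\\explorer.exe", "ProcessId": 988},
    {"EventID": 17, "PipeName": "\\example-legit-pipe", "Image": "C:\\Program Files\\BackupAgent\\agent.exe", "ProcessId": 2001},
    {"EventID": 18, "PipeName": "\\example-legit-pipe", "Image": "C:\\Program Files\\BackupAgent\\agentui.exe", "ProcessId": 2010},
]


def parse_events(lines):
    """Yield Sysmon events from JSON lines, keeping only pipe events (17, 18)."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") in (17, 18):
            yield ev


def pipe_fan_in(events):
    """Map PipeName -> (creating image, set of distinct connecting images)."""
    creators = {}
    connectors = defaultdict(set)
    for ev in events:
        name = ev["PipeName"]
        if ev["EventID"] == 17:
            creators[name] = ev["Image"]
        else:
            connectors[name].add(ev["Image"])
    return {name: (creators.get(name), connectors[name])
            for name in set(creators) | set(connectors)}


def find_suspicious_pipes(events, threshold=FAN_IN_THRESHOLD, allow=ALLOWLISTED_PIPES):
    """Return pipes outside the allowlist with >= threshold distinct connecting images."""
    findings = []
    for name, (creator, images) in sorted(pipe_fan_in(events).items()):
        if name in allow or len(images) < threshold:
            continue
        findings.append({"pipe": name, "creator": creator, "connectors": sorted(images)})
    return findings


def demo():
    lines = [json.dumps(e) for e in SAMPLE_EVENTS]
    return find_suspicious_pipes(parse_events(lines))


if __name__ == "__main__":
    for f in demo():
        print(f"pipe {f['pipe']} created by {f['creator']} has "
              f"{len(f['connectors'])} distinct clients: {f['connectors']}")
```

Fan-in alone will fire on legitimate broker pipes, which is why the allowlist exists and why the threshold should come from a baseline of the estate rather than from this example. The same skeleton extends to Mailslot activity once your collector surfaces it, since the question is the same: which unrelated processes on this host are holding a conversation with each other.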

The second is segmentation. The Bridge module’s whole job is to be the single egress point of a chatty internal botnet. If the corporate network gives any one host the freedom to reach Exchange Web Services on behalf of every Kernel module across every department, the Bridge has an easy life. If the segmentation policy is tight enough that one workstation cannot freely reach corporate-mail infrastructure on behalf of the wider estate, the Bridge has to compete for a much narrower set of egress paths, and that narrowing is where defenders earn their living. Reading Turla’s design choices honestly: they expect to keep one talker alive on each compromised estate for years at a time. Make that talker work for it.

The pattern is not new in concept. Peer-to-peer command-and-control has been around since the early 2010s. What is new is the combination — a state intelligence team, a long-established backdoor, an election mechanic, and the specific decision to engineer quiet into the implant rather than bolt it on as an afterthought. Treat this as the new baseline for what serious nation-state implant design now looks like.
