“The Kernel leader is the one elected Kernel module that communicates with the Bridge module on behalf of the other Kernel modules, reducing visibility by avoiding large volumes of external traffic from multiple infected hosts,” explains Microsoft.
Secret Blizzard and Kazuar's lineage
Microsoft researchers report that the Russian hacker group Secret Blizzard has developed the long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet. Secret Blizzard’s activity overlaps that of Turla, Uroburos, and Venomous Bear and has been associated with the Russian intelligence service (FSB). The group is known for targeting government and diplomatic organizations, defense-related entities, and critical systems across Europe, Asia, and Ukraine.
Kazuar itself has a long documented history: researchers first noted the malware in 2017, and Microsoft traces its code lineage back as far as 2005. Researchers linked Kazuar activity to the Turla espionage group and documented deployments in attacks against European government organizations in 2020 and in attacks against Ukraine in 2023.
Three-module architecture: Kernel, Bridge, Worker
Microsoft’s analysis found a recent Kazuar variant now split into three distinct modules: Kernel, Bridge, and Worker. The Kernel module acts as the central coordinator. It manages tasks, controls other modules, elects a leader within the infected environment, and orchestrates communications and data flow across the botnet.
The Bridge module functions as the external communications proxy, relaying traffic between the elected Kernel leader and remote command-and-control (C2) infrastructure. Bridge supports protocols including HTTP, WebSockets, and Exchange Web Services (EWS). The Worker module carries out espionage activities and data collection.
Operational stealth: leader election, silent nodes, and IPC
The botnet’s peer-to-peer design aims to minimize external exposure. One infected system is elected as the leader and communicates with the C2 server; other infected systems enter a “silent” mode and do not communicate directly with the C2. Microsoft explains that this reduces visibility by avoiding large volumes of external traffic from multiple infected hosts.
Leader selection is internal and autonomous, using metrics such as uptime, reboot events, and interruption counts. Internal communications between modules rely on Windows inter-process communication (IPC) mechanisms—Windows Messaging, Mailslots, and named pipes—blending with routine operational noise. Messages are AES-encrypted and serialized with Google Protocol Buffers (Protobuf).
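Because the modules coordinate over ordinary Windows IPC, host telemetry that already records named-pipe activity (for example Sysmon Event ID 17 PipeCreated and 18 PipeConnected) is one place a behavioral detection can start. The script below is an added example, not code from Microsoft's analysis or from Kazuar: it baselines which process images are known to create which pipes, flags creations outside that baseline, and then looks for the same unknown pipe name appearing on several hosts, which is what an identically configured implant on each host would produce (an assumption made for this example, not a documented Kazuar indicator). The baseline, hosts, process names and pipe names are constructed sample data.

```python
"""Baseline-and-deviation detection over Sysmon-style named-pipe events.

Added example, not Microsoft's or Kazuar's code. Event tuples mimic the fields of
Sysmon Event ID 17 (PipeCreated) and 18 (PipeConnected). All hosts, images and
pipe names below are constructed sample data, not indicators from the analysis.
"""
from collections import defaultdict

# Constructed baseline: process image -> pipe names it is known to create.
# In practice this is learned from a window of events on known-clean hosts.
BASELINE = {
    "svchost.exe": {"\\srvsvc", "\\wkssvc", "\\lsass"},
    "spoolsv.exe": {"\\spoolss"},
    "Outlook.exe": {"\\MSOutlookPipe"},
}

# Constructed events: (event_id, host, image, pipe_name)
EVENTS = [
    (17, "ws01", "svchost.exe", "\\srvsvc"),
    (17, "ws01", "spoolsv.exe", "\\spoolss"),
    (17, "ws02", "explorer.exe", "\\sample-implant-pipe"),  # unknown pipe from a user process
    (18, "ws02", "explorer.exe", "\\sample-implant-pipe"),
    (18, "ws02", "explorer.exe", "\\sample-implant-pipe"),
    (17, "ws03", "explorer.exe", "\\sample-implant-pipe"),  # same unknown pipe on a second host
    (18, "ws03", "explorer.exe", "\\sample-implant-pipe"),
    (17, "ws01", "Outlook.exe", "\\MSOutlookPipe"),
]


def unknown_pipe_creations(events, baseline=BASELINE):
    """Return (host, image, pipe) for PipeCreated events whose (image, pipe)
    pair is not in the baseline."""
    hits = []
    for event_id, host, image, pipe in events:
        if event_id != 17:
            continue
        if pipe not in baseline.get(image, set()):
            hits.append((host, image, pipe))
    return hits


def pipes_seen_on_multiple_hosts(events, baseline=BASELINE):
    """Map each unknown pipe name to the hosts that created it, keeping only
    names seen on two or more hosts (the multi-host signal for this example)."""
    hosts_by_pipe = defaultdict(set)
    for host, _image, pipe in unknown_pipe_creations(events, baseline):
        hosts_by_pipe[pipe].add(host)
    return {pipe: hosts for pipe, hosts in hosts_by_pipe.items() if len(hosts) >= 2}


def connection_counts(events, pipes):
    """Count PipeConnected events per pipe for the given pipe names, a rough
    measure of how busy a suspect channel is."""
    counts = defaultdict(int)
    for event_id, _host, _image, pipe in events:
        if event_id == 18 and pipe in pipes:
            counts[pipe] += 1
    return dict(counts)


def triage(events, baseline=BASELINE):
    """Combine the three checks into one report for an analyst."""
    unknown = unknown_pipe_creations(events, baseline)
    shared = pipes_seen_on_multiple_hosts(events, baseline)
    return {
        "unknown_creations": unknown,
        "shared_unknown_pipes": {pipe: sorted(hosts) for pipe, hosts in shared.items()},
        "connections": connection_counts(events, shared),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

The point of the baseline is that no pipe name or process name is treated as a signature: a pipe is interesting because its creator has never created it before and because the same unexpected name shows up on more than one machine, which holds regardless of how a given build is configured.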
Capabilities and configuration: what Kazuar steals and how it evades
The Worker module’s espionage capabilities include keylogging, capturing screenshots, harvesting filesystem data, performing system and network reconnaissance, collecting email/MAPI data (including Outlook downloads), monitoring windows, and stealing recent files. Collected data is encrypted locally, staged, and exfiltrated later through the Bridge module.
Kazuar’s new build is highly configurable. Microsoft notes the malware supports roughly 150 configuration options that let operators enable or disable specific security bypasses, schedule tasks, control timing and size of exfiltration chunks, perform process injection, and manage task and command execution. Security bypass options explicitly documented in the analysis include Antimalware Scan Interface (AMSI) bypass, Event Tracing for Windows (ETW) bypass, and Windows Lockdown Policy (WLDP) bypass.
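Operator-controlled timing and size of exfiltration chunks, sent from the single host that talks externally, is a network-level behavior a defender can look for without knowing any of the 150 options' values. The script below is an added example, not Microsoft's or Kazuar's code: it groups outbound flow records by source and destination and flags pairs whose transfers are both regularly spaced and uniformly sized. The flow records, hosts, destinations and thresholds are constructed sample data.

```python
"""Periodic, fixed-size outbound transfer detection over constructed flow records.

Added example, not Microsoft's or Kazuar's code. It looks for the general pattern
the analysis describes (scheduled exfiltration chunks of a controlled size from one
externally-talking host); all hosts, destinations and sizes below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_host, dst, bytes_out)
FLOWS = [
    # ws02: eight uploads of ~64 KiB to one external host, 300 s apart
    *[(1000 + 300 * i, "ws02", "203.0.113.10:443", 65536 + (i % 2) * 40) for i in range(8)],
    # ws01: ordinary browsing, irregular sizes and timing
    (1005, "ws01", "198.51.100.7:443", 1200),
    (1090, "ws01", "198.51.100.7:443", 48000),
    (1500, "ws01", "198.51.100.7:443", 3300),
    (2100, "ws01", "198.51.100.7:443", 900),
    (2500, "ws01", "198.51.100.7:443", 128000),
    (2700, "ws01", "198.51.100.7:443", 2100),
    # ws03: only two uploads, too few to judge
    (1000, "ws03", "203.0.113.10:443", 65536),
    (1300, "ws03", "203.0.113.10:443", 65536),
]


def cv(values):
    """Coefficient of variation (population stdev / mean); 0.0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def chunked_transfers(flows, min_flows=5, max_cv=0.2, min_bytes=4096):
    """Return {(src, dst): summary} for pairs with at least `min_flows` outbound
    transfers whose sizes and inter-arrival gaps both vary by at most `max_cv`.
    Thresholds are illustrative and should be tuned to the environment."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        sizes = [b for _, b in recs]
        gaps = [t2 - t1 for (t1, _), (t2, _) in zip(recs, recs[1:])]
        if mean(sizes) < min_bytes:
            continue  # too small to matter as staged data
        size_cv, gap_cv = cv(sizes), cv(gaps)
        if size_cv <= max_cv and gap_cv <= max_cv:
            findings[pair] = {
                "flows": len(recs),
                "mean_bytes": round(mean(sizes)),
                "mean_gap_s": round(mean(gaps)),
                "size_cv": round(size_cv, 3),
                "gap_cv": round(gap_cv, 3),
            }
    return findings


if __name__ == "__main__":
    for pair, summary in chunked_transfers(FLOWS).items():
        print(pair, summary)
```

Run on its own the script reports only the ws02 to 203.0.113.10 pair. The two measures are deliberately independent: uniform sizes alone also describe legitimate backups, and regular timing alone describes many update checks, but both together on sizable outbound transfers is the combination worth a closer look.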
What this means for government organizations, defense entities, and security teams
- Government and diplomatic organizations: Secret Blizzard has a documented targeting pattern that includes government and diplomatic entities across Europe and Asia and has been observed in attacks against Ukraine; those organizations should note the actor’s stated interest in documents and email with political importance.
- Defense-related entities and operators of critical systems: Microsoft characterizes Secret Blizzard’s goal as long-term persistence for intelligence collection, making prolonged, stealthy access a primary operational aim.
- Security teams and enterprises: Microsoft recommends focusing defensive efforts on behavioral detection rather than static signatures, given Kazuar’s modular, highly configurable nature and its suite of bypass techniques.
Microsoft’s guidance and the defensive challenge
Microsoft’s public analysis emphasizes that Kazuar’s shift to a modular P2P botnet and its large set of configuration options make the threat particularly evasive. The vendor’s explicit recommendation is to prioritize behavioral detection approaches over reliance on static signatures. The company also highlights the contrast between automated pentesting tools—useful for confirming lateral movement—and defensive validation that tests whether controls, detection rules, and cloud configurations actually block and surface real threats.
Kazuar’s combination of a leader-mediated P2P architecture, IPC-based internal communications, AES/Protobuf serialization, and 150 tunable options (plus AMSI, ETW, and WLDP bypasses) turns a long-documented backdoor into a tool tailored for stealthy, persistent espionage. For organizations in Secret Blizzard’s targeting set, Microsoft’s analysis underscores a simple, stark fact: the persistent risk is no longer just external traffic spikes, but internal coordination designed to avoid them.
Read the original Microsoft analysis reported by BleepingComputer