
Kazuar Evolves From Backdoor to Resilient Espionage Ecosystem

Written by The Hivemind | May 22, 2026 5:13:22 PM

Verticals Targeted: Government, Defense, Diplomatic Organizations, Research Institutions
Regions Targeted: Europe, Central Asia, Ukraine
Related Threat Actors: Secret Blizzard (aka Turla, Venomous Bear)
Related Families: Kazuar, Pelmeni

Executive Summary

Microsoft researchers detailed a major evolution of the Kazuar malware family used by Russian state-sponsored threat actor Secret Blizzard, also known as Turla and Venomous Bear. Kazuar has transitioned from a traditional backdoor into a modular, leader-coordinated espionage framework designed to reduce detection opportunities, maintain resilient command-and-control communications, and support long-term intelligence collection against government, diplomatic, defense, and research-related targets.

Key Takeaways

  • Kazuar now operates as a modular malware ecosystem composed of Kernel, Bridge, and Worker modules.
  • Secret Blizzard uses a leadership election and a SILENT client mode so that only one elected Kernel instance communicates externally, minimizing network visibility while keeping operations coordinated across infected systems.
  • The malware supports multiple IPC mechanisms including named pipes, Mailslots, and hidden Windows messaging, while external communications can occur over HTTP, WebSockets, or Exchange Web Services.

Kazuar’s Evolution

Kazuar has historically been associated with sophisticated espionage operations conducted by Secret Blizzard against diplomatic, government, and defense-related targets. Microsoft’s latest analysis shows the malware has evolved significantly beyond its earlier monolithic structure into a modular ecosystem designed for operational resilience and stealth.

Rather than relying entirely on living-off-the-land binaries to evade detection, Secret Blizzard engineered stealth directly into Kazuar’s architecture. The malware separates responsibilities across multiple coordinated modules while limiting outbound communications to a single elected leader node, significantly reducing the network footprint generated by infected systems.

This architecture enables Secret Blizzard to maintain persistent access, coordinate tasking internally across infected hosts, and continue operations even if portions of the infrastructure fail or become isolated.

Delivery and Initial Execution

Kazuar is delivered through multiple dropper mechanisms. One observed method uses the Pelmeni dropper, which carries the encrypted second-stage payload inside its own executable as a byte array. In some cases the payload is cryptographically tied to the target environment, for example by deriving the decryption key from the hostname, so that it cannot be decrypted or executed outside the intended victim environment.
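The environment-keyed payload described above, as an added example that is not Pelmeni's or Kazuar's actual scheme: the key is derived from the hostname, an HMAC tag lets the loader distinguish "wrong machine" from "corrupted payload", and a hash-based counter keystream stands in for a real cipher so the example needs only the standard library. The hostname, payload bytes, iteration count and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

SALT_LEN, TAG_LEN = 16, 32
PBKDF2_ROUNDS = 20_000   # chosen for example speed, not for hardness


def derive_key(hostname: str, salt: bytes) -> bytes:
    """Bind the key to the environment: same binary, different hostname,
    different key. Windows hostnames are case-insensitive, so normalise."""
    return hashlib.pbkdf2_hmac("sha256", hostname.upper().encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256(key || counter) blocks, truncated to the requested length.
    Illustrative stand-in for a real cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_payload(payload: bytes, hostname: str, salt: Optional[bytes] = None) -> bytes:
    """Build-time step for one intended victim: encrypt and tag under the
    hostname-derived key. Layout: salt || tag || ciphertext."""
    salt = salt or os.urandom(SALT_LEN)
    key = derive_key(hostname, salt)
    body = _xor(payload, _keystream(key, len(payload)))
    tag = hmac.new(key, salt + body, "sha256").digest()
    return salt + tag + body


def open_payload(blob: bytes, hostname: str) -> Optional[bytes]:
    """Run-time step in the loader. Returns None on the wrong host, so the
    second stage never reaches memory in a sandbox with a different name."""
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    body = blob[SALT_LEN + TAG_LEN:]
    key = derive_key(hostname, salt)
    if not hmac.compare_digest(tag, hmac.new(key, salt + body, "sha256").digest()):
        return None
    return _xor(body, _keystream(key, len(body)))


def recover_payload(blob: bytes, candidates: Iterable[str]) -> Tuple[Optional[str], Optional[bytes]]:
    """Analyst side: the artifact alone is not enough. Try hostnames known
    from the incident (asset inventory, EDR, the dropper's own target list)."""
    for name in candidates:
        payload = open_payload(blob, name)
        if payload is not None:
            return name, payload
    return None, None


if __name__ == "__main__":
    # Constructed inputs: placeholder second-stage bytes and an invented hostname.
    blob = seal_payload(b"<second-stage bytes>", "WS-FINANCE-07")
    print(open_payload(blob, "SANDBOX-PC"))                       # None: wrong host
    print(recover_payload(blob, ["ANALYST-VM", "ws-finance-07"]))  # recovered
```

The practical consequence for analysis is the last function: a sample like this detonates to nothing in a sandbox, so the triage workflow has to carry the victim hostname (or a candidate list) alongside the dropper before the second stage can be recovered.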

Another deployment method involves dropping a lightweight .NET loader configured as a COM object. The dropper decrypts the payload and supplies it to the loader for in-memory execution, reducing disk artifacts and improving evasion.

Core Module Architecture

Kazuar consists of three primary module types: Kernel, Bridge, and Worker. Each infected system requires all three modules locally to establish the full operational framework.

The Kernel module acts as the operational coordinator, managing Worker tasking, Bridge communications, configuration updates, and logging operations. It also performs extensive anti-analysis and sandbox checks during execution, including process inspection, canary file detection, and sandbox DLL checks.

Kazuar’s configuration system has expanded significantly and now supports approximately 150 configuration options spanning transport selection, injection methods, AMSI/WLDP/ETW bypasses, exfiltration timing, task management, file harvesting, keylogging, screenshot capture, MAPI email monitoring, and operational state tracking.

The malware supports internal IPC through hidden Windows messaging, Mailslots, and named pipes. External communications can occur over HTTP, WebSockets, or Exchange Web Services, with redundant fallback paths built into the architecture.

Leadership Election and SILENT Mode

One of Kazuar’s most notable operational changes is its leadership election model. Only a single Kernel module within the malware ecosystem is elected as the active leader responsible for external communication through the Bridge module. All other Kernel instances enter SILENT mode and cease direct external communications.

Leadership elections occur over Mailslot IPC and are determined using runtime stability metrics, including uptime versus interruptions such as reboots or logoffs. Once elected, the leader distributes tasks internally to client Kernel modules over encrypted named pipes, allowing the malware to coordinate operations while minimizing externally observable traffic. This design reduces the likelihood of detection by consolidating outbound communications through a single elected leader rather than allowing every infected host to independently communicate with external infrastructure.
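A simulation of the election pattern just described, added here as an example and not Kazuar's own code. The page says only that the election runs over a Mailslot and uses uptime-versus-interruption stability metrics; the scoring rule (uptime divided by one plus the interruption count), the hostname tie-break, the 10-minute beacon interval and the hostnames are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class KernelNode:
    host: str
    uptime_s: int        # seconds this Kernel instance has been running
    interruptions: int   # reboots/logoffs it has suffered since install
    silent: bool = True  # every node starts SILENT until an election says otherwise


def stability(node: KernelNode) -> float:
    # Assumed metric: long uptime is good, each interruption counts against it.
    return node.uptime_s / (1 + node.interruptions)


def broadcast(nodes: List[KernelNode]) -> List[Tuple[float, str]]:
    """What each node writes to the shared Mailslot: its score and identity.
    Mailslots are one-way broadcast, so every node sees every other's message."""
    return [(stability(n), n.host) for n in nodes]


def elect_leader(nodes: List[KernelNode]) -> str:
    """Each node applies the same deterministic rule to the same messages, so
    all agree on one leader with no coordinator: highest stability wins,
    lowest hostname breaks ties. Losers enter SILENT mode."""
    messages = broadcast(nodes)
    _, leader = min(messages, key=lambda m: (-m[0], m[1]))
    for n in nodes:
        n.silent = n.host != leader
    return leader


def interrupt(node: KernelNode) -> None:
    """A reboot or logoff: uptime resets and the interruption count grows."""
    node.uptime_s = 0
    node.interruptions += 1


def beaconing_hosts(nodes: List[KernelNode]) -> Set[str]:
    """Hosts a network sensor would see contacting C2: only the non-silent one,
    since the leader alone talks to the Bridge."""
    return {n.host for n in nodes if not n.silent}


def simulate(nodes: List[KernelNode], rounds: int, fail_at: Dict[int, str]) -> List[Set[str]]:
    """Run `rounds` beacon intervals, re-electing each time. After round r the
    host named in fail_at[r] is rebooted. Returns the externally visible
    host set per round."""
    visible = []
    for r in range(rounds):
        elect_leader(nodes)
        visible.append(beaconing_hosts(nodes))
        if r in fail_at:
            interrupt(next(n for n in nodes if n.host == fail_at[r]))
        for n in nodes:
            n.uptime_s += 600   # assumed 10-minute beacon interval
    return visible


if __name__ == "__main__":
    # Constructed fleet: three infected hosts with different histories.
    fleet = [KernelNode("WS01", 86_400, 1),
             KernelNode("WS02", 172_800, 0),
             KernelNode("WS03", 3_600, 5)]
    print(simulate(fleet, 3, {1: "WS02"}))   # leader WS02, then WS01 after WS02 reboots
```

Two things a defender should take from the run: at most one host in the cluster ever appears in network telemetry, and that host changes when the leader reboots or logs off, so a beacon that "moves" between hosts after an interruption is itself a signal.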

Bridge and Worker Operations

The Bridge module is the external communications proxy between the leader Kernel module and remote C2 infrastructure. It supports multiple transports, forwards the leader's requests over whichever transport is configured, and remains resident until system shutdown.

Worker modules execute operational tasks including keylogging, screenshot capture, filesystem harvesting, window monitoring, MAPI data collection, system reconnaissance, and recent document collection. Collected information is encrypted locally and staged in the malware working directory prior to exfiltration. Kazuar also uses Google Protocol Buffers (Protobuf) for inter-module communications, enabling structured internal routing between modules and dynamic selection of transport methods for external communications.

Filesystem Staging and Persistence

Kazuar maintains a dedicated working directory that acts as a centralized staging location for operational data. The malware separates stored content by function, including task files, result files, logs, keylogger output, collected files, hashes, and configuration material. This structure allows Kazuar to preserve operational state across reboots or leadership changes while supporting asynchronous coordination between modules and reducing direct interaction with external infrastructure.

Detection and Operational Considerations

Kazuar’s modular design significantly complicates traditional malware analysis and detection workflows. The malware minimizes externally observable traffic by centralizing outbound communications through a single elected Kernel leader while distributing operational responsibilities internally through encrypted IPC mechanisms. Its use of hidden Windows messaging, named pipes, Mailslots, Protobuf-based routing, staged filesystem operations, and redundant communication methods lets Secret Blizzard maintain resilient access while reducing reliance on continuously active external infrastructure.

Organizations defending against advanced espionage operations should therefore look beyond individual samples to the operational behaviors that sustain the malware lifecycle: IPC coordination across hosts, leadership election behavior (one beaconing host among several that share the same IPC artifacts), staging directory activity, and periodic encrypted exfiltration patterns.
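One way to turn the behavioral guidance above into a cross-host correlation, added here as an example; it is not a PolySwarm or Microsoft detection, and the pipe names, hosts, images, addresses and timestamps are constructed (real inputs would be Sysmon Event ID 17/18 named-pipe events and Event ID 3 network events, or equivalent EDR data). The idea is to find clusters of hosts that share a rare named pipe, then check how many of them actually beacon: the leader/SILENT pattern looks like one periodic beaconer among several otherwise quiet hosts.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed named-pipe telemetry: (host, image, pipe_name)
PIPE_EVENTS = [
    ("WS01", r"C:\Windows\System32\svchost.exe", r"\ntsvcs"),
    ("WS01", r"C:\Users\a\AppData\Local\Temp\svc.exe", r"\tsk_4f2a"),
    ("WS02", r"C:\Users\b\AppData\Local\Temp\svc.exe", r"\tsk_4f2a"),
    ("WS03", r"C:\Users\c\AppData\Local\Temp\svc.exe", r"\tsk_4f2a"),
    ("WS04", r"C:\Windows\System32\spoolsv.exe", r"\spoolss"),
]

# Constructed network telemetry: (host, timestamp_s, dst_ip, dst_port).
# 203.0.113.0/24 is documentation address space. WS01 beacons every ~10 min;
# WS02/WS03 never talk out; WS04 has ordinary irregular traffic.
NET_EVENTS = [
    ("WS01", 0, "203.0.113.10", 443), ("WS01", 598, "203.0.113.10", 443),
    ("WS01", 1203, "203.0.113.10", 443), ("WS01", 1799, "203.0.113.10", 443),
    ("WS01", 2402, "203.0.113.10", 443), ("WS01", 3001, "203.0.113.10", 443),
    ("WS04", 10, "203.0.113.50", 443), ("WS04", 40, "203.0.113.50", 443),
    ("WS04", 700, "203.0.113.50", 443), ("WS04", 2500, "203.0.113.50", 443),
    ("WS04", 2530, "203.0.113.50", 443),
]

# Minimal illustrative baseline of pipes normal Windows services create; a real
# deployment learns this from the fleet instead of hard-coding it.
KNOWN_PIPES = {r"\ntsvcs", r"\spoolss", r"\lsass", r"\srvsvc", r"\wkssvc", r"\samr"}


def shared_rare_pipes(events, known=KNOWN_PIPES, min_hosts: int = 2) -> Dict[str, Set[str]]:
    """Pipe names outside the baseline seen on several hosts: the footprint of
    one toolkit coordinating across machines."""
    hosts_by_pipe: Dict[str, Set[str]] = defaultdict(set)
    for host, _image, pipe in events:
        if pipe not in known:
            hosts_by_pipe[pipe].add(host)
    return {p: h for p, h in hosts_by_pipe.items() if len(h) >= min_hosts}


def periodic_beacons(events, min_count: int = 4, max_cv: float = 0.1) -> Dict[str, Tuple[str, float]]:
    """Hosts whose connections to one destination recur at a steady interval.
    A coefficient of variation of the gaps at or below max_cv counts as periodic.
    Returns host -> (destination, mean interval in seconds)."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for host, ts, dst, port in events:
        times[(host, f"{dst}:{port}")].append(ts)
    found: Dict[str, Tuple[str, float]] = {}
    for (host, dst), ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            found[host] = (dst, mean(gaps))
    return found


def silent_clusters(pipe_events, net_events) -> List[Tuple[str, Set[str], Set[str]]]:
    """Clusters of hosts sharing a rare pipe in which some beacon and the rest
    are quiet: the leader/SILENT shape. Returns (pipe, leaders, silent_hosts)."""
    beacons = periodic_beacons(net_events)
    findings = []
    for pipe, hosts in shared_rare_pipes(pipe_events).items():
        leaders = {h for h in hosts if h in beacons}
        silent = hosts - leaders
        if leaders and silent:
            findings.append((pipe, leaders, silent))
    return findings


if __name__ == "__main__":
    for pipe, leaders, silent in silent_clusters(PIPE_EVENTS, NET_EVENTS):
        print(f"pipe {pipe}: leader(s) {sorted(leaders)}, silent {sorted(silent)}")
```

The silent hosts are the ones a network-only detection never sees; they surface only because the pipe name ties them to the host that does beacon. Mailslot activity is not covered by Sysmon's pipe events, so a production version would need a separate host-side source for that channel.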

Who is Secret Blizzard?

Secret Blizzard is a long-running Russian state-sponsored cyber espionage threat actor attributed by CISA to Center 16 of Russia’s Federal Security Service (FSB), which is responsible for signals intelligence and computer network operations supporting Russian intelligence collection objectives. The threat actor is also known as Turla, Venomous Bear, Uroburos, Snake, Blue Python, WRAITH, and ATG26.

Secret Blizzard primarily targets ministries of foreign affairs, embassies, government agencies, defense organizations, defense contractors, diplomatic institutions, and research entities worldwide. The group focuses heavily on long-term intelligence collection and persistent access operations supporting Russian geopolitical and military objectives.

The actor is known for deploying modular malware families with resilient communication channels, encrypted internal messaging, memory-resident execution techniques, and fallback C2 mechanisms designed to preserve operational continuity even in degraded environments. Kazuar’s latest evolution further reinforces Secret Blizzard’s emphasis on stealth engineering, operational durability, and long-term persistence rather than rapid smash-and-grab intrusion activity.

Analyst Commentary

Kazuar’s progression into a modular espionage framework demonstrates how advanced state-sponsored threat actors continue evolving beyond traditional backdoors into resilient malware ecosystems engineered for stealth, survivability, and long-term operational access. Rather than depending exclusively on living-off-the-land binaries or short-duration campaigns, Secret Blizzard integrated redundancy, fallback communications, and distributed task coordination directly into the malware architecture itself.

The campaign also reinforces that defenders increasingly need visibility beyond single-file detections. Modular ecosystems like Kazuar generate fragmented telemetry across multiple processes, IPC mechanisms, staged filesystem activity, and intermittent network communications that may individually appear low confidence or benign in isolation.

PolySwarm’s marketplace of specialized detection engines and aggregated PolyScore model can help security teams identify low-consensus or evolving threats that may evade traditional single-engine approaches. Multi-engine analysis, behavioral insights, and sandbox-derived telemetry may provide additional visibility into modular malware ecosystems like Kazuar, where stealth, compartmentalization, and operational redundancy are core design objectives.

IOCs

PolySwarm has multiple samples associated with this activity.

 

69908f05b436bd97baae56296bf9b9e734486516f9bb9938c2b8752e152315d4
c1f278f88275e07cc03bd390fe1cbeedd55933110c6fd16de4187f4c4aaf42b9
6eb31006ca318a21eb619d008226f08e287f753aec9042269203290462eaa00d
436cfce71290c2fc2f2c362541db68ced6847c66a73b55487e5e5c73b0636c85


Click here to view all samples of Kazuar in our PolySwarm portal.

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.