Threat Intelligence
Stealth Mandate: Turla’s New P2P Architecture Mutes Compromised Hosts to Evade Network Defenses
Cyber RT · May 15, 2026 · 3 min read

The Russian hacking group Turla has upgraded its Kazuar backdoor into a modular peer-to-peer botnet for stealth and persistent access. Associated with Russia's FSB, Turla targets government and defense sectors in Europe and Central Asia. Kazuar's evolution into a modular bot includes Kernel, Bridge, and Worker modules, enhancing flexibility and reducing detection. The system facilitates task management and data exfiltration, supporting long-term intelligence collection.
The Russian state-sponsored hacking group known as Turla has upgraded its custom backdoor, Kazuar, into a modular peer-to-peer (P2P) botnet designed for stealth and persistent access to compromised systems. Turla is associated with Center 16 of Russia's Federal Security Service (FSB) and is tracked under various names by the cybersecurity community, including Secret Blizzard (Microsoft), ATG26, Blue Python, and Waterbug. The group is notorious for targeting government, diplomatic, and defense sectors in Europe and Central Asia, and for taking over access and infrastructure previously established by other threat actors, all in service of the Kremlin's strategic goals.
The recent upgrade of Kazuar aligns with Turla's broader objective of maintaining long-term access to systems for intelligence gathering. According to the Microsoft Threat Intelligence team, the transformation into a modular bot highlights Turla's efforts to build resilience and stealth into its tooling. Where many threat actors lean on living-off-the-land binaries to avoid detection, Turla has instead invested in making its custom implant more sophisticated and adaptable.
Kazuar, a .NET backdoor used since 2017, has evolved from a monolithic framework into a modular bot ecosystem with three distinct components: Kernel, Bridge, and Worker. Each module has specific roles, allowing for flexible configuration, a reduced observable footprint, and broad tasking capabilities. This modular approach enhances the botnet's ability to remain undetected and maintain persistent access to compromised hosts.
The Kernel module acts as the central coordinator, issuing tasks to Worker modules, managing communication with the Bridge module, and maintaining logs of actions and collected data. It performs anti-analysis checks and sets up the environment for command-and-control (C2) communication, data exfiltration, and task management. The Bridge module serves as a proxy between the Kernel and the C2 server, while the Worker module logs keystrokes, tracks tasks, and gathers system information.
Communication between modules on a compromised host is carried over Windows messaging, mailslots, and named pipes, while external communication with the C2 infrastructure uses Exchange Web Services, HTTP, and WebSockets. When more than one Kernel instance is present, the instances elect a single leader that alone talks to the Bridge module, so that tasking and exfiltration are not duplicated. The election is based on each instance's runtime and the interruptions it has experienced, which lets the leader keep managing tasks and preserve operational state across restarts.
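Of the three local channels named above, named pipes are the one most environments already log: Sysmon Event ID 17 records a pipe being created and Event ID 18 a process connecting to it, each with the image responsible. The hunt below is an added example written for this article, not code from Microsoft or from the Kazuar report. The events, the pipe name `\mesh-7f3a`, the image paths and the creator allowlist are all constructed for the example and are not Kazuar indicators; a team would substitute its own baseline. It flags two things a multi-module implant coordinating over a pipe tends to produce: a pipe created by an image outside the baseline, and one pipe that several distinct images connect to.

```python
"""Baseline-deviation hunt over Sysmon named-pipe events (constructed example)."""
from collections import defaultdict

# Constructed Sysmon-style events, trimmed to the fields the logic needs.
# None of these are real Kazuar indicators.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\eventlog", "ProcessId": 1204},
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss", "ProcessId": 2210},
    {"EventID": 17, "Image": r"C:\Users\Public\Libraries\upd.exe", "PipeName": r"\mesh-7f3a", "ProcessId": 4410},
    {"EventID": 18, "Image": r"C:\Users\Public\Libraries\upd.exe", "PipeName": r"\mesh-7f3a", "ProcessId": 4412},
    {"EventID": 18, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "PipeName": r"\mesh-7f3a", "ProcessId": 3300},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\mesh-7f3a", "ProcessId": 1204},
]

# Assumed baseline: images expected to create pipes on this host class.
# Replace with a baseline learned from your own fleet.
BASELINE_PIPE_CREATORS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\spoolsv.exe",
    r"c:\windows\system32\lsass.exe",
}


def unexpected_creators(events, baseline=BASELINE_PIPE_CREATORS):
    """Pipe creations (Event ID 17) by images that are not in the baseline."""
    return [e for e in events
            if e["EventID"] == 17 and e["Image"].lower() not in baseline]


def shared_pipes(events, min_distinct_images=3):
    """Pipes that several distinct images create or connect to (ID 17 or 18).

    One pipe touched by several unrelated-looking processes is the footprint
    a Kernel/Bridge/Worker style split leaves when modules live in different
    host processes.
    """
    images = defaultdict(set)
    for e in events:
        if e["EventID"] in (17, 18):
            images[e["PipeName"].lower()].add(e["Image"].lower())
    return {pipe: sorted(imgs) for pipe, imgs in images.items()
            if len(imgs) >= min_distinct_images}


def hunt(events):
    """Return (finding_type, subject, detail) tuples for analyst triage."""
    findings = []
    for e in unexpected_creators(events):
        findings.append(("unexpected-pipe-creator", e["Image"], e["PipeName"]))
    for pipe, imgs in shared_pipes(events).items():
        findings.append(("pipe-shared-across-images", pipe, ",".join(imgs)))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Two caveats. Sysmon's pipe events cover only one of the three local channels the report names: mailslot creation and window messages are not logged by it, so a module that uses only those stays invisible to this hunt. And a legitimate pipe such as `\eventlog` is also connected to by many images, so the shared-pipe rule needs a tuned threshold or an allowlist of well-known pipe names before it is useful at scale.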
The Kernel's primary goal is to poll new tasks from the C2 server, assign them to the Worker, and send task results back to the server. The Worker module aggregates and encrypts collected data, storing it in a dedicated working directory for exfiltration. This directory is organized to isolate tasking, collection output, logs, and configuration materials, allowing the malware to maintain operational state and coordinate activities across modules.
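To make the division of labour concrete, here is an added model of the flow described in the preceding paragraphs: several Kernel instances elect a leader, only the leader polls the Bridge, the Worker executes the task and writes encrypted output into a working directory split into tasking, output, logs and config, and the leader ships the encrypted file back through the Bridge. This is illustrative code written for this article, not Kazuar's code. The report says the election depends on runtime and interruptions; the exact rule used here (longest runtime wins, fewer interruptions break ties), the in-memory Bridge standing in for EWS/HTTP/WebSockets, the toy XOR in place of the real encryption, the task types and the kernel names are all assumptions.

```python
"""Constructed model of Kernel / Bridge / Worker tasking with leader election."""
import json
import os
import tempfile
from dataclasses import dataclass

KEY = b"constructed-key"  # assumed; a toy XOR stands in for the real cipher


def xor(data: bytes, key: bytes = KEY) -> bytes:
    """Symmetric toy cipher: applying it twice returns the plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class KernelInstance:
    name: str
    runtime_s: int      # how long this instance has been running
    interruptions: int  # restarts or crashes it has suffered


def elect_leader(instances):
    """Assumed rule: longest runtime wins, fewer interruptions break ties."""
    return max(instances, key=lambda k: (k.runtime_s, -k.interruptions))


class Bridge:
    """Proxy between the leader Kernel and C2 (C2 is an in-memory list here)."""
    def __init__(self, c2_tasks):
        self._pending = list(c2_tasks)
        self.uploaded = []          # (task_id, encrypted_blob) pairs sent out

    def poll(self):
        return self._pending.pop(0) if self._pending else None

    def upload(self, task_id, blob):
        self.uploaded.append((task_id, blob))


class Worker:
    """Runs tasks and stores encrypted results under the working directory."""
    HANDLERS = {                    # constructed task types and fake results
        "sysinfo": lambda: {"host": "WS-01", "user": "j.doe"},
        "keylog": lambda: {"keys": "hunter2"},
    }

    def __init__(self, workdir):
        self.workdir = workdir
        # The four categories come from the report; the directory names are assumed.
        for sub in ("tasking", "output", "logs", "config"):
            os.makedirs(os.path.join(workdir, sub), exist_ok=True)

    def run(self, task):
        result = self.HANDLERS[task["type"]]()
        out = os.path.join(self.workdir, "output", f"{task['id']}.bin")
        with open(out, "wb") as f:                 # collection output, encrypted at rest
            f.write(xor(json.dumps(result).encode()))
        with open(os.path.join(self.workdir, "logs", "worker.log"), "a") as f:
            f.write(f"{task['id']} {task['type']} done\n")
        return out


class Kernel:
    def __init__(self, instance, workdir):
        self.instance, self.workdir = instance, workdir

    def cycle(self, bridge, worker, is_leader):
        """One tasking cycle; only the elected leader touches the Bridge."""
        if not is_leader:
            return []
        handled = []
        while (task := bridge.poll()) is not None:
            with open(os.path.join(self.workdir, "tasking", f"{task['id']}.json"), "w") as f:
                json.dump(task, f)                   # persisted tasking survives a restart
            out = worker.run(task)
            with open(out, "rb") as f:
                bridge.upload(task["id"], f.read())  # ship the already-encrypted file
            handled.append(task["id"])
        return handled


def simulate(c2_tasks, instances):
    """Return (leader name, tasks handled per kernel, decrypted uploads, workdir layout)."""
    workdir = tempfile.mkdtemp(prefix="kazuar-model-")
    leader = elect_leader(instances)
    bridge, worker = Bridge(c2_tasks), Worker(workdir)
    handled = {k.name: Kernel(k, workdir).cycle(bridge, worker, k is leader) for k in instances}
    decrypted = {tid: json.loads(xor(blob)) for tid, blob in bridge.uploaded}
    return leader.name, handled, decrypted, sorted(os.listdir(workdir))


CONSTRUCTED_TASKS = [{"id": "t1", "type": "sysinfo"}, {"id": "t2", "type": "keylog"}]
CONSTRUCTED_KERNELS = [KernelInstance("k-a", 3600, 2),
                       KernelInstance("k-b", 7200, 0),
                       KernelInstance("k-c", 7200, 3)]

if __name__ == "__main__":
    print(simulate(CONSTRUCTED_TASKS, CONSTRUCTED_KERNELS))
```

The defensive takeaway the model makes visible is the decoupling itself: the Worker never sees the Bridge, the non-leader Kernels never generate network traffic, and the only artefacts a host-based tool can rely on are the working directory and the local IPC, which is why the detection burden shifts from network egress to file-system and process-interaction telemetry.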
Kazuar's design minimizes direct interaction with external infrastructure by decoupling task execution from data storage and exfiltration. This approach supports asynchronous activity between modules and maintains the botnet's stealth and persistence. The sophisticated architecture of Kazuar underscores Turla's commitment to developing advanced cyber tools that support their strategic objectives.