Turla turns Kazuar into modular P2P botnet

FSB-linked Turla converted Kazuar, a .NET backdoor, into a modular peer-to-peer botnet with Kernel, Bridge and Worker modules to maintain stealthy, persistent access to targets.

Microsoft reported that the Russian state-linked group Turla has reworked its Kazuar .NET backdoor into a modular peer-to-peer (P2P) botnet. The findings, published Thursday, describe a three-component architecture labeled Kernel, Bridge and Worker. U.S. authorities, including CISA, link Turla to Center 16 of Russia’s FSB.

The Kernel module acts as the botnet coordinator. It contacts command-and-control servers to poll for tasks, parses instructions, assigns work to Worker modules and updates configuration. Kernel also performs anti-analysis checks, maintains logs and sets parameters that control C2 settings and exfiltration timing.

Kernel instances use three internal communication methods (Windows Messaging, Mailslot and named pipes) and can contact attacker infrastructure using Exchange Web Services, HTTP and WebSockets. The system elects a single Kernel leader that speaks to the Bridge on behalf of the other Kernels. Elections take place over Mailslot and use a metric based on runtime divided by the number of interrupts, such as reboots, logoffs or terminated processes. Once elected, the leader instructs the other Kernel modules to remain silent, so that the leader alone requests tasks and records activity through the Bridge.

The Bridge functions as a proxy between the Kernel leader and external C2 servers. Worker modules perform data collection on compromised hosts: they log keystrokes, hook Windows events, gather system and file information, and extract Messaging Application Programming Interface (MAPI) data. Workers aggregate and encrypt collected data before writing it to an on-disk staging area defined in the malware configuration.

Kazuar uses a dedicated working directory referenced by fully qualified paths so modules can coordinate across restarts and different execution contexts. Operational files are organized by function inside that directory, separating tasking, collection output, logs and configuration. That arrangement lets the botnet maintain state between reboots and decouple task execution from data storage and exfiltration.

Microsoft’s report notes attackers have deployed the modular Kazuar via droppers such as Pelmeni and ShadowLoader that decrypt and launch components. The modular design distributes roles across components and supports multiple internal channels and external protocols.

Turla has a history of long-running operations targeting government, diplomatic and defense entities in Europe and Central Asia. CISA and Microsoft linked the group to several tracked aliases and noted instances where Turla reused access left by other Russian-linked teams. The published technical findings document the architecture, communications methods and deployment mechanisms observed in recent Kazuar activity.