Secret Blizzard Evolves Kazuar Backdoor into Stealthy P2P Botnet
The Russian-linked hacking group **Secret Blizzard** has significantly upgraded its **Kazuar** backdoor into a sophisticated, modular peer-to-peer (P2P) botnet. This evolution enhances the malware's persistence, stealth capabilities, and data collection efficiency, posing a heightened threat to targeted organizations.

**Secret Blizzard**, whose activity overlaps with the clusters other vendors track as **Turla**, **Uroburos**, and **Venomous Bear**, is assessed to be associated with Russia's Federal Security Service (FSB). The group is notorious for targeting government and diplomatic entities, defense-related organizations, and critical infrastructure across Europe, Asia, and Ukraine.
**Kazuar** has been documented since 2017, with code lineage tracing back to 2005. Its use has been attributed to the **Turla** espionage group, which is likewise suspected of working for the FSB. The malware was previously observed in attacks on European government organizations in 2020 and on Ukrainian targets in 2023.
### Kazuar's New Architecture
Researchers at **Microsoft** have analyzed a recent variant of **Kazuar**, revealing a modular design comprising three distinct components: Kernel, Bridge, and Worker.
* **Kernel Module**: Serves as the central coordinator, managing tasks, controlling other modules, electing a leader node, and orchestrating communication and data flow within the botnet.
* **Bridge Module**: Acts as the external communication proxy, relaying traffic between the elected Kernel leader and the remote command-and-control (C2) infrastructure. This module supports protocols such as HTTP, WebSockets, and Exchange Web Services (EWS).
* **Worker Module**: Executes the actual espionage operations, including keylogging, screenshot capture, data harvesting from the filesystem, system and network reconnaissance, email/MAPI data collection (including data pulled from **Outlook**), window monitoring, and harvesting of recently accessed files.
The leader election is internal and autonomous, based on metrics such as uptime, reboot frequency, and interruption counts. Non-leader systems operate in a "silent" mode and never communicate directly with the C2 server; only the elected leader ever generates external traffic, which keeps the number of infected hosts visible to network monitoring to a minimum.
"The Kernel leader is the one elected Kernel module that communicates with the Bridge module on behalf of the other Kernel modules, reducing visibility by avoiding large volumes of external traffic from multiple infected hosts," explains **Microsoft**.

*Kazuar's internal communications diagram (Source: Microsoft)*
Internal communications rely on IPC (inter-process communication) mechanisms, including Windows Messaging, Mailslots, and named pipes, blending in with normal system activity. Messages are AES-encrypted and serialized using Google Protocol Buffers (Protobuf).

*Types of system info Kazuar collects (Source: Microsoft)*
**Microsoft** emphasizes **Kazuar's** flexibility, noting that it now supports over 150 configuration options. These options allow operators to enable/disable specific security bypasses, schedule tasks, control data theft timing and exfiltration chunk sizes, perform process injection, and manage task and command execution.
Security bypass capabilities now include Antimalware Scan Interface (**AMSI**) bypass, Event Tracing for Windows (**ETW**) bypass, and Windows Lockdown Policy (**WLDP**) bypass.
### Mitigation Strategies
**Secret Blizzard** typically aims for long-term persistence on compromised systems to facilitate ongoing intelligence gathering, focusing on documents and email content of political significance.
**Microsoft** advises organizations to prioritize behavioral detection methods over static signatures, given **Kazuar's** modular architecture and highly configurable nature, which makes it exceptionally evasive.
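Because only the elected Kernel leader ever talks to the C2 server, network telemetry alone will miss most infected hosts; the inter-node traffic described above runs over local IPC such as named pipes, which Sysmon records as Event ID 17 (PipeCreated) and 18 (PipeConnected). The hunt below is an added example of the behavioral approach this advice calls for, written for this article and not taken from the article or from Microsoft's own detection logic. It builds a baseline of expected (process, pipe name) pairs and then flags pipes created by unlisted processes, ranking the same unknown pipe name appearing on many hosts first. The events, the `update.exe` path, and the `\bridge-7f3a` pipe name are constructed for illustration and are not Kazuar indicators.

```python
"""Behavioral hunt over Sysmon named-pipe events (Event ID 17/18).

Added example, not part of the original article and not Microsoft's detection
logic. Assumes Sysmon pipe events have been exported with the fields
EventID, Computer, Image and PipeName. All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Sysmon event IDs for named-pipe telemetry.
PIPE_CREATED = 17
PIPE_CONNECTED = 18

# Expected (image basename, pipe name) pairs for this fleet. Constructed for
# the example; a real baseline comes from a golden image or a quiet window.
BASELINE = {
    ("svchost.exe", r"\ntsvcs"),
    ("lsass.exe", r"\lsass"),
    ("spoolsv.exe", r"\spoolss"),
    ("wininit.exe", r"\InitShutdown"),
}

# Constructed sample events shaped like Sysmon's PipeEvent fields.
# 'update.exe' and '\bridge-7f3a' are hypothetical names, not real IOCs.
SAMPLE_EVENTS = [
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\ntsvcs"},
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Roaming\update.exe", "PipeName": r"\bridge-7f3a"},
    {"EventID": 18, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Roaming\update.exe", "PipeName": r"\bridge-7f3a"},
    {"EventID": 17, "Computer": "WS02", "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
    {"EventID": 17, "Computer": "WS02", "Image": r"C:\Users\bob\AppData\Roaming\update.exe", "PipeName": r"\bridge-7f3a"},
    {"EventID": 17, "Computer": "WS03", "Image": r"C:\Users\carol\AppData\Roaming\update.exe", "PipeName": r"\bridge-7f3a"},
    {"EventID": 17, "Computer": "WS03", "Image": r"C:\Program Files\Vendor\agent.exe", "PipeName": r"\vendor-agent"},
]


def image_basename(path: str) -> str:
    """Lower-cased file name of an Image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    pipe: str
    image: str
    hosts: tuple        # sorted hostnames on which this image created the pipe
    connections: int    # PipeConnected events seen for the same (image, pipe)


def hunt_pipes(events, baseline=BASELINE, min_hosts=1):
    """Return pipes created by processes not in the baseline, most widespread first."""
    created = defaultdict(set)    # (image, pipe) -> hosts that created it
    connected = defaultdict(int)  # (image, pipe) -> PipeConnected count
    for ev in events:
        key = (image_basename(ev["Image"]), ev["PipeName"])
        if ev["EventID"] == PIPE_CREATED:
            created[key].add(ev["Computer"])
        elif ev["EventID"] == PIPE_CONNECTED:
            connected[key] += 1

    findings = []
    for (image, pipe), hosts in created.items():
        if (image, pipe) in baseline or len(hosts) < min_hosts:
            continue
        findings.append(Finding(pipe, image, tuple(sorted(hosts)), connected[(image, pipe)]))

    # The same unknown pipe name under the same unknown image on many hosts is
    # the fleet-wide signal a P2P mesh leaves even when most nodes stay silent.
    findings.sort(key=lambda f: (-len(f.hosts), f.pipe))
    return findings


if __name__ == "__main__":
    for f in hunt_pipes(SAMPLE_EVENTS):
        print(f"{f.pipe:<16} {f.image:<12} hosts={len(f.hosts)} connects={f.connections}")
```

Raising `min_hosts` to 2 drops single-host oddities such as a vendor agent and leaves only the pipe name shared across WS01, WS02 and WS03. Run it against real exports and the baseline, not the malware, is what you tune: every unlisted pair is either a gap in the baseline or something to investigate.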