Severity: critical

Kazuar: Anatomy of a nation-state botnet

Kazuar is a sophisticated, modular P2P botnet attributed to the Russian state-sponsored actor Secret Blizzard. It utilizes a tripartite architecture (Kernel, Bridge, Worker) and a leader election mechanism to minimize external C2 traffic, relying on Mailslots, Window Messaging, and Named Pipes for internal communication and HTTP, WSS, or EWS for external C2.

Confidence: high. Analyzed: 2026-05-14 (Google)

Authors: Microsoft Threat Intelligence

Actors: Secret Blizzard, Center 16, FSB, VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, WRAITH, ATG26, Aqua Blizzard

Source: Microsoft

Detection / Hunter: Google

What Happened

Russian state-sponsored hackers known as Secret Blizzard are using an advanced malware called Kazuar to spy on government and diplomatic organizations. The malware has evolved into a complex network of infected computers that communicate with each other, electing a single 'leader' to talk to the hackers, which helps hide their activity. This allows the attackers to maintain long-term, stealthy access to steal sensitive documents and emails. Organizations should ensure their security tools are fully updated and configured to block suspicious scripts and network traffic.

Key Takeaways

  • Kazuar has evolved into a highly modular P2P botnet ecosystem consisting of Kernel, Bridge, and Worker modules.
  • The malware uses a 'leader election' mechanism to restrict external C2 communications to a single node, significantly reducing its observable footprint.
  • Internal communication relies on Mailslots, Window Messaging, and Named Pipes, while external C2 uses HTTP, WebSockets, or Exchange Web Services (EWS).
  • Kazuar employs extensive configuration options for evasion, including AMSI, ETW, and WLDP bypasses.
  • Data collection is highly structured, utilizing a dedicated working directory to stage encrypted files before exfiltration.

Affected Systems

  • Windows

Attack Chain

Kazuar is initially delivered via droppers like Pelmeni or ShadowLoader, which deploy a .NET loader to execute the encrypted payload. Once active, the malware splits into Kernel, Bridge, and Worker modules, establishing a P2P network via Mailslots and Window Messaging. A leader Kernel is elected to handle all external C2 communication via HTTP, WSS, or EWS, while delegating tasks to Worker modules. The Workers collect system data, log keystrokes, and steal files, staging them in a dedicated working directory before the Bridge module exfiltrates the data to the C2 server.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Microsoft Defender

Microsoft Defender provides native detections for Kazuar components (e.g., KazuarLoader, ShadowLoader) and Secret Blizzard actor activity, but no raw queries or rules are provided in the article.

Detection Engineering Assessment

  • EDR visibility: High. EDR with visibility into IPC mechanisms (Mailslots, Named Pipes, Window Messaging) and process injection can detect the modular interactions and the evasion techniques.
  • Network visibility: Medium. External C2 is restricted to a single leader node and uses standard protocols (HTTP, WSS, EWS), so it blends with normal traffic. Internal P2P communication is only visible to network sensors that monitor host-to-host traffic, and only for the transports that leave the host (named pipes and Mailslots can traverse SMB; Window Messaging cannot).
  • Detection difficulty: Hard. Extensive evasion (AMSI/ETW bypass), the modular architecture, and single-node external C2 significantly reduce the observable footprint.

Required Log Sources

  • Process Creation
  • File Creation
  • Named Pipe Creation
  • Network Connections

Hunting Hypotheses

  • Hypothesis: Consider hunting for anomalous named pipe creation where the pipe name matches the pattern of an MD5 hash (32 hex characters) used for inter-process communication. Telemetry: Named Pipe Creation. ATT&CK stage: Execution. FP risk: Low.
  • Hypothesis: Evaluate whether hidden windows are being registered with class names matching suspicious module names for Window Messaging IPC. Telemetry: API Calls / Window Registration. ATT&CK stage: Execution. FP risk: Medium.
  • Hypothesis: Look for unusual Mailslot creation events, particularly those with names derived from MD5 hashes. Telemetry: File Creation / IPC. ATT&CK stage: Execution. FP risk: Low.
  • Hypothesis: Investigate processes making unexpected outbound connections to Exchange Web Services (EWS) endpoints, especially when the process is not a standard email client. Telemetry: Network Connections. ATT&CK stage: Command and Control. FP risk: Medium.
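The pipe, Mailslot and EWS hypotheses above as working hunt logic, added here as an example (this is not code from the Microsoft article). It assumes telemetry records that carry Source, Name (pipe or Mailslot name), Image (the creating or connecting process) and, for network records, Url. The Sysmon collector, the mail-client allowlist and the sample records at the end are this example's own constructions; only the first pipe name in the sample is the IOC listed on this page. The pipe-name derivation helper follows the IOC description (MD5 of pipename-kernel-<Bot version>), but its text encoding and version string format are assumptions.

```powershell
# Added example, not from the Microsoft article. Record shape (Source, Name, Image, Url) is an assumption.

function Test-HashLikeIpcName {
    # True when a pipe or Mailslot name is exactly 32 hex characters once the
    # "\\.\pipe\", "\\.\mailslot\" or Sysmon's bare "\" prefix is removed.
    param([Parameter(Mandatory)][string]$Name)
    $bare = $Name -replace '^\\\\\.\\(pipe|mailslot)\\', '' -replace '^\\+', ''
    return [bool]($bare -match '^[0-9A-Fa-f]{32}$')
}

function Test-SuspiciousEwsClient {
    # True when a process outside the allowlist talks to an EWS endpoint.
    # The allowlist is an assumption; tune it to what legitimately uses EWS in your estate.
    param([Parameter(Mandatory)][string]$Url, [Parameter(Mandatory)][string]$Image,
          [string[]]$AllowedImages = @('outlook.exe', 'msteams.exe'))
    if ($Url -notmatch '(?i)/ews/exchange\.asmx') { return $false }
    $exe = (($Image -split '[\\/]')[-1]).ToLowerInvariant()
    return $AllowedImages -notcontains $exe
}

function Get-ExpectedKazuarPipeName {
    # Recomputes the default Kernel pipe name from the derivation in the IOC list:
    # MD5("pipename-kernel-<Bot version>") as upper-case hex. UTF-8 and the exact version
    # string are assumptions; use it to precompute candidates for versions you know about.
    param([Parameter(Mandatory)][string]$BotVersion,
          [System.Text.Encoding]$Encoding = [System.Text.Encoding]::UTF8)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try   { $hash = $md5.ComputeHash($Encoding.GetBytes("pipename-kernel-$BotVersion")) }
    finally { $md5.Dispose() }
    return ([System.BitConverter]::ToString($hash) -replace '-', '')
}

function Get-SysmonPipeEvents {
    # Live collector for the IPC check: Sysmon event 17 (Pipe Created) and 18 (Pipe Connected).
    # Sysmon has no Mailslot event; feed "\\.\mailslot\<name>" opens from file/ETW telemetry
    # into Find-KazuarHuntHits using the same record shape.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17, 18 } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Source = "sysmon-$($_.Id)"; Name = $d['PipeName']; Image = $d['Image']; Url = $null }
        }
}

function Find-KazuarHuntHits {
    # Apply both checks to a stream of records and emit only the hits, with the reason.
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        if ($r.Name -and (Test-HashLikeIpcName -Name $r.Name)) {
            [pscustomobject]@{ Reason = 'hash-like IPC name'; Image = $r.Image; Detail = $r.Name; Source = $r.Source }
        }
        if ($r.Url -and (Test-SuspiciousEwsClient -Url $r.Url -Image $r.Image)) {
            [pscustomobject]@{ Reason = 'EWS from non-mail client'; Image = $r.Image; Detail = $r.Url; Source = $r.Source }
        }
    }
}

# Constructed sample telemetry for a dry run. Only the first pipe name is a real IOC from this page;
# the Mailslot name, hostnames and paths are made up for the example.
$sample = @(
    [pscustomobject]@{ Source = 'sysmon-17'; Name = '\82760B84F1D703D596C79B88BA4FAC1E'; Image = 'C:\Windows\System32\svchost.exe'; Url = $null }
    [pscustomobject]@{ Source = 'sysmon-17'; Name = '\PSEXESVC'; Image = 'C:\Windows\PSEXESVC.exe'; Url = $null }
    [pscustomobject]@{ Source = 'sysmon-18'; Name = '\mojo.5412.7.1384730'; Image = 'C:\Program Files\Google\Chrome\chrome.exe'; Url = $null }
    [pscustomobject]@{ Source = 'file-etw'; Name = '\\.\mailslot\0F1E2D3C4B5A69788796A5B4C3D2E1F0'; Image = 'C:\Users\alice\AppData\Roaming\updater.exe'; Url = $null }
    [pscustomobject]@{ Source = 'proxy'; Name = $null; Image = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'; Url = 'https://mail.example.test/EWS/Exchange.asmx' }
    [pscustomobject]@{ Source = 'proxy'; Name = $null; Image = 'C:\Users\alice\AppData\Roaming\updater.exe'; Url = 'https://mail.example.test/EWS/Exchange.asmx' }
)

Find-KazuarHuntHits -Records $sample | Format-Table -AutoSize
```

On a live host replace `$sample` with `Get-SysmonPipeEvents` (plus whatever records your proxy or EDR exports for URL-level network events; Sysmon event 3 carries hostnames, not URLs, so it cannot drive the EWS check on its own). The hidden-window hypothesis is not covered here because registering a window class is not visible in Sysmon and needs API-level telemetry.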

Control Gaps

  • Lack of IPC monitoring (Mailslots, Window Messaging)
  • Insufficient ETW/AMSI tamper protection

Key Behavioral Indicators

  • Creation of Mailslots with MD5-hashed names
  • Named pipes with 32-character hex names
  • Processes registering hidden windows for IPC
  • AMSI/ETW bypass attempts in memory

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking execution of potentially obfuscated scripts and process creations originating from PSExec and WMI commands.
  • Evaluate whether to block executable files from running unless they meet prevalence, age, or trusted list criteria.

Infrastructure Hardening

  • Consider implementing Attack Surface Reduction (ASR) rules to harden the environment against common threat actor techniques.
  • Evaluate enabling network protection and tamper protection in your endpoint security solutions.
  • If applicable, implement PowerShell execution policies to control script loading and enable module/script block logging.
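The Defender controls named in the two lists above, configured with PowerShell as an added example that is not from the Microsoft article. The three GUIDs are Microsoft's published ASR rule identifiers for those rules; the function names, the audit-then-block sequence and the registry-based script logging are this example's own choices. Tamper protection and EDR block mode are set from the Defender portal or Intune rather than from Set-MpPreference, so the script only reports them. Run elevated.

```powershell
# Added example, not from the Microsoft article. Requires an elevated session on a Defender-managed host.

$AsrRules = [ordered]@{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
}

function Set-KazuarAsrRules {
    # Audit mode logs would-be blocks (Microsoft-Windows-Windows Defender/Operational event 1122)
    # without breaking anything; switch to Block (event 1121) once the audit events are clean.
    param([ValidateSet('Audit', 'Block')][string]$Mode = 'Audit')
    $action  = if ($Mode -eq 'Block') { 'Enabled' } else { 'AuditMode' }
    $ids     = [string[]]$AsrRules.Keys
    $actions = [string[]]($ids | ForEach-Object { $action })
    # Add-MpPreference merges with rules already configured; Set-MpPreference would replace the whole list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    # Network protection applies SmartScreen-style reputation blocking to every process, not only browsers.
    Set-MpPreference -EnableNetworkProtection $action
}

function Enable-PowerShellLogging {
    # Script block and module logging through the same policy keys the GPO settings write.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Get-AsrEvents {
    # Recent ASR audit (1122) and block (1121) events, the feed to review before moving to Block.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } -MaxEvents 200 |
        Select-Object TimeCreated, Id, Message
}

function Get-KazuarHardeningState {
    # Read back what is applied. Tamper protection cannot be toggled from Set-MpPreference,
    # so it is reported only; EDR block mode lives in the Defender portal and is not visible here.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $rules  = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if ($AsrRules.Contains($id)) {
            [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; Action = $pref.AttackSurfaceReductionRules_Actions[$i] }
        }
    }
    [pscustomobject]@{
        AsrRules          = $rules
        NetworkProtection = $pref.EnableNetworkProtection
        TamperProtected   = $status.IsTamperProtected
    }
}
```

Typical sequence: `Set-KazuarAsrRules -Mode Audit`, `Enable-PowerShellLogging`, run for a week, review `Get-AsrEvents` for legitimate admin tooling that trips the PsExec/WMI and prevalence rules, then `Set-KazuarAsrRules -Mode Block`. The Action values from `Get-MpPreference` are numeric (1 = Block, 2 = Audit), so `Get-KazuarHardeningState` reports them as Defender stores them.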

User Protection

  • Consider encouraging the use of web browsers that support features like SmartScreen to block malicious websites.
  • Evaluate running EDR in block mode to ensure malicious artifacts are stopped even if primary AV fails.

Security Awareness

  • Consider training users on the risks of phishing and malicious downloads, which are common initial access vectors for droppers.

MITRE ATT&CK Mapping

  • T1090.001 - Proxy: Internal Proxy
  • T1573.001 - Encrypted Channel: Symmetric Cryptography
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1071.003 - Application Layer Protocol: Mail Protocols
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1056.001 - Input Capture: Keylogging
  • T1113 - Screen Capture
  • T1074.001 - Data Staged: Local Data Staging
  • T1559 - Inter-Process Communication

Additional IOCs

  • File Paths:
    • \\.\pipe\82760B84F1D703D596C79B88BA4FAC1E - Default named pipe for Kernel-to-Kernel communication, derived from MD5 of pipename-kernel-<Bot version>