Modular Design and Targeting
A nation-state threat group tracked as Secret Blizzard has significantly enhanced Kazuar, transforming it from a basic backdoor into a sophisticated, modular peer-to-peer botnet. The malware is engineered for long-term covert espionage against high-value government and diplomatic targets. Microsoft researchers detailed that Kazuar now operates as a structured ecosystem of three distinct modules, each performing a specific role within a compromised network. The group has targeted government ministries, embassies, defense departments, and diplomatic organizations across Europe and Central Asia.
Delivery and Data Collection
Kazuar is typically delivered through a dropper called Pelmeni, which carries an encrypted second-stage payload. In some cases this payload is bound to the target's specific device: it will only decrypt and run on that exact machine, so it does not detonate on a sandbox or an analyst's workstation, which makes early detection extremely difficult. The malware collects a wide range of data, including keystrokes, screenshots, email content, browser data, running processes, and USB device information. All stolen data is encrypted, staged locally, and exfiltrated during carefully timed communication windows designed to blend with normal network traffic. Secret Blizzard has also been observed taking over systems in Ukraine that were previously compromised by another threat actor, reflecting a calculated and patient operational approach.
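The device-bound payload described above is a form of environmental keying: the decryption key is never stored in the dropper but is rederived at run time from identifiers of the host it was built for. The following is an added illustration of that technique, not Pelmeni's or Kazuar's code; the host fields it keys on (hostname, machine GUID, volume serial), the key-derivation parameters, and the HMAC-based stand-in cipher are all assumptions chosen to keep the example on the Python standard library.

```python
import hashlib
import hmac
import os

# Added example of an environment-keyed second stage. Not the real dropper's
# code: which host fields Pelmeni actually binds to is not stated on the page,
# so the three fields below are assumed for illustration only.

TAG_LEN = 32


def host_fingerprint(hostname, machine_guid, volume_serial):
    """Canonical fingerprint of the host the payload is bound to.
    Fields are lower-cased so trivial case differences do not change the key."""
    material = "|".join([hostname.lower(), machine_guid.lower(), volume_serial.lower()])
    return hashlib.sha256(material.encode("utf-8")).digest()


def derive_key(fingerprint, salt):
    """Derive a 32-byte payload key from the fingerprint. A slow KDF makes it
    costly for an analyst to brute-force an unknown fingerprint field."""
    return hashlib.pbkdf2_hmac("sha256", fingerprint, salt, 200_000, dklen=32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a stand-in PRF. A real sample would use a
    block cipher; this keeps the example dependency-free."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None when the key (i.e. the host) does not match.
    The tag check means a wrong host gets nothing rather than garbage code."""
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_bound_payload(payload, hostname, machine_guid, volume_serial):
    """Builder side, run once per target: bind the second stage to that host.
    Returns (salt, blob). The key itself is never written into the dropper."""
    salt = os.urandom(16)
    key = derive_key(host_fingerprint(hostname, machine_guid, volume_serial), salt)
    return salt, seal(key, payload)


def run_on_host(salt, blob, hostname, machine_guid, volume_serial):
    """Dropper side, at run time: rederive the key from the local host and try
    to unseal. Yields the stage on the intended machine and None anywhere else."""
    key = derive_key(host_fingerprint(hostname, machine_guid, volume_serial), salt)
    return unseal(key, blob)


if __name__ == "__main__":
    # Constructed sample values; no real host identifiers.
    stage = b"constructed second-stage bytes"
    target = ("WS-FIN-017", "2b0f4c9e-5d61-4a7a-9c1e-3f8d0a6b7c21", "A1B2C3D4")
    sandbox = ("SANDBOX-01", "00000000-0000-0000-0000-000000000000", "DEADBEEF")
    salt, blob = build_bound_payload(stage, *target)
    print("on target :", run_on_host(salt, blob, *target))
    print("in sandbox:", run_on_host(salt, blob, *sandbox))
```

The practical consequence for responders is that the encrypted blob alone is not enough to recover the second stage: the same identifiers must be harvested from the victim host (or supplied to the dropper in a lab that impersonates it) before the payload will decrypt, and a slow KDF plus an authentication tag means a wrong guess fails cleanly rather than revealing partial plaintext.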
Source: Cyber Security News
