Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

Turla group evolves Kazuar backdoor into modular P2P botnet

The Russian state-sponsored threat actor Turla has evolved its Kazuar backdoor into a modular peer-to-peer botnet for stealthy, persistent intelligence gathering. The new architecture consists of three components: a central Kernel coordinator, a Bridge proxy for C2 communication, and a Worker module for data collection, using droppers like Pelmeni for initial access. This modular design enhances flexibility and reduces the malware's footprint, facilitating long-term espionage operations.

Threat Intelligence. May 18, 2026. By SC Staff.

The Russian state-sponsored hacking group Turla has updated its custom backdoor, Kazuar, transforming it into a modular peer-to-peer botnet designed for stealth and persistent access. This evolution aligns with the group's objective of long-term intelligence gathering, enhancing its capabilities for sophisticated cyber operations, with further coverage provided by The Hacker News.

Turla, also known as Secret Blizzard and linked to Russia's FSB, has re-engineered its Kazuar .NET backdoor, first used in 2017, into a modular botnet. This new architecture features three distinct components: Kernel, Bridge, and Worker. The Kernel module acts as the central coordinator, managing tasks, communication, and anti-analysis checks. The Bridge module serves as a proxy to the command-and-control (C2) server, while the Worker module handles data collection, including keystrokes and system information.

This modular design allows for flexible configuration, reduces the malware's footprint, and facilitates broad tasking. Attacks leveraging this updated Kazuar have been observed using droppers like Pelmeni and ShadowLoader.

The Kernel module can elect a leader to manage communications and tasking, using methods like Windows Messaging, Mailslot, and named pipes for internal communication, and Exchange Web Services, HTTP, and WebSockets for external C2 contact. Data collected by the Worker is aggregated, encrypted, and exfiltrated via a dedicated working directory.

Source: The Hacker News
