Particle.news

Turla Rebuilds Kazuar Into Modular P2P Botnet for Stealthy Long-Term Access

Researchers say the redesign lets the group hide outbound traffic to keep persistent control.

Overview

  • Microsoft reports Kazuar now runs as three modules—Kernel, Bridge, and Worker—under the Russian-linked Secret Blizzard/Turla group that U.S. officials associate with FSB Center 16.
  • The Kernel component elects a single leader by weighing each host's run time against its interruptions, so that only the leader communicates outward while the other hosts stay silent.
  • The Bridge module proxies all external traffic to command servers using Exchange Web Services, HTTP, or WebSockets to look like normal network use.
  • The Worker module performs spying tasks such as keylogging, screenshots, and file and email collection, and then encrypts and stages the collected data in a dedicated on-disk folder for later upload.
  • Researchers detail about 150 configuration options plus built-in bypasses for AMSI, ETW, and WLDP, and advise defenders to focus on behaviors such as peer messaging, staging folders, and proxy patterns rather than static indicators.