Secret Blizzard (Turla / FSB Centre 16) evolves Kazuar into a three-module peer-to-peer botnet — worldwide ministries, embassies, defence sector targeted; European environments squarely in scope
From CTI Daily Brief — 2026-05-16 · published 2026-05-16
Microsoft Threat Intelligence published on 2026-05-14 a detailed technical anatomy of the latest Kazuar implant generation, attributed to Secret Blizzard — the Russian state cluster CISA assesses as affiliated with Centre 16 of the FSB and previously tracked as Turla, Snake, Uroburos, Venomous Bear, and ATG26 (Microsoft Threat Intelligence, 2026-05-14 · The Hacker News, 2026-05-15).

Kazuar has moved from a monolithic .NET backdoor into a three-module P2P ecosystem: Kernel (the single designated C2 relay per compromised environment, selected by a leadership-election algorithm that scores nodes on uptime divided by reboot count and confirms via Mailslot IPC), Bridge (relay nodes proxying between Kernel and the operator infrastructure), and Worker (leaf tasking nodes performing keylogging, screenshot capture, MAPI mailbox enumeration, file collection, and credential harvest). Inter-module IPC uses Windows Messaging and Mailslots; payload serialisation is Google Protocol Buffers. External C2 channels are HTTP, WebSocket Secure (WSS), and Exchange Web Services (EWS) — abusing the target's own mail infrastructure as a covert egress path.

Configuration is unusually rich: ~150 distinct types across eight categories, including AMSI / WLDP / ETW bypass switches, weekday-business-hours exfiltration windows (08:00–20:00 default), keylogger buffer sizes, and screenshot cadence. The Pelmeni dropper binds payloads to the target hostname via encryption keyed on the local machine name, preventing execution on analyst workstations.

Microsoft documents that Secret Blizzard has been observed targeting systems in Ukraine previously compromised by Aqua Blizzard / Gamaredon — meaning any environment that has previously detected Gamaredon should treat Kazuar implant presence as a concurrent hypothesis (defender inference, not a Microsoft attribution claim).
MITRE ATT&CK: T1095 Non-Application Layer Protocol (Mailslot IPC), T1071.001 Web Protocols (HTTP/WSS C2), T1114.002 Email Collection: Remote Email Collection (EWS/MAPI), T1056.001 Keylogging, T1090.001 Internal Proxy, T1027 Obfuscated Files (hostname-bound encryption), T1562.001 Disable or Modify Tools (AMSI/WLDP/ETW).

Defender posture: rules looking for outbound beaconing on every infected host miss Kazuar by design — only the Kernel node calls out. Hunt for Mailslot creation events from non-standard processes (Sysmon EID 17/18), unsigned DLLs registered as LSA notification packages (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages), and programmatic EWS authentication from non-Exchange processes against the organisation's own mail servers.
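As an added example (not code from Microsoft's report or from this brief), the Python hunt below applies the three checks above to a constructed, normalised event feed and uses the brief's point that only the Kernel node egresses: a host showing non-standard Mailslot IPC together with EWS authentication from a non-Exchange process is the Kernel candidate, while hosts showing IPC alone are Worker/Bridge candidates. Hostnames, paths, event field names and the allow-lists are assumptions to be tuned per environment.

```python
from collections import defaultdict

# Constructed sample events (hypothetical hosts, paths and field names), as they
# might arrive from a normalised endpoint feed. Not real telemetry.
EVENTS = [
    {"host": "WS-01", "kind": "mailslot_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS-01", "kind": "mailslot_create", "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"host": "WS-02", "kind": "mailslot_create", "image": r"C:\Users\bob\AppData\Roaming\sync.exe"},
    {"host": "WS-03", "kind": "mailslot_create", "image": r"C:\ProgramData\mon\host.exe"},
    {"host": "WS-03", "kind": "ews_auth", "image": r"C:\ProgramData\mon\host.exe", "dst": "mail.corp.example"},
    {"host": "WS-04", "kind": "ews_auth", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "dst": "mail.corp.example"},
    {"host": "WS-03", "kind": "lsa_notification_pkg", "image": r"C:\Windows\System32\nph.dll", "signed": False},
    {"host": "WS-01", "kind": "lsa_notification_pkg", "image": r"C:\Windows\System32\scecli.dll", "signed": True},
]

# Hypothetical baselines: processes expected to create Mailslots, and processes
# expected to authenticate to EWS. Both must be derived from the real environment.
MAILSLOT_ALLOWLIST = {"svchost.exe", "lsass.exe", "spoolsv.exe"}
EWS_CLIENT_ALLOWLIST = {"outlook.exe", "microsoft.exchange.rpcclientaccess.service.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Map each host to the set of hunt hits it triggered (hosts with no hits are omitted)."""
    findings = defaultdict(set)
    for e in events:
        proc = basename(e["image"])
        if e["kind"] == "mailslot_create" and proc not in MAILSLOT_ALLOWLIST:
            findings[e["host"]].add("mailslot_nonstandard")
        elif e["kind"] == "ews_auth" and proc not in EWS_CLIENT_ALLOWLIST:
            findings[e["host"]].add("ews_non_exchange_client")
        elif e["kind"] == "lsa_notification_pkg" and not e.get("signed", False):
            findings[e["host"]].add("lsa_unsigned_pkg")
    return dict(findings)


def classify(findings):
    """Assign a likely Kazuar role per host: IPC plus mail egress -> Kernel; IPC only -> Worker/Bridge."""
    roles = {}
    for host, hits in findings.items():
        if "mailslot_nonstandard" in hits and "ews_non_exchange_client" in hits:
            roles[host] = "kernel_candidate"
        elif "mailslot_nonstandard" in hits:
            roles[host] = "peer_candidate"  # Worker or Bridge: no egress seen, which is expected
        else:
            roles[host] = "review"
    return roles
```

Run `classify(hunt(EVENTS))` to see one Kernel candidate (WS-03) and two peer candidates (WS-01, WS-02); WS-04's Outlook EWS use is baselined out.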