Secret Blizzard / Turla — Kazuar evolved into three-module P2P botnet, European government / diplomatic / defence sectors in scope
From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17
Microsoft Threat Intelligence's 2026-05-14 deep-dive confirms Kazuar — long attributed to Secret Blizzard / Turla (FSB Centre 16; aliases VENOMOUS BEAR, Snake, Uroburos, Blue Python, ATG26) — has evolved from a classic C2 backdoor into a three-module P2P botnet: Kernel (coordinator node; maintains botnet state and runs leadership election), Bridge (C2 relay proxy; communicates upstream via HTTP / WebSocket / Exchange Web Services so that infected hosts avoid direct C2 contact), and Worker (task executor; credential and file exfiltration). Leadership election minimises external traffic and so reduces the detection surface. Microsoft Threat Intelligence notes historically documented targeting of government- and diplomatic-sector organisations in Europe and Central Asia; historical infrastructure overlap with Aqua Blizzard (Storm-0861) is documented (Microsoft Security Blog; daily 2026-05-16).
No named European victims have been publicly disclosed. The outstanding defender question for Swiss / EU public-sector environments: which of your federal / cantonal Exchange installations could carry EWS traffic from Kazuar-class infections without alerting? Detection focus: anomalous cross-process Windows Mailslot and Windows Messaging IPC traffic to system processes; EWS usage from non-mail-client processes (anomalous 4771 / 4769 Kerberos events on Exchange hosts); Exchange Web Services enumeration from HTTP clients whose user agent is not a mail client; outbound HTTPS whose TLS-fingerprint patterns match the Kernel / Bridge / Worker module split.
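The EWS detection point above, worked as an added example (not code from the brief or from Microsoft): it parses constructed Exchange front-end IIS log lines and flags EWS requests whose user agent is not in an assumed allowlist of mail-client user-agent prefixes, then lists client IPs that hit EWS with several different non-mail user agents. Hosts, addresses and the allowlist are constructed assumptions; tune the allowlist to your own estate.

```python
"""Flag Exchange Web Services (EWS) requests from non-mail-client user agents in IIS logs."""
import re
from collections import Counter

# Constructed sample of an Exchange front-end IIS W3C log (hypothetical addresses).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2026-05-12 08:01:10 POST /EWS/Exchange.asmx 10.20.1.15 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17231) 200
2026-05-12 08:01:12 POST /EWS/Exchange.asmx 10.20.1.15 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17231) 200
2026-05-12 08:02:30 POST /EWS/Exchange.asmx 10.20.7.44 - 200
2026-05-12 08:02:31 POST /EWS/Exchange.asmx 10.20.7.44 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 200
2026-05-12 08:03:02 GET /owa/ 10.20.1.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/124 200
2026-05-12 08:03:05 POST /EWS/Exchange.asmx 10.20.7.44 python-requests/2.31 401
"""

# Assumed allowlist of user-agent prefixes for legitimate EWS consumers; tune per estate.
KNOWN_MAIL_CLIENT_UA = ("Microsoft+Office/", "MacOutlook/", "ExchangeServicesClient/")

EWS_PATH = re.compile(r"^/ews/", re.IGNORECASE)


def parse_iis(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_mail_client(user_agent):
    return user_agent.startswith(KNOWN_MAIL_CLIENT_UA)


def suspicious_ews(records):
    """Count EWS hits per (client IP, user agent) where the UA is not a known mail client.
    An empty UA ('-') counts as non-mail-client: Outlook always sends one."""
    hits = Counter()
    for r in records:
        if EWS_PATH.match(r["cs-uri-stem"]) and not is_mail_client(r["cs(User-Agent)"]):
            hits[(r["c-ip"], r["cs(User-Agent)"])] += 1
    return hits


def suspicious_ips(hits, min_distinct_uas=2):
    """IPs reaching EWS with several distinct non-mail UAs: tooling churn worth triage."""
    per_ip = Counter(ip for ip, _ in hits)
    return {ip for ip, n in per_ip.items() if n >= min_distinct_uas}


if __name__ == "__main__":
    found = suspicious_ews(parse_iis(SAMPLE_LOG))
    for (ip, ua), n in found.items():
        print(f"{ip:<12} {n:>3} EWS request(s) with UA {ua}")
    print("IPs with multiple non-mail UAs:", suspicious_ips(found))
```

On the sample, all three flagged requests come from 10.20.7.44, which is also the only IP with multiple non-mail user agents; a successful (200) EWS call with an empty or browser-like user agent is the case worth correlating with the 4769 / 4771 events named above.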