ctipilot.ch


Secret Blizzard / Turla (FSB Centre 16) — Kazuar evolves into three-module P2P botnet [SINGLE-SOURCE: Microsoft]

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

Microsoft's 2026-05-14 analysis documents Kazuar's architectural evolution: three distinct modules — Kernel (core backdoor), Bridge (P2P relay mesh using victim machines as C2 relay infrastructure), and Worker (staged deployment and task execution). The P2P mesh eliminates reliance on single-hop CDN-based C2, dramatically improving Secret Blizzard's resilience to sinkholing and domain takedowns. This follows the broader pattern of state-sponsored operators rebuilding after the 2024–2025 takedown cycle. Defender implication: network-level C2 blocking becomes insufficient; behavioural detection on Kernel backdoor staging sequences and lateral-movement TTPs (T1021.002 SMB, T1055 process injection) is the only reliable detection layer.
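The brief's closing point, that the reliable layer is behavioural correlation of the staging sequence rather than C2 blocking, can be made concrete with a small sequence detector. The following is an added example written for this brief; it is not Microsoft's detection logic, not Kazuar-specific, and makes two assumptions: that an upstream EDR/NDR pipeline already tags events with an ATT&CK technique id (the `technique=` field), and that a T1055 process-injection event followed within a short window by T1021.002 SMB activity from the same host is worth raising. The log lines, host names, the 30-minute window and the function names (`parse_log`, `detect_staging_sequences`) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from the brief). Each line is assumed to come
# from an EDR/NDR pipeline that has already tagged the event with an ATT&CK id.
SAMPLE_LOG = """\
2026-05-19T10:02:11Z host=ws-17 user=jdoe technique=T1055 detail=CreateRemoteThread->explorer.exe
2026-05-19T10:09:40Z host=ws-17 user=jdoe technique=T1021.002 detail=SMB ADMIN$ write to fs-02
2026-05-19T10:10:05Z host=ws-17 user=jdoe technique=T1021.002 detail=SMB ADMIN$ write to fs-03
2026-05-19T11:30:00Z host=ws-21 user=asmith technique=T1021.002 detail=SMB share mount to fs-02
2026-05-19T13:00:00Z host=ws-33 user=svc technique=T1055 detail=QueueUserAPC->svchost.exe
2026-05-19T15:45:00Z host=ws-33 user=svc technique=T1021.002 detail=SMB ADMIN$ write to dc-01
this line is deliberately malformed and must be skipped
"""

# key=value layout assumed for the constructed log format above
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"technique=(?P<technique>\S+) detail=(?P<detail>.*)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into event dicts; malformed lines are
    skipped rather than allowed to crash the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "host": m["host"],
            "user": m["user"],
            "technique": m["technique"],
            "detail": m["detail"],
        })
    return events


def detect_staging_sequences(events: list[dict], window_minutes: int = 30) -> list[dict]:
    """Raise one alert per (host, injection event) where a T1055 event is followed
    within `window_minutes` by at least one T1021.002 event on the same host.
    The alert carries every SMB event in the window so the analyst sees the
    fan-out to other machines, not just the first hop."""
    window = timedelta(minutes=window_minutes)
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])          # correlation needs time order
        for i, e in enumerate(evs):
            if e["technique"] != "T1055":
                continue
            followers = [
                f for f in evs[i + 1:]
                if f["technique"] == "T1021.002" and f["ts"] - e["ts"] <= window
            ]
            if followers:
                alerts.append({
                    "host": host,
                    "user": e["user"],
                    "injection_ts": e["ts"],
                    "injection_detail": e["detail"],
                    "lateral": followers,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_staging_sequences(parse_log(SAMPLE_LOG)):
        print(f"[ALERT] {a['host']} user={a['user']} injection={a['injection_detail']} "
              f"at {a['injection_ts'].isoformat()} followed by {len(a['lateral'])} SMB event(s)")
```

On the constructed input, only `ws-17` fires: the SMB writes on `ws-21` have no preceding injection, and on `ws-33` the gap between injection and SMB activity exceeds the window. The window is the main tuning knob; widening it catches slower staging at the cost of more coincidental admin-tool SMB traffic landing in alerts, so in practice it is set per environment from baseline lateral-movement timing rather than fixed at 30 minutes.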