Secret Blizzard / Turla / FSB Centre 16 — Kazuar P2P botnet anatomy (Microsoft Threat Intelligence 2026-05-14)

Microsoft Threat Intelligence published on 2026-05-14 a detailed technical anatomy of the latest Kazuar implant generation, attributed to Secret Blizzard — the Russian state cluster CISA assesses as affiliated with Centre 16 of the FSB and previously tracked as Turla, Snake, Uroburos, Venomous Bear, and ATG26 (Microsoft Threat Intelligence, 2026-05-14 · The Hacker News, 2026-05-15). Kazuar has moved from a monolithic .NET backdoor into a three-module P2P ecosystem: Kernel (the single designated C2 relay per compromised environment, selected by a leadership-election algorithm that scores nodes on uptime divided by reboot count and confirms via Mailslot IPC), Bridge (relay nodes proxying between Kernel and the operator infrastructure), and Worker (leaf tasking nodes performing keylogging, screenshot capture, MAPI mailbox enumeration, file collection, and credential harvest). Inter-module IPC uses Windows Messaging and Mailslots; payload serialisation is Google Protocol Buffers. External C2 channels are HTTP, WebSocket Secure (WSS), and Exchange Web Services (EWS) — abusing the target's own mail infrastructure as a covert egress path. Configuration is unusually rich: ~150 distinct types across eight categories including AMSI / WLDP / ETW bypass switches, weekday-business-hours exfiltration windows (08:00–20:00 default), keylogger buffer sizes, and screenshot cadence. The Pelmeni dropper binds payloads to the target hostname via encryption keyed on the local machine name, preventing execution on analyst workstations. Microsoft documents that Secret Blizzard has been observed targeting systems in Ukraine previously compromised by Aqua Blizzard / Gamaredon — meaning any environment that has previously detected Gamaredon should treat Kazuar implant presence as a concurrent hypothesis (defender inference, not a Microsoft attribution claim). MITRE ATT&CK: T1095 Non-Application Layer Protocol (Mailslot IPC), T1071.001 Web Protocols (HTTP/WSS C2), T1114.002 Email Collection: Remote Email Collection (EWS/MAPI), T1056.001 Keylogging, T1090.001 Internal Proxy, T1027 Obfuscated Files (hostname-bound encryption), T1562.001 Disable or Modify Tools (AMSI/WLDP/ETW). Defender posture: rules looking for outbound beaconing on every infected host miss Kazuar by design — only the Kernel node calls out. Hunt for Mailslot creation events from non-standard processes (Sysmon EID 17/18), unsigned DLLs registered as LSA notification packages (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages), and programmatic EWS authentication from non-Exchange processes against the organisation's own mail servers.

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

For every Jenkins controller running the Checkmarx Jenkins AST plugin: confirm installed plugin version; if 2026.5.09 was ever pulled (auto-update enabled, or manual install in window), declare a secrets-compromise incident, rotate every credential the runner could read (GitHub PATs, AWS / Azure / GCP access keys, Kubernetes service-account tokens, Docker registry credentials, SSH keys, Checkmarx One API tokens, and any LLM API keys exposed to CI), and audit any artefact built or deployed in the window. Pin the plugin to 2.0.13-829.vc72453fa_1c16 per Checkmarx's ongoing-security-updates page. Where the Jenkins platform supports it, migrate runners to OIDC-federated short-lived credentials so the next supply-chain compromise yields no usable secrets.