ctipilot.ch

Secret Blizzard / Turla / FSB Centre 16 — Kazuar P2P botnet anatomy (Microsoft Threat Intelligence 2026-05-14)

Entity type: actor (actor:SecretBlizzard)

Coverage timeline: 1 (first 2026-05-16 → last 2026-05-18)
Briefs: 1 (1 distinct)
Sources cited: 122 (64 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-05-16 · CTI Daily Brief — 2026-05-16 (active_threats)
     First coverage. MSFT TI publishes Kazuar three-module P2P botnet anatomy (Kernel/Bridge/Worker), Mailslot leadership election, ~150 config types, AMSI/WLDP/ETW bypasses, EWS C2 via target's own mail infra, hostname-bound payload encryption; primary targets European MFAs, embassies, defence contractors; Aqua Blizzard / Gamaredon access-broker overlap.

Where this entity is cited

  • active_threats: 1

Source distribution

  • thehackernews.com: 16 (13%)
  • attack.mitre.org: 16 (13%)
  • securityweek.com: 7 (6%)
  • bleepingcomputer.com: 5 (4%)
  • socket.dev: 4 (3%)
  • therecord.media: 3 (2%)
  • github.com: 3 (2%)
  • research.jfrog.com: 3 (2%)
  • other: 65 (53%)


Items in briefs about Secret Blizzard / Turla / FSB Centre 16 — Kazuar P2P botnet anatomy (Microsoft Threat Intelligence 2026-05-14) (7)

ShapedPlugin's official update channel shipped backdoored WordPress Pro plugins — credential, 2FA-secret and web-shell theft

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

If you did nothing this week: any site running the ShapedPlugin Pro plugins that auto-updated through the licensed channel pulled backdoor code straight from the vendor — patch level was no defence, because the trusted distribution pipeline itself was the attacker. The malicious LicenseLoader.php loads inside the WordPress admin panel, fetches a second stage, installs it as a fake plugin and self-deletes to frustrate forensics.

Wordfence disclosed on 2026-06-22 that an attacker breached ShapedPlugin's build and Easy Digital Downloads distribution pipeline and injected backdoor code into the Pro (paid) releases of three plugins, served through official update channels. The implant harvests credentials and 2FA secrets and drops a web shell (BleepingComputer). For a public-sector or education estate that runs WordPress behind a CMS team, the hunt is for the fake-plugin artefact and unexpected LicenseLoader.php execution in the admin context, plus credential/2FA rotation for any admin who logged in during the exposure window — not merely "update the plugin." (daily 06-23)

ShapedPlugin build pipeline compromised — three Pro WordPress plugins backdoored to steal credentials, 2FA secrets and drop a web shell

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

Wordfence disclosed on 2026-06-22 that an attacker breached the build and Easy Digital Downloads (EDD) distribution pipeline of plugin vendor ShapedPlugin and injected backdoor code into the Pro (paid) releases of three products — Product Slider Pro for WooCommerce (before 3.5.4), Real Testimonials Pro (fixed in 3.2.5) and Smart Post Show Pro (before 4.0.2) — tracked as CVE-2026-10735 (Wordfence, 2026-06-22; BleepingComputer, 2026-06-22). The free versions hosted on the WordPress.org repository were not affected — only the licensed Pro updates pushed through EDD between roughly 21 May and 12–16 June carried the injection. The malicious code planted a LicenseLoader.php stub that executes when an administrator loads any wp-admin page; it calls out to a C2, downloads a second-stage payload, installs it as a hidden fake plugin (masquerading as woocommerce-subscription / woocommerce-notification), reports the victim domain, then deletes itself to frustrate forensics (The Hacker News, 2026-06-22). The second stage steals WordPress admin credentials, 2FA TOTP secrets, wp-config.php salts and database credentials, and maintains persistence through hidden REST API endpoints. Timestamp analysis pointed to an automated injection touching only four files inside a two-hour window — consistent with a pipeline-level compromise rather than manual tampering.

Why it matters to us: This is the "trusted update channel" supply-chain pattern again (cf. the W25 OptinMonster strand), and the operational consequence is that patching is not remediation — Wordfence's guidance is to treat any site that installed an affected Pro update as fully compromised. Detection concepts (no IOCs): hunt for a LicenseLoader.php in plugin directories; for installed plugins named woocommerce-subscription / woocommerce-notification that do not appear in the admin plugin list; for php-fpm/apache2/nginx child processes making outbound connections (Sysmon EID 1 with a web-server parent image, or auditd execve on PHP workers); and for wp_users rows with administrator role created after ~21 May. Mapped to T1195.002 Compromise Software Supply Chain, T1505.003 Server Software Component: Web Shell, T1552.001 Unsecured Credentials: Credentials In Files. Remediation: update to the fixed Pro versions, then rotate all WordPress secrets — admin passwords, 2FA, DB credentials and wp-config.php salts — and review the WooCommerce order/SMTP-credential exposure.
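The detection concepts above (version range, LicenseLoader.php stub, hidden fake-plugin directories, administrator accounts created after ~21 May) written out as runnable hunt helpers. This is an added example, not Wordfence's, ShapedPlugin's or the brief's code: the fixed versions, stub name, fake plugin slugs and window start are taken from the item text; the plugin directory layout, the real-testimonials-pro slug and the wp_users export format are constructed assumptions for the demo.

```python
"""Hunt helpers for the ShapedPlugin Pro backdoor pattern.

Added example, not Wordfence's or ShapedPlugin's code. The fixed-version
thresholds, the LicenseLoader.php stub name, the fake plugin slugs and the
~21 May window come from the advisory summary; the plugin directory layout,
the real-testimonials-pro slug and the wp_users export format are
constructed assumptions for the demo.
"""
from __future__ import annotations

from datetime import date, datetime

# Fixed Pro versions: anything below these is in the affected range.
FIXED_VERSIONS = {
    "Product Slider Pro for WooCommerce": (3, 5, 4),
    "Real Testimonials Pro": (3, 2, 5),
    "Smart Post Show Pro": (4, 0, 2),
}
# Names the second stage hides under, and the first-stage stub file.
FAKE_PLUGIN_SLUGS = {"woocommerce-subscription", "woocommerce-notification"}
STUB_FILENAME = "LicenseLoader.php"
# Start of the exposure window (~21 May 2026).
EXPOSURE_START = date(2026, 5, 21)

# Constructed sample input: paths under wp-content/plugins as a file walk
# would return them, the slugs the admin plugin list shows, and a wp_users
# export joined with the role from wp_usermeta.
SAMPLE_PATHS = [
    "wp-content/plugins/real-testimonials-pro/real-testimonials-pro.php",
    "wp-content/plugins/real-testimonials-pro/includes/LicenseLoader.php",
    "wp-content/plugins/woocommerce-subscription/index.php",
    "wp-content/plugins/woocommerce/woocommerce.php",
]
SAMPLE_ACTIVE_SLUGS = {"real-testimonials-pro", "woocommerce"}
SAMPLE_USERS = [
    ("ops-admin", "2026-02-10 09:00:00", "administrator"),
    ("editor-jo", "2026-06-01 12:00:00", "editor"),
    ("wp-svc", "2026-06-03 03:14:00", "administrator"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.5.3' into (3, 5, 3); non-numeric fragments compare as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(plugin_name: str, installed_version: str) -> bool:
    """True when an installed Pro version predates its fixed release."""
    fixed = FIXED_VERSIONS.get(plugin_name)
    if fixed is None:
        return False  # not one of the three backdoored products
    return parse_version(installed_version) < fixed


def suspicious_paths(paths: list[str], active_plugin_slugs: set[str]) -> list[str]:
    """Flag LicenseLoader.php stubs and fake plugin directories that exist on
    disk but are absent from the admin plugin list (the hidden-plugin artefact)."""
    hits = set()
    for p in paths:
        parts = p.strip("/").split("/")
        if "plugins" not in parts:
            continue
        idx = parts.index("plugins")
        slug = parts[idx + 1] if idx + 1 < len(parts) else ""
        if parts[-1] == STUB_FILENAME:
            hits.add(f"stub: {p}")
        if slug in FAKE_PLUGIN_SLUGS and slug not in active_plugin_slugs:
            hits.add(f"hidden plugin dir: {slug}")
    return sorted(hits)


def admins_created_in_window(user_rows, window_start: date = EXPOSURE_START) -> list[str]:
    """Logins of administrator accounts registered on or after the window start."""
    flagged = []
    for login, registered, role in user_rows:
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S").date()
        if role == "administrator" and created >= window_start:
            flagged.append(login)
    return flagged


if __name__ == "__main__":
    print("affected:", is_affected("Real Testimonials Pro", "3.2.4"))
    print("artefacts:", suspicious_paths(SAMPLE_PATHS, SAMPLE_ACTIVE_SLUGS))
    print("new admins:", admins_created_in_window(SAMPLE_USERS))
```

In a real hunt, feed `suspicious_paths` the output of a directory walk over wp-content/plugins and `active_plugin_slugs` from the admin plugin list (or the active_plugins option); the point of the comparison is that the fake plugin is present on disk but invisible in the UI. A clean result does not prove a site is safe, since the stub self-deletes; a site that ever pulled an affected Pro update still gets the full secret rotation the brief describes.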

Five Eyes "Safeguarding Our Secrets" — Chinese military intelligence systematically recruiting via LinkedIn and job platforms

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

On 2026-06-03 the five Five Eyes domestic intelligence agencies (ASIO, CSIS, FBI, MI5, NZSIS) released a joint bulletin warning that China's military-intelligence apparatus is systematically using professional-networking and freelance-work platforms — LinkedIn, Indeed, Upwork — to identify and cultivate cleared personnel, academics, researchers and defence/policy staff (MI5; The Record, 2026-06-03; daily 2026-06-06). The tradecraft: operatives pose as recruiters or think-tank staff for fabricated cover companies outside China, open with benign foreign-policy research commissions paying hundreds to a few thousand dollars per deliverable, then escalate toward sensitive material and migrate the relationship to encrypted messaging to reduce platform visibility. Switzerland — outside Five Eyes but a hub for international organisations, financial regulation, and dual-use research — is squarely in the target set. The defensible surface is personnel-security, not EDR: brief cleared and research staff on the innocuous-task-to-sensitive-request progression and give them a low-friction route to report unsolicited foreign-recruitment contact.

Secret Blizzard / Turla — Kazuar evolved into three-module P2P botnet, European government / diplomatic / defence sectors in scope

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Microsoft Threat Intelligence's 2026-05-14 deep-dive confirms Kazuar — long attributed to Secret Blizzard / Turla (FSB Centre 16; aliases VENOMOUS BEAR, Snake, Uroburos, Blue Python, ATG26) — has evolved from a classic C2 backdoor into a three-module P2P botnet: Kernel (coordinator node, maintains botnet state and leadership election), Bridge (C2 relay proxy, communicates upstream via HTTP / WebSocket / Exchange Web Services so that Worker nodes never contact C2 directly), and Worker (task executor, credential and file exfiltration). Leadership election minimises external traffic to reduce the detection surface. Microsoft Threat Intelligence cites historically documented targeting of government- and diplomatic-sector organisations in Europe and Central Asia; historical infrastructure overlap with Aqua Blizzard (Storm-0861) is documented (Microsoft Security Blog; daily 2026-05-16).

No named European victims have been publicly disclosed. The outstanding defender question for Swiss / EU public-sector environments: which of your federal / cantonal Exchange installations could carry EWS traffic from Kazuar-class infections without alerting? Detection focus: anomalous cross-process Windows Mailslot and Windows Messaging IPC traffic directed at system processes; EWS usage from non-mail-client processes (anomalous 4771 / 4769 Kerberos events on Exchange hosts); Exchange Web Services enumeration from HTTP clients whose user agent is not a mail client; outbound HTTPS with TLS-fingerprint patterns matching the Kernel / Bridge / Worker module split.

Secret Blizzard (Turla / FSB Centre 16) evolves Kazuar into a three-module peer-to-peer botnet — worldwide ministries, embassies, defence sector targeted; European environments squarely in scope

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

On 2026-05-14 Microsoft Threat Intelligence published a detailed technical anatomy of the latest Kazuar implant generation, attributed to Secret Blizzard — the Russian state cluster CISA assesses as affiliated with Centre 16 of the FSB and previously tracked as Turla, Snake, Uroburos, Venomous Bear, and ATG26 (Microsoft Threat Intelligence, 2026-05-14 · The Hacker News, 2026-05-15). Kazuar has moved from a monolithic .NET backdoor into a three-module P2P ecosystem: Kernel (the single designated C2 relay per compromised environment, selected by a leadership-election algorithm that scores nodes on uptime divided by reboot count and confirms via Mailslot IPC), Bridge (relay nodes proxying between Kernel and the operator infrastructure), and Worker (leaf tasking nodes performing keylogging, screenshot capture, MAPI mailbox enumeration, file collection, and credential harvest). Inter-module IPC uses Windows Messaging and Mailslots; payload serialisation is Google Protocol Buffers. External C2 channels are HTTP, WebSocket Secure (WSS), and Exchange Web Services (EWS) — abusing the target's own mail infrastructure as a covert egress path. Configuration is unusually rich: ~150 distinct types across eight categories including AMSI / WLDP / ETW bypass switches, weekday-business-hours exfiltration windows (08:00–20:00 default), keylogger buffer sizes, and screenshot cadence. The Pelmeni dropper binds payloads to the target hostname via encryption keyed on the local machine name, preventing execution on analyst workstations. Microsoft documents that Secret Blizzard has been observed targeting systems in Ukraine previously compromised by Aqua Blizzard / Gamaredon — meaning any environment that has previously detected Gamaredon should treat Kazuar implant presence as a concurrent hypothesis (defender inference, not a Microsoft attribution claim).

MITRE ATT&CK: T1095 Non-Application Layer Protocol (Mailslot IPC), T1071.001 Web Protocols (HTTP/WSS C2), T1114.002 Email Collection: Remote Email Collection (EWS/MAPI), T1056.001 Keylogging, T1090.001 Internal Proxy, T1027 Obfuscated Files (hostname-bound encryption), T1562.001 Disable or Modify Tools (AMSI/WLDP/ETW). Defender posture: rules looking for outbound beaconing on every infected host miss Kazuar by design — only the Kernel node calls out. Hunt for Mailslot creation events from non-standard processes (Sysmon EID 17/18), unsigned DLLs registered as LSA notification packages (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages), and programmatic EWS authentication from non-Exchange processes against the organisation's own mail servers.
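The three hunts named in the defender posture above, and the EWS-from-non-mail-client check in the W20 item, as an added triage script over exported telemetry. This is not Microsoft's detection logic or code from the brief: the Sysmon events, the registry contents, the IIS log excerpt, the image baseline, the LSA package baseline and the mail-client user-agent markers are all constructed assumptions that a team would replace with its own baselines.

```python
"""Three Kazuar-oriented hunt checks over exported telemetry.

Added example; this is not Microsoft's detection logic or code. It implements
the hunts the brief lists: Sysmon EID 17/18 pipe events from non-standard
images, LSA Notification Packages entries outside the baseline or unsigned,
and EWS requests from non-mail-client user agents. Every sample event, the
baselines and the user-agent markers are constructed assumptions to be tuned
against the estate's own history.
"""
from __future__ import annotations

import ntpath

# Assumed baseline of images that routinely create or connect pipes.
PIPE_IMAGE_BASELINE = {"svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe", "explorer.exe"}
# 'scecli' is the stock LSA notification package; 'rassfm' appears on RRAS hosts.
LSA_PACKAGE_BASELINE = {"scecli", "rassfm"}
# User-agent fragments of clients expected to talk EWS (assumed starting list).
EWS_CLIENT_UA_MARKERS = ("Microsoft Office", "MacOutlook", "ExchangeServicesClient")

# Constructed Sysmon events as a JSON export would present them.
SAMPLE_PIPE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\srvsvc"},
    {"EventID": 17, "Image": r"C:\Users\jdoe\AppData\Roaming\Update\update.exe", "PipeName": r"\msgbus"},
    {"EventID": 18, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
# Constructed REG_MULTI_SZ contents of HKLM\...\Lsa\Notification Packages and
# Authenticode results for the matching DLLs (e.g. from Get-AuthenticodeSignature).
SAMPLE_LSA_PACKAGES = ["scecli", "winsyn"]
SAMPLE_SIGNATURE_OK = {"scecli": True, "winsyn": False}
# Constructed IIS W3C log excerpt from an Exchange front end; '+' stands for spaces.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2026-05-15 09:12:03 10.0.0.5 POST /EWS/Exchange.asmx DOMAIN\\jdoe 10.0.1.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328) 200
2026-05-15 09:12:40 10.0.0.5 POST /EWS/Exchange.asmx DOMAIN\\svc-backup 10.0.1.77 python-requests/2.31 200
2026-05-15 09:13:01 10.0.0.5 GET /owa/ DOMAIN\\jdoe 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def flag_pipe_events(events, baseline=PIPE_IMAGE_BASELINE):
    """(image, pipe) pairs for EID 17/18 events whose image is off-baseline."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (17, 18):
            continue
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image not in baseline:
            hits.append((image, ev.get("PipeName", "")))
    return hits


def flag_lsa_packages(packages, signature_ok, baseline=LSA_PACKAGE_BASELINE):
    """(package, reason) pairs for entries outside the baseline or not validly signed."""
    hits = []
    for name in packages:
        reasons = []
        if name.lower() not in baseline:
            reasons.append("not in baseline")
        if not signature_ok.get(name.lower(), False):
            reasons.append("unsigned or unverified")
        if reasons:
            hits.append((name, ", ".join(reasons)))
    return hits


def flag_ews_requests(log_text, markers=EWS_CLIENT_UA_MARKERS):
    """(user, client ip, user-agent) for EWS requests from non-mail-client agents."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith("/ews/"):
            continue
        ua = row.get("cs(User-Agent)", "").replace("+", " ")
        if not any(m in ua for m in markers):
            hits.append((row.get("cs-username", ""), row.get("c-ip", ""), ua))
    return hits


if __name__ == "__main__":
    print("pipes:", flag_pipe_events(SAMPLE_PIPE_EVENTS))
    print("lsa:", flag_lsa_packages(SAMPLE_LSA_PACKAGES, SAMPLE_SIGNATURE_OK))
    print("ews:", flag_ews_requests(SAMPLE_IIS_LOG))
```

The value of running these together is the posture point the brief makes: a Worker node generates no egress, so the pipe/IPC and LSA checks are the only host-side signal on most infected machines, while the EWS check catches the one Kernel node that does talk to the organisation's own Exchange servers. Script or service accounts that legitimately use the EWS Managed API will show up in `flag_ews_requests` until their user agents are added to the marker list; treat that tuning as part of building the baseline rather than as noise.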

UPDATE: TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

Audit Jenkins pipelines for Checkmarx AST plugin auto-update window 2026-05-09 → 2026-05-10 and treat any match as full secrets compromise

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

For every Jenkins controller running the Checkmarx Jenkins AST plugin: confirm installed plugin version; if 2026.5.09 was ever pulled (auto-update enabled, or manual install in window), declare a secrets-compromise incident, rotate every credential the runner could read (GitHub PATs, AWS / Azure / GCP access keys, Kubernetes service-account tokens, Docker registry credentials, SSH keys, Checkmarx One API tokens, and any LLM API keys exposed to CI), and audit any artefact built or deployed in the window. Pin the plugin to 2.0.13-829.vc72453fa_1c16 per Checkmarx's ongoing-security-updates page. Where the Jenkins platform supports it, migrate runners to OIDC-federated short-lived credentials so the next supply-chain compromise yields no usable secrets.
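The audit step above, and the "treat any match as full secrets compromise" rule from the 2026-05-12 item, as an added script that classifies a Jenkins controller. This is not Checkmarx's, Jenkins' or the brief's code. It assumes the plugin's Jenkins short name is checkmarx-ast-scanner (confirm in your plugin manager), reads either the JSON from the controller's /pluginManager/api/json?depth=1 endpoint or the MANIFEST.MF inside the installed .jpi (both constructed here), and takes the window as 2026-05-09 00:00 to the end of 2026-05-10 UTC; the version strings are the ones the brief gives.

```python
"""Audit a Jenkins controller for the backdoored Checkmarx AST plugin build.

Added example; not Checkmarx's, Jenkins' or the brief's code. Assumptions:
the plugin's Jenkins short name is taken as 'checkmarx-ast-scanner' (check it
in your plugin manager), the input is either the JSON from
/pluginManager/api/json?depth=1 or the MANIFEST.MF inside the installed .jpi
(both constructed below), and the window bounds are 2026-05-09 00:00 UTC up to
the end of 2026-05-10 UTC. The version strings come from the brief.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"  # assumed short name
MALICIOUS_VERSION = "2026.5.09"
SAFE_PINNED_VERSION = "2.0.13-829.vc72453fa_1c16"
WINDOW_START = datetime(2026, 5, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 11, tzinfo=timezone.utc)  # exclusive upper bound

# Constructed plugin-manager JSON and a constructed MANIFEST.MF excerpt.
SAMPLE_API_JSON = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1", "active": True},
    {"shortName": PLUGIN_SHORT_NAME, "version": MALICIOUS_VERSION, "active": True},
]})
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    f"Short-Name: {PLUGIN_SHORT_NAME}\n"
    f"Plugin-Version: {SAFE_PINNED_VERSION}\n"
)


def plugin_version_from_api(payload: str, short_name: str = PLUGIN_SHORT_NAME):
    """Installed version of the plugin from /pluginManager/api/json, or None."""
    for plugin in json.loads(payload).get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


def plugin_version_from_manifest(text: str):
    """Plugin-Version header from a .jpi MANIFEST.MF, or None."""
    for line in text.splitlines():
        if line.startswith("Plugin-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess(version, installed_at: str | None = None) -> str:
    """Classify the controller.

    installed_at is an ISO-8601 timestamp of the last change to the plugin
    file (e.g. the .jpi mtime); a naive timestamp is taken as UTC. A change
    inside the window counts as an incident even when the current version is
    safe, because the malicious build may have been pulled and later replaced;
    the brief says to treat any match as a full secrets compromise.
    """
    if version is None:
        return "NOT_INSTALLED"
    if version == MALICIOUS_VERSION:
        return "INCIDENT"
    if installed_at is not None:
        changed = datetime.fromisoformat(installed_at)
        if changed.tzinfo is None:
            changed = changed.replace(tzinfo=timezone.utc)
        if WINDOW_START <= changed < WINDOW_END:
            return "INCIDENT"
    if version == SAFE_PINNED_VERSION:
        return "OK_PINNED"
    return "REVIEW"  # neither known-bad nor the pinned build: confirm provenance


if __name__ == "__main__":
    v = plugin_version_from_api(SAMPLE_API_JSON)
    print(PLUGIN_SHORT_NAME, v, assess(v))
    m = plugin_version_from_manifest(SAMPLE_MANIFEST)
    print(PLUGIN_SHORT_NAME, m, assess(m, "2026-05-10T03:00:00+00:00"))
```

An INCIDENT verdict is the trigger for the rotation list in the item above (PATs, cloud access keys, Kubernetes service-account tokens, registry credentials, SSH keys, Checkmarx One and LLM API keys); a REVIEW verdict means the controller runs a version the brief does not name and its update history should be checked against the window before it is cleared.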