ctipilot.ch

Turla STOCKSTAY — four-component .NET backdoor (Kazuar lineage) for diplomatic intelligence collection

campaign · campaign:turla-stockstay

Coverage timeline: 1 (first 2026-06-27 → last 2026-06-27)
Briefs: 1 (1 distinct)
Sources cited: 20 (7 hosts)
Sections touched: 1 (deep_dive)
Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-06-27 · CTI Daily Brief — 2026-06-27 (deep_dive)
     First coverage. GTIG full analysis: MARKETMAKER/STOCKMARKET/STOCKBROKER/STOCKTRADER components, WM_COPYDATA IPC, RSA-4096 CryptoContainer C2 over Render/Glitch WebSockets, environmental keying, Kazuar/K1MORPHER code overlap. Targets Ukraine gov/mil + Italian foreign-policy EU entities. Delivery via WinRAR CVE-2025-8088. Deep dive § 5.

Where this entity is cited

  • deep_dive (1)

Source distribution

  • attack.mitre.org: 11 (55%)
  • thehackernews.com: 3 (15%)
  • welivesecurity.com: 2 (10%)
  • microsoft.com: 1 (5%)
  • cloud.google.com: 1 (5%)
  • sekoia.com: 1 (5%)
  • therecord.media: 1 (5%)

Related entities


Items in briefs about Turla STOCKSTAY — four-component .NET backdoor (Kazuar lineage) for diplomatic intelligence collection (2)

Secret Blizzard / Turla — Kazuar evolved into three-module P2P botnet, European government / diplomatic / defence sectors in scope

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Microsoft Threat Intelligence's 2026-05-14 deep-dive confirms Kazuar — long attributed to Secret Blizzard / Turla (FSB Centre 16; aliases VENOMOUS BEAR, Snake, Uroburos, Blue Python, ATG26) — has evolved from a classic C2 backdoor into a three-module P2P botnet: Kernel (coordinator node; maintains botnet state and runs the leadership election), Bridge (C2 relay proxy; communicates upstream via HTTP / WebSocket / Exchange Web Services so that Workers never contact C2 directly), and Worker (task executor; credential and file exfiltration). Leadership election minimises external traffic to reduce detection surface. Microsoft Threat Intelligence notes historically documented targeting of government and diplomatic organisations in Europe and Central Asia; historical infrastructure overlap with Aqua Blizzard (Storm-0861) is documented (Microsoft Security Blog; daily 2026-05-16).

No named European victims have been publicly disclosed. The outstanding defender question for Swiss / EU public-sector environments: which of your federal / cantonal Exchange installations could carry EWS traffic from Kazuar-class infections without alerting? Detection focus: anomalous cross-process IPC over Windows Mailslots and Windows Messaging from non-system processes toward system processes; EWS use from processes that are not mail clients, corroborated on Exchange hosts by unusual Kerberos activity (event IDs 4769 / 4771, service-ticket requests and pre-authentication failures); EWS enumeration by HTTP clients whose User-Agent is not a mail client; and outbound HTTPS / WSS concentrated on a few hosts (the Kernel role) while their peers stay silent, with a TLS client fingerprint that matches no sanctioned client.

Secret Blizzard (Turla / FSB Centre 16) evolves Kazuar into a three-module peer-to-peer botnet — worldwide ministries, embassies, defence sector targeted; European environments squarely in scope

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

Microsoft Threat Intelligence published on 2026-05-14 a detailed technical anatomy of the latest Kazuar implant generation, attributed to Secret Blizzard — the Russian state cluster CISA assesses as affiliated with Centre 16 of the FSB and previously tracked as Turla, Snake, Uroburos, Venomous Bear, and ATG26 (Microsoft Threat Intelligence, 2026-05-14 · The Hacker News, 2026-05-15). Kazuar has moved from a monolithic .NET backdoor into a three-module P2P ecosystem: Kernel (the single designated C2 relay per compromised environment, selected by a leadership-election algorithm that scores nodes on uptime divided by reboot count and confirms via Mailslot IPC), Bridge (relay nodes proxying between Kernel and the operator infrastructure), and Worker (leaf tasking nodes performing keylogging, screenshot capture, MAPI mailbox enumeration, file collection, and credential harvest). Inter-module IPC uses Windows Messaging and Mailslots; payload serialisation is Google Protocol Buffers. External C2 channels are HTTP, WebSocket Secure (WSS), and Exchange Web Services (EWS) — abusing the target's own mail infrastructure as a covert egress path. Configuration is unusually rich: ~150 distinct types across eight categories including AMSI / WLDP / ETW bypass switches, weekday-business-hours exfiltration windows (08:00–20:00 default), keylogger buffer sizes, and screenshot cadence. The Pelmeni dropper binds payloads to the target hostname via encryption keyed on the local machine name, preventing execution on analyst workstations. Microsoft documents that Secret Blizzard has been observed targeting systems in Ukraine previously compromised by Aqua Blizzard / Gamaredon — meaning any environment that has previously detected Gamaredon should treat Kazuar implant presence as a concurrent hypothesis (defender inference, not a Microsoft attribution claim). 
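The hostname-bound encryption described above is the reason a Pelmeni-delivered payload runs nowhere but on its intended victim and decrypts in no sandbox. The following is an added illustration of that environmental-keying pattern, not Pelmeni's own code (the brief does not name its cipher or key-derivation function); it uses a PBKDF2-derived key, a SHA-256 counter keystream and an HMAC tag purely because those are in the Python standard library, and the hostnames and payload bytes are constructed. The last function shows the analyst-side counter: with the victim's asset inventory in hand, try each hostname until the tag verifies.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Added example of environmental keying (execution guardrail): the payload key
# is derived from the victim's machine name, so the blob is only usable there.
# NOT Pelmeni's real scheme; a real implant would use AES rather than a
# hash-based stream cipher. All names and data below are constructed.

def derive_key(hostname: str, salt: bytes) -> bytes:
    # Normalise the way Windows reports the NetBIOS name (upper-case).
    return hashlib.pbkdf2_hmac("sha256", hostname.upper().encode(), salt, 50_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256 (stand-in for a block cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def seal(payload: bytes, hostname: str) -> bytes:
    """Dropper side: bind `payload` to `hostname`. Layout: salt|nonce|tag|ct."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(hostname, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return salt + nonce + tag + ct

def open_blob(blob: bytes, hostname: str) -> Optional[bytes]:
    """Implant side: returns the payload only if `hostname` is the keyed one."""
    salt, nonce, tag, ct = blob[:16], blob[16:28], blob[28:60], blob[60:]
    key = derive_key(hostname, salt)
    # Verify before decrypting: on the wrong host the implant would exit quietly.
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def recover_with_inventory(blob: bytes, candidate_hosts: List[str]) -> Optional[Tuple[str, bytes]]:
    """Analyst side: a sandbox never matches, so try hostnames from the
    victim's asset inventory until the tag verifies."""
    for host in candidate_hosts:
        plaintext = open_blob(blob, host)
        if plaintext is not None:
            return host, plaintext
    return None

if __name__ == "__main__":
    blob = seal(b"stage2-config", "MFA-WS-0412")            # constructed victim name
    print("sandbox:", open_blob(blob, "SANDBOX01"))           # None
    print("inventory:", recover_with_inventory(blob, ["DC01", "MFA-WS-0412"]))
```

Because the key is derived from the hostname rather than embedded, a captured blob is inert on a malware-analysis VM; the practical response is to collect the candidate hostname list from the incident scope (or rename the sandbox VM to the victim's name) before attempting dynamic analysis.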
MITRE ATT&CK: T1095 Non-Application Layer Protocol (Mailslot IPC), T1071.001 Web Protocols (HTTP/WSS C2), T1114.002 Email Collection: Remote Email Collection (EWS/MAPI), T1056.001 Keylogging, T1090.001 Internal Proxy, T1480.001 Execution Guardrails: Environmental Keying (hostname-bound encryption; the encrypted payload itself also falls under T1027 Obfuscated Files), T1562.001 Disable or Modify Tools (AMSI/WLDP/ETW).

Defender posture: rules looking for outbound beaconing on every infected host miss Kazuar by design, because only the Kernel node calls out. Hunt instead for local IPC objects created by non-standard processes (Sysmon EID 17/18 record named-pipe creation and connection; mailslot creation is not a Sysmon event and needs EDR or kernel object-handle telemetry), unsigned DLLs registered as LSA notification packages (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages), and programmatic EWS authentication from processes that are not mail clients against the organisation's own mail servers.
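Two of the hunts named in this item and in the W20 item above (EWS requests from clients that are not mail clients, and IPC objects created by processes outside the expected system paths) can be run directly over Exchange IIS logs and Sysmon pipe events. The script below is an added example, not tooling from Microsoft or the brief; the IIS lines and Sysmon events are constructed, the mail-client User-Agent allowlist is an assumption to tune per environment, and `ExchangeServicesClient/...` is the default User-Agent of the EWS Managed API, shown here as a programmatic client appearing beside Outlook on the same workstation rather than as an indicator of Kazuar.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (added example, not data from the brief).
# Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
IIS_LOG = """\
2026-05-14 09:12:03 10.0.5.21 POST /EWS/Exchange.asmx - 443 CORP\\jdoe 10.0.7.44 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17928) 200
2026-05-14 09:12:41 10.0.5.21 POST /EWS/Exchange.asmx - 443 CORP\\jdoe 10.0.7.44 ExchangeServicesClient/15.00.0913.015 200
2026-05-14 09:13:05 10.0.5.21 GET /owa/ - 443 CORP\\asmith 10.0.7.90 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 200
2026-05-14 09:14:22 10.0.5.21 POST /EWS/Exchange.asmx - 443 CORP\\asmith 10.0.7.90 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17928) 200
"""

# Constructed Sysmon pipe events (EID 17 = pipe created, EID 18 = pipe connected).
SYSMON_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 17, "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "PipeName": r"\pipe_a3f1"},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\ntsvcs"},
    {"EventID": 17, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "PipeName": r"\OfficeClientPipe"},
]

# Assumed allowlist of sanctioned mail-client User-Agents; tune per environment.
MAIL_CLIENT_UA = re.compile(r"^(Microsoft Office/|Outlook-iOS|Outlook-Android|MacOutlook/)")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}

def parse_iis(text: str) -> List[Dict[str, object]]:
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11:
            continue                      # skip headers / malformed lines
        rows.append({"time": f"{f[0]} {f[1]}", "method": f[3], "uri": f[4],
                     "user": f[7], "client_ip": f[8],
                     "ua": unquote_plus(f[9]), "status": int(f[10])})
    return rows

def ews_findings(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag EWS requests with a non-mail-client UA, and client IPs that present
    more than one EWS UA (a user workstation also running a programmatic client)."""
    findings, ua_by_ip = [], {}
    for r in rows:
        if not str(r["uri"]).lower().startswith("/ews/"):
            continue
        ua_by_ip.setdefault(r["client_ip"], set()).add(r["ua"])
        if not MAIL_CLIENT_UA.match(str(r["ua"])):
            findings.append({"rule": "non-mail-client-ua", "client_ip": r["client_ip"],
                             "user": r["user"], "detail": r["ua"]})
    for ip, uas in ua_by_ip.items():
        if len(uas) > 1:
            findings.append({"rule": "mixed-ews-ua", "client_ip": ip, "detail": sorted(uas)})
    return findings

def pipe_findings(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag named-pipe activity from images outside trusted install paths,
    noting when the file name masquerades as a Windows system binary."""
    out = []
    for e in events:
        if e["EventID"] not in (17, 18):
            continue
        img = str(e["Image"]).lower()
        if not img.startswith(TRUSTED_DIRS):
            out.append({"rule": "ipc-from-untrusted-path", "image": e["Image"],
                        "pipe": e["PipeName"],
                        "masquerade": img.rsplit("\\", 1)[-1] in SYSTEM_NAMES})
    return out

if __name__ == "__main__":
    for f in ews_findings(parse_iis(IIS_LOG)) + pipe_findings(SYSMON_EVENTS):
        print(f)
```

On the constructed data this yields three findings: jdoe's workstation 10.0.7.44 talks EWS both as Outlook and as a Managed-API client (two rules), and an `svchost.exe` living under a user's Temp directory creates a pipe. Neither rule needs beaconing from every host, which is the point the brief makes about the Kernel / Worker split: the Worker's footprint is local IPC and the organisation's own Exchange, not an outbound C2 connection.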