Command & Evade: Turla's Kazuar v3 Loader
Essential information
- Published: 15/01/2026 15:21
- Modified: 15/01/2026 15:40
- Tags: 2026-01-15, amsi bypass, etw bypass, evasion, in-memory execution, kazuar, loader, stealth
- Related entities: 15 observables, 1 intrusion set (APT), 6 techniques (MITRE), 1 malware, 6 others
Description
Turla's Kazuar v3 loader relies on several layered techniques to evade detection. The chain starts with a VBScript that drops files and launches a native loader; that loader bypasses host security controls and uses COM to keep a low profile. It combines control flow redirection, patchless ETW and AMSI bypasses, and COM integration to decrypt and execute three Kazuar v3 payloads (KERNEL, WORKER, BRIDGE) entirely in memory, so no decrypted payload is written to disk. The attack chain is built to be both resilient and stealthy, abusing trusted system processes so that its activity blends in with legitimate execution. The malware's modular architecture and its integration with the COM subsystem let it maintain that low profile while carrying out its malicious activities.