Kazuar: Anatomy of a nation-state botnet

Published 14/05/2026 22:10 · Modified 15/05/2026 19:14

Essential information

Published
14/05/2026 22:10
Modified
15/05/2026 19:14
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
c2 infrastructure, diplomatic targeting, espionage, kazuar, modular architecture, nation-state, peer-to-peer botnet, pelmeni, russia, fsb
Tags
2026-05-14, c2 infrastructure, diplomatic targeting, espionage, kazuar, modular architecture, nation-state, peer-to-peer botnet, pelmeni, russia, fsb
Related entities
4 indicators, 4 observables, 1 intrusion sets (apt), 24 techniques (mitre), 2 malware, 3 others

Description

Kazuar is a sophisticated malware family attributed to the Russian state actor Secret Blizzard. It has evolved from a traditional backdoor into a highly modular ecosystem comprising three distinct module types (Kernel, Bridge, and Worker) that distribute functionality across infected systems. A leadership election mechanism ensures that only one Kernel module communicates externally, reducing the opportunities for detection. The architecture supports flexible configuration with over 150 options, multiple C2 channels (including HTTP, WebSockets, and Exchange Web Services), and extensive data collection capabilities. Secret Blizzard primarily targets government, diplomatic, and defense organizations in Europe, Central Asia, and Ukraine in support of Russian foreign policy and military intelligence objectives. The botnet maintains persistent access through sophisticated IPC mechanisms, stages data exfiltration during working hours, and performs comprehensive anti-analysis checks.

External references