Researchers Uncover a New Version of Kazuar Backdoor | Cyware Hacker News

The Russian-linked Turla hacking group has been observed using a new version of Kazuar backdoor to expand its attacks. The new findings come from Palo Alto Networks Unit 42, which has been tracking the adversary under the name Pensive Ursa.

According to researchers, the malware has been spotted in the wild after years of hiatus and shows significant improvement in its code structure and functionality.

More about the new Kazuar variant

The new version of the Kazuar backdoor supports over 40 distinct commands, half of which are previously undocumented.

  • These commands can enable attackers to steal sensitive data from various browsers, take screenshots from victims’ systems, get system information, manipulate files, and execute VBScript and PowerShell scripts. 
  • Other notable features include robust code and string obfuscation techniques, a multithread model for enhanced performance, and a range of encryption schemes used during the transmission of pilfered data to C2 servers. 
  • It is, further, noted that the malware leverages a function called ‘named pipes’ to establish peer-to-peer communication between Kazuar instances.

A glance at recent attacks using Kazuar

Kazuar malware first appeared in 2017 and made its comeback in July as Ukraine-CERT shared details of a phishing campaign that used the backdoor along with the Capibar malware to target the Ukrainian military. In the campaign, Kazuar performed credential theft while Capibar was used for intelligence gathering.


The upgraded version of Kazuar reveals that Turla APT is making consistent efforts to operate in stealth mode and thwart analysis. As threat actor group expands their arsenal to launch high-profile attacks, with some of them recently launched against international government agencies, organizations must exercise caution in detecting and blocking threats targeting their critical assets and infrastructures.