Turla Updates Kazuar Backdoor with Advanced Anti-Analysis to Avoid Detection

Nov 01, 2023NewsroomCyber ​​Threat / Malware

Anti-Analysis to Avoid Detection

The Russian-linked hacking crew known as Turla Observed using an updated version of a known second stage backdoor called Kazuar.

The new findings come from Palo Alto Networks Unit 42, which tracks the enemy under its constellation-themed moniker. Ursa thought.

“As revealed in the code of the upgraded revision of Kazuar, the authors put special emphasis on Kazuar’s ability to operate stealthily, avoid detection and thwart detection efforts,” the security researchers Daniel Frank and Tom Fakterman SAYS in a technical report.

“They do this using various advanced anti-analysis methods and by protecting the malware code with effective encryption and obfuscation practices.”

Pensive Ursa, active since at least 2004, is dedicated to the Russian Federal Security Service (FSB). Earlier this July, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated the threat group in attacks targeting the defense sector in Ukraine and Eastern Europe with backdoors such as DeliveryCheck and Kazuar.


Kazuar is a .NET-based implant that first became known in 2017 for its abilities to secretly interact with compromised hosts and exfiltrate data. In January 2021, Kaspersky highlighted the source code overlap between the malware strain and Sunburst, another backdoor used in conjunction with the SolarWinds hack in 2020.

Kazuar’s developments show that the threat actor behind the operation continues to improve its attack methods and grow in sophistication, while expanding its ability to control victims’ systems. This includes the use of strong obfuscation and conventional string encryption methods to avoid detection.

“Kazuar operates in a multithreading model, while each of the main functions of Kazuar operates as its own thread,” the researchers explained.

Anti-Analysis to Avoid Detection

“In other words, a thread is in charge of receiving commands or tasks from it (command-and-control), while a solver thread is in charge of executing these commands. This multithreading model enables the Kazuar authored the construction of an asynchronous and modular flow control.”

The malware supports a wide range of features – jumping from 26 commands in 2017 to 45 in the latest variant – which facilitates comprehensive system profiling, data collection, credential theft, file manipulation , and arbitrary enforcement of the order.

It also includes capabilities to set up automatic tasks that run at specific intervals to collect system data, take screenshots, and extract files from particular folders. Communication with C2 servers takes place over HTTP.


“In addition to direct HTTP communication with C2, Kazuar has the ability to act as a proxy, to receive and send commands to other Kazuar agents in the infected network,” the researchers said.

“This proxy communication is done by named pipes, creating their names based on the machine’s GUID. Kazuar uses these pipes to establish peer-to-peer communication between different Kazuar instances, each configured as a server or client.”

In addition, extensive anti-analysis functionalities lend Kazuar a high level of stealth, ensuring that it remains idle and stops all C2 communications when it is being debugged or analyzed.

The development comes as Kaspersky Revelation that several Russian state and industrial organizations were targeted by a custom Go-based backdoor that carried out data theft as part of a spear-phishing campaign that began in June 2023. The threat actor behind the operation is currently unknown.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment