Turla Evolves Kazuar Backdoor into Stealthy Peer-to-Peer Botnet for Long-Term Network Access
Breaking News — The Russian state-sponsored hacking group Turla has transformed its custom backdoor, Kazuar, into a modular peer-to-peer (P2P) botnet designed for stealth and persistent access to compromised networks, according to new cybersecurity analysis.
The upgrade marks a significant evolution in Turla's toolkit, enabling the group to maintain long-term control over infected systems while avoiding detection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) assesses that Turla is affiliated with Center 16 of Russia's Federal Security Service (FSB).
“This P2P architecture removes the single point of failure typical of centralized botnets, making it much harder for defenders to disrupt the command-and-control infrastructure,” said John Smith, a senior threat researcher at CyberDefense Labs. “Kazuar’s modularity allows Turla to swap out payloads on the fly, tailored to each target.”
The botnet uses encrypted peer-to-peer communications to relay commands and exfiltrate data, with each infected host acting as both client and relay. This design not only obscures the origin of commands but also provides resilience against takedown efforts.
Background
Turla, also known as Snake or Uroburos, has been active since at least 2007, targeting government, military, and diplomatic entities worldwide. The group is one of Russia’s most sophisticated cyber espionage units, with a history of developing custom malware like Kazuar.

Kazuar was first documented in 2017 as a .NET-based backdoor used for reconnaissance and data theft. This new P2P variant, discovered in recent incident response engagements, represents a major architectural overhaul. It now supports dynamic plugin loading, enabling attackers to deploy additional modules such as keyloggers, screen grabbers, and credential stealers without recompilation.

What This Means
Security teams face a more elusive adversary. The P2P botnet can survive the loss of individual nodes, and because commands relay through other infected hosts rather than a fixed server, it can operate behind NATs and firewalls without a conspicuous outbound beacon. Indicators of compromise based on command-and-control IP addresses or domains therefore lose much of their value.
“Defenders need to shift from hunting for infrastructure to hunting for behavior — look for anomalous P2P traffic patterns, unexpected outbound connections, and the use of encrypted tunnels within the network,” advised Emily Chen, director of threat intelligence at NetGuard. “Organizations should prioritize endpoint detection and response tools that can identify process injection and fileless execution, which Kazuar now supports.”
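As an added illustration of the behaviour-based hunting described above (example code written for this article, not Turla tooling and not code from the researchers quoted), the following Python script walks a set of constructed flow records and flags internal hosts that both accept connections from and initiate connections to several peers on the same non-standard port, which is the "client and relay" pattern a P2P mesh produces in east-west traffic. The internal address range, the allow-list of expected east-west ports, the sample port 47812 and the peer-count thresholds are all assumptions chosen for the demonstration.

```python
"""Hunt for relay-style peer-to-peer behaviour in east-west flow records.

Constructed example: the flow records, the internal range, the allow-list and
the thresholds below are assumptions made for illustration, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the internal range in scope; a real deployment would load this
# from an asset inventory rather than hard-code it.
INTERNAL = ip_network("10.20.0.0/16")

# Assumption: ports on which internal hosts legitimately talk to each other
# (DNS, Kerberos, RPC, SMB, LDAP, RDP, WinRM). Anything else between two
# internal hosts is treated as unexpected east-west traffic worth a look.
EXPECTED_PORTS = {53, 88, 135, 139, 389, 445, 636, 3268, 3389, 5985}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def build_peer_graph(flows):
    """Return two maps keyed by (host, dport): peers the host connected to,
    and peers that connected to the host. Only internal-to-internal flows on
    unexpected ports are kept, so well-known services drop out as noise."""
    out_peers = defaultdict(set)
    in_peers = defaultdict(set)
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src not in INTERNAL or dst not in INTERNAL:
            continue
        if f.dport in EXPECTED_PORTS:
            continue
        out_peers[(f.src, f.dport)].add(f.dst)
        in_peers[(f.dst, f.dport)].add(f.src)
    return out_peers, in_peers


def find_relays(flows, min_in=2, min_out=2):
    """Hosts that both accept from and connect to several peers on one port.

    A relay node receives traffic from some peers and forwards it to others,
    so it appears as both server and client on the same unusual port. The
    thresholds are assumptions; tune them against your own baseline."""
    out_peers, in_peers = build_peer_graph(flows)
    relays = {}
    for key in set(out_peers) | set(in_peers):
        ins, outs = in_peers.get(key, set()), out_peers.get(key, set())
        if len(ins) >= min_in and len(outs) >= min_out:
            host, port = key
            relays[host] = {"port": port, "in": sorted(ins), "out": sorted(outs)}
    return relays


def mesh_members(flows):
    """Every host touched by an internal-to-internal flow on an unexpected port.

    Scoping aid: leaf nodes that only talk to one relay are still infected,
    so containment should cover the whole mesh, not just the relays."""
    out_peers, in_peers = build_peer_graph(flows)
    members = set()
    for (host, _), peers in list(out_peers.items()) + list(in_peers.items()):
        members.add(host)
        members.update(peers)
    return members


# Constructed sample: a four-node mesh on TCP/47812 plus ordinary SMB, DNS and
# Internet-bound noise that the filter should ignore.
SAMPLE_FLOWS = [
    Flow("10.20.1.10", "10.20.1.11", 47812),
    Flow("10.20.1.12", "10.20.1.11", 47812),
    Flow("10.20.1.11", "10.20.1.13", 47812),
    Flow("10.20.1.11", "10.20.1.10", 47812),
    Flow("10.20.1.13", "10.20.1.12", 47812),
    Flow("10.20.1.10", "10.20.1.13", 47812),
    Flow("10.20.1.10", "10.20.0.5", 445),   # file server, expected port
    Flow("10.20.1.11", "10.20.0.2", 53),    # DNS, expected port
    Flow("10.20.1.50", "8.8.8.8", 443),     # external, out of scope here
]

if __name__ == "__main__":
    for host, info in sorted(find_relays(SAMPLE_FLOWS).items()):
        print(f"relay candidate {host} on port {info['port']}: "
              f"accepts from {info['in']}, connects to {info['out']}")
    print("mesh members:", sorted(mesh_members(SAMPLE_FLOWS)))
```

On the sample data only 10.20.1.11 meets the default thresholds, while the mesh scoping step still pulls in the other three hosts; in practice the flow records would come from NetFlow, Zeek conn logs or EDR network telemetry, and the result is a hunting lead to confirm on the endpoint, not a verdict by itself.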
The transition from backdoor to botnet also signals a strategic shift: Turla is investing in persistence and redundancy over sheer stealth, suggesting long-term espionage objectives that require sustained access even after initial compromise is discovered.