The Russia-linked state-sponsored hacker group Turla has updated its second-stage backdoor referred to as Kazuar, according to the new findings from Palo Alto Networks’ Unit 42.

Kazuar is an advanced and stealthy .NET backdoor that Turla (aka Pensive Ursa, Uroburos) usually uses as a second-stage payload. In July 2023, Ukraine’s Computer Emergency Response Team revealed that the updated version of Kazuar was used in attacks targeting the defense industry in Ukraine and Eastern Europe.

”As the code of the upgraded revision of Kazuar reveals, the authors put special emphasis on Kazuar's ability to operate in stealth, evade detection and thwart analysis efforts. They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation practices," Palo Alto researchers said, adding that they had not seen new Kazuar samples in the wild since 2020, although reports suggested it had been under active development.

The most recent Kazuar variant comes with significant improvements to its code structure and functionality such as extensive data collection, the ability to steal credentials from the cloud and other sensitive apps, an extended set of commands (a total of 45 supported commands), enhanced task automation, implementation of different encryption algorithms and schemes, and multiple injection modes, allowing the malware to run from different processes and execute different features. Notably, this version only targets the Windows operating system.

Kazuar leverages multiple anti-analysis techniques based on a series of elaborate checks (honeypot, analysis tools and sandbox), to ensure it is not being analyzed. It is programmed to either continue if all goes well or to cease all C2 communication if it is being debugged or analyzed, the researchers said.

A more detailed technical analysis of the threat along with IoCs is available in Palo Alto’s report