Kazuar

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

Across incidents observed between February and June 2025, Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla’s Kazuar backdoor and, in at least one case, restore Turla’s access after the group appeared to have lost its foothold.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

A second method drops a lightweight .NET loader configured as a COM object, decrypting and executing the payload entirely in memory with almost no trace left on disk.

A second method drops a lightweight .NET loader configured as a COM object, decrypting and executing the payload entirely in memory with almost no trace left on disk. | The malware uses hidden Windows messaging, named pipes, Mailslots, and Google Protocol Buffers for structured internal routing

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

2020-05-21 ⋅ PICUS Security ⋅ T1055 Process Injection ... Kazuar

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

2020-05-21 ⋅ PICUS Security ⋅ T1055 Process Injection ... Kazuar

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The Kernel module serves as the central coordinator, managing tasks, updating configurations, and running anti-analysis checks including process inspection, canary file detection, and sandbox DLL verification.

decrypting and executing the payload entirely in memory with almost no trace left on disk

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Worker modules handle operational tasks including capturing keystrokes

...steal authentication tokens, cookies, and credentials from a wide variety of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook.

...steal authentication tokens, cookies, and credentials from a wide variety of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook.

...steal authentication tokens, cookies, and credentials from a wide variety of programs...

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The Kernel module serves as the central coordinator, managing tasks, updating configurations, and running anti-analysis checks including process inspection, canary file detection, and sandbox DLL verification.

...allows the threat actors to launch javascript on the device, steal data from event logs, steal information about systems files...

Worker modules handle operational tasks including capturing keystrokes

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

Worker modules handle operational tasks including capturing keystrokes, taking screenshots

Its configuration system now supports roughly 150 options covering transport selection, injection methods, keylogging, screenshot capture, and MAPI email monitoring.

All gathered information is encrypted and staged in a dedicated working directory before exfiltration.

MITRE ATT&CK techniques ... Command and Control ... T1071 Standard Application Layer Protocol ... The C&C URLs correspond to compromised legitimate websites for Turla to proxy commands and exfiltrate data to Turla backend infrastructure.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

MITRE ATT&CK techniques ... Command and Control ... T1090 Proxy ... The October sample likely acts as a transfer agent used to proxy commands from the remote Turla operators to the Kazuar instances on internal nodes in the network via an internet-facing shared network location.

MITRE ATT&CK techniques ... Command and Control T1102 ... Web Service ... Turla has relied on traditional C&C implementations, using compromised web servers as C&C, as well as utilizing legitimate web services like Pastebin.

To compromise the organization's network, the attackers used a combination of recently updated remote administration trojans (RATs) and remote procedure call (RPC)-based backdoors including HyperStack

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

the attackers used a combination of recently updated remote administration trojans (RATs) and remote procedure call (RPC)-based backdoors

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.