Turla Deploys Upgraded Kazuar v3 Loader Using COM, ETW, and AMSI Evasion
Researchers reported an upgraded Turla Kazuar v3 loader that uses advanced Windows-native evasion and execution techniques, including heavy use of Component Object Model (COM), patchless Event Tracing for Windows (ETW) manipulation, and AMSI bypass methods. The observed multi-stage chain begins with a VBScript (8RWRLT.vbs) that retrieves additional components from attacker infrastructure and stages multiple encrypted Kazuar payloads; analysis indicates the loader can embed execution logic into the Windows COM subsystem to blend into legitimate system activity and increase defender analysis time.
Technical reporting tied the activity to infrastructure and tradecraft consistent with prior reporting on Gamaredon–Turla operational overlap. The VBScript was observed downloading from https://185.126.255[.]132 and creating an HP-themed directory structure under %LOCALAPPDATA%\Programs\HP\..., then deploying a legitimate Hewlett-Packard installer alongside a malicious DLL for DLL sideloading, before decrypting and launching Kazuar payloads. The combination of COM-based execution, ETW/AMSI evasion, and staged encrypted payload delivery indicates a continued focus on stealthy post-compromise tooling rather than opportunistic commodity malware delivery.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Additional reporting highlights Kazuar v3 ETW and AMSI evasion
Subsequent reporting described the same Kazuar v3 loader as discovered in January 2026 and emphasized its use of hardware breakpoints, vectored exception handling, and NtContinue to bypass Windows ETW and AMSI without patching memory on disk. The coverage also noted the tradecraft’s consistency with prior reporting on Turla collaboration patterns.
Researcher publishes technical analysis and detection details
On January 14, 2026, security researcher Dominik Reichel published a reverse-engineering analysis of Turla’s Kazuar v3 loader, detailing its COM-based execution, DLL sideloading, and patchless ETW and AMSI bypasses. The report also released technical indicators including hashes, paths, registry keys, C2 URLs, and YARA rules.
Turla deploys updated Kazuar v3 loader campaign
Turla operated a multi-stage Kazuar v3 infection chain that began with a VBScript downloader, fetched components from command-and-control infrastructure, and used DLL sideloading via a legitimate HP installer to launch the malware. The campaign established persistence, performed host reconnaissance, and executed Kazuar modules through COM surrogate processes for stealth.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Turla Deploys STOCKSTAY Backdoor Against Ukrainian and Foreign Policy Targets
Google Threat Intelligence Group reported that the Russia-linked **Turla** espionage group has been using a multi-component `.NET` backdoor called **STOCKSTAY** since at least December 2022 to target Ukrainian government and military organizations, as well as entities involved in Italian foreign policy. The malware supports command execution, file theft, registry changes, screen capture, and host reconnaissance, and uses separate modules for orchestration and WebSocket-based command-and-control tunneling. Researchers said STOCKSTAY shares architectural and code similarities with Turla’s **KAZUAR** toolkit, including the `K1MORPHER` obfuscation mechanism and environmental keying, indicating the tool is part of Turla’s broader intelligence-gathering arsenal. The campaign used multiple delivery methods, including malicious **RDP** files, **HTA** files, **MSI** installers, and exploitation of WinRAR path traversal flaw `CVE-2025-8088`, often paired with academic, diplomatic, or military-themed lures. Google also observed Turla relying on compromised Ukrainian infrastructure, GitHub repositories, and cloud hosting services such as **Render** and **Glitch** to stage payloads and run command-and-control infrastructure. The company assessed that STOCKSTAY remains under active development alongside KAZUAR and is used both for initial access and as a persistence or fallback capability during espionage operations.
Jun 29, 2026
UAC-0184 Expands HTA Loader With Bitdefender and Plane9 Sideload Chains
Researchers reported that **UAC-0184**—also tracked as **UNC5435** and **MB-0007**—is using spearphishing **LNK** files with Ukraine- and Cyrillic-themed lures to launch a multi-stage malware chain against Ukrainian targets. The lures invoke **`bitsadmin`** and **`mshta`** to retrieve HTA payloads from disposable infrastructure hosted on **Cloudflare Pages**, **Netlify**, and novelty TLDs, then fetch **`dctrprraclus.zip`**. The HTA stager hides malicious logic behind decoy HTML padding and embedded VBScript, which starts PowerShell to decrypt an **AES-256-CBC** base64 blob using a co-located 32-byte ASCII key and a null IV, decompress the result with gzip, and reflectively load a .NET assembly; researchers said the actor's per-sample key rotation offers little protection because the key is shipped with the ciphertext. The intrusion set now includes two signed third-party sideloading paths for the same payload family. One chain abuses legitimate **Plane9** components, progressing through **`Cluster-Overlay64.exe`**, **`Plane9Engine.dll`**, **`openvr_api.dll`**, **`kernel-diag.lib`**, and a decoded **`evr.dll`** stage that extracts **`filter.bin`**, whose pseudo-PNG **IDAT** data is XOR-decoded and **LZNT1**-decompressed into a final bundle. A parallel path uses the signed **Bitdefender Endpoint Security** deployer **`bddeploy.exe`** to sideload a malicious **`deploy.dll`** via DLL search order hijacking. The final stages include signed utilities such as Microsoft-signed **`VSLauncher.exe`** and a PassMark-derived **`input.dll`** believed to provide covert networking and possible process-dump capability, while telemetry tied to **trojan.leopard/bitsuh** and multicast or TCP traffic on **port 31339** has emerged as a consistent hunting lead.
Jun 29, 2026
Multi-stage loaders use DLL sideloading and signed binaries to hide final payloads
Researchers detailed two separate malware chains that rely on deeply layered staging, DLL sideloading, and trusted signed software to conceal execution. One campaign, dubbed **Eimeria**, starts from a `RAR5` archive containing the signed `dsclock.exe`, a malicious `zlibwapi.dll`, and an encrypted payload that decrypts into an IExpress package and then an AutoIt-based RunPE loader. The chain restores `ntdll.dll` to evade EDR hooks, decrypts later stages with `AES-128-CBC`, `RC4`, and `LZNT1`, hollows `explorer.exe`, `svchost.exe`, or `taskhostw.exe`, and injects a small .NET RAT that beacons over WebSocket to `94.26.90.139:3006`. It also sets persistence through a Run key and scheduled task and uses delays, sleep checks, and CPU and memory stress tests to frustrate analysis. A second intrusion set tied to **UAC-0184 / MB-0007** used Ukraine-themed lures and messenger delivery to target Ukrainian Defense Forces personnel, beginning with `LNK` files that called `bitsadmin` to fetch `HTA` content from `169.40.135.35` for execution via `mshta`. The downloaded archive abused legitimate Plane9 components for sideloading through `Cluster-Overlay64.exe`, `Plane9Engine.dll`, and `openvr_api.dll`, then decoded `kernel-diag.lib` into `evr.dll` and unpacked `filter.bin` by rebuilding `IDAT` chunks, XOR-decoding with key `0x227E9BDE`, and decompressing with `LZNT1`. The final bundle included signed utilities such as Microsoft-signed `VSLauncher.exe` and a renamed PassMark Endpoint DLL, indicating the actor likely repurposed a signed network stack and dump-capable tooling for covert internal communications, with controller details possibly discovered dynamically over multicast `224.0.0.255:31339` and TCP `31339` rather than a fixed external C2.
Jun 29, 2026