Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service
The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine.
The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically selected" systems associated with the Ukrainian military between March and April 2024.
The activity is assessed to be the second time since 2022 that Secret Blizzard, also known as Turla, has latched onto a cybercrime campaign to propagate its own tools in Ukraine.
"Commandeering other threat actors' access highlights Secret Blizzard's approach to diversifying its attack vectors," the company said in a report shared with The Hacker News.
Some of the other known methods employed by the hacking crew include adversary-in-the-middle (AitM) campaigns, strategic web compromises (aka watering hole attacks), and spear-phishing.
Secret Blizzard has a track record of targeting various sectors to facilitate long-term covert access for intelligence collection, but their primary focus is on ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies across the world.
The latest report comes a week after the tech giant, along with Lumen Technologies Black Lotus Labs, revealed Turla's hijacking of 33 command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to carry out its own operations.
The attacks targeting Ukrainian entities entail commandeering Amadey bots to deploy a backdoor known as Tavdig, which is then used to install an updated version of Kazuar, which was documented by Palo Alto Networks Unit 42 in November 2023.
The cybercriminal activity tied to Amadey, which often includes the execution of the XMRig cryptocurrency miner, is being tracked by Microsoft under the moniker Storm-1919.
It's believed that Secret Blizzard either used the Amadey malware-as-a-service (MaaS) or accessed the Amadey command-and-control (C2) panels stealthily to download a PowerShell dropper on target devices. The dropper comprises a Base64-encoded Amadey payload that's appended by a code segment, which calls back to a Turla C2 server.
"The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not directly in control of the C2 mechanism used by the Amadey bot," Microsoft said.
The next phase involves downloading a bespoke reconnaissance tool with an aim to collect details about the victim device and likely check if Microsoft Defender was enabled, ultimately enabling the threat actor to zero in on systems that are of further interest.
At this stage, the attack proceeds to deploy a PowerShell dropper containing the Tavdig backdoor and a legitimate Symantec binary that's susceptible to DLL side-loading. Tavdig, for its part, is used to conduct additional reconnaissance and launch KazuarV2.
Microsoft said it also detected the threat actor repurposing COOKBOX, a PowerShell backdoor tied to a different Russia-based hacking group called Flying Yeti (aka Storm-1837 and UAC-0149), to deploy a PowerShell dropper that embeds Tavdig.
Investigation into how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools is presently ongoing, the tech giant noted.
Needless to say, the findings once again highlight the threat actor's repeated pursuit of footholds provided by other parties, either by purchasing the access or stealing them, to conduct espionage campaigns in a manner that obscures its own presence.
"It is not uncommon for actors to use the same tactics or tools, although we rarely see evidence of them compromising and using other actors' infrastructure," Sherrod DeGrippo, director of Threat Intelligence Strategy at Microsoft, told The Hacker News.
"Most state-sponsored threat actors have operational objectives that rely on dedicated or carefully compromised infrastructure to retain the integrity of their operation. This is potentially an effective obfuscation technique to frustrate threat intelligence analysts and make attribution to the correct threat actor more difficult."
Lynx ransomware behind Electrica energy supplier cyberattack
Microsoft lifts Windows 11 24H2 block on PCs with USB scanners
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
Free online web security scanner
