{
	"id": "57578f2c-070a-4575-addb-8680bf3b5b39",
	"created_at": "2026-04-06T00:10:40.259057Z",
	"updated_at": "2026-04-10T03:33:35.618607Z",
	"deleted_at": null,
	"sha1_hash": "ae3912c9227757b308ec5fc571a3c347201cb0a7",
	"title": "Kazuar: Multiplatform Espionage Backdoor with API Access",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3451270,
	"plain_text": "Kazuar: Multiplatform Espionage Backdoor with API Access\r\nBy Brandon Levene, Robert Falcone, Tyler Halfpop\r\nPublished: 2017-05-03 · Archived: 2026-04-05 21:14:39 UTC\r\nUnit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by\r\nthe name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to\r\ncompromised systems targeted by its operator. Kazuar includes a highly functional command set, including the ability\r\nto remotely load additional plugins to increase the Trojan’s capabilities. During our analysis of this malware we uncovered\r\ninteresting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we\r\ndiscovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API)\r\nto a built-in webserver.\r\nWe suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have\r\nbeen reported to have compromised embassies, defense contractors, educational institutions, and research organizations\r\nacross the globe. A hallmark of Turla operations is the iteration of their tools, and the code lineage in Kazuar can be traced back to\r\nat least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a\r\nreplacement for Carbon and its derivatives. Of the myriad tools observed in use by Turla, Carbon and its variants were\r\ntypically deployed as a second-stage backdoor within targeted environments, and we believe Kazuar may now hold a similar\r\nrole for Turla operations.\r\nThe Kazuar Malware\r\nKazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open-source packer called\r\nConfuserEx. 
We used a combination of tools such as NoFuserEx, ConfuserEx Fixer, ConfuserEx Switch Killer, and de4dot\r\nin order to deobfuscate the code for in-depth analysis. We then used dnSpy to export the code to a Microsoft Visual Studio\r\nproject, so that we could rename the random method names to better understand the flow of the code. We will describe how\r\nKazuar works and what capabilities it offers threat actors.\r\nInitialization\r\nThe malware initializes by gathering system and malware filename information and creates a mutex to make sure only one\r\ninstance of the Trojan executes on the system at a time. Kazuar generates its mutex through a process that begins by\r\nobtaining the MD5 hash of the string “[username]=\u003esingleton-instance-mutex”. The Trojan then encrypts this MD5 hash\r\nusing an XOR algorithm with the serial number of the storage volume as the key. Kazuar uses the resulting ciphertext to generate a\r\nGUID that it appends to the string “Global\\\\” to create the mutex.\r\nAn interesting artifact that we found within the mutex creation process is that if the code cannot obtain the system’s storage\r\nserial number, it will use a static integer of 16456730 as the key to encrypt the MD5 hash. The hexadecimal representation of\r\n16456730 is 0xFB1C1A, which appears to have been included by the malware author as a potential reference to the United States’\r\nFBI and CIA organizations.\r\nThe Trojan then creates a set of folders on the system to store various files created during its execution. Kazuar creates its\r\nfolders using group names, which logically organize the files contained within each folder. 
Table 1 shows the folder layout:\r\nFolder Group | Files Description\r\nbase | Parent folder that contains the folder groups below\r\nsys | Files that Kazuar uses for configuration settings, such as the ‘serv’ item that stores the C2 server locations\r\nlog | Files contain debug messages\r\nplg | Files are plugins used to extend the functionality of Kazuar\r\ntsk | Files that Kazuar will process as commands and their arguments\r\nres | Files contain the results of the successfully processed tasks\r\nTable 1 Kazuar's folder group names and the files stored within\r\nThe Trojan uses a similar process to create these folder and file names as it uses to generate its mutex: it generates an MD5\r\nhash of the name, XORs each byte with the volume serial number as the key and generates a GUID based on the\r\nciphertext. The resulting GUIDs are used as file and folder names, which are combined with the local system path to the\r\n%LOCALAPPDATA% folder to create Kazuar’s folders.\r\nhttps://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/\r\nPage 1 of 14\n\nThroughout its code, Kazuar verbosely logs its activities by writing debug messages to log files stored within the “log”\r\nfolder. Kazuar encrypts the debug messages saved in these log files using the Rijndael cipher. We decrypted the initial entry\r\nthat was added to the log files during the execution of the Trojan. This entry reveals the following information:\r\nmalware_file_name[2720]: Kazuar's entry point started in process malware_file_name [2720] as user USERNAME\r\nThe log message above shows that the malware author refers to the Trojan as “Kazuar”. 
Interestingly, the word “Kazuar”\r\nappears in several languages, such as Polish, Hungarian and Slovenian, and is the ASCII form of the Russian word “казуар”.\r\nBoth “Kazuar” and казуар translate to Cassowary, which is a large flightless bird native to New Guinea and Australia,\r\nas shown in Figure 1.\r\nFigure 1. Cassowary (Source: Wikicommons)\r\nAfter initial setup, the method at the main entry point of the malware, as seen in Figure 2, may follow one of four main paths\r\nof execution. The main entry point contains a relatively simple set of if statements that determine the execution path of the\r\nmalware. Interestingly, one of the paths appears to be for execution on a Mac or Unix host.\r\nFigure 2. Main entry point shows if statements that control the flow of execution\r\nThe four possible paths of execution taken by Kazuar’s main entry point are as follows:\r\n1. If the malware was executed with the \"install\" command-line argument, it uses the .NET Framework’s InstallHelper\r\nmethod to install itself as a service.\r\n2. If the malware is started in a non-user-interactive environment (no user interface), the malware installs itself as a\r\nservice.\r\n3. If no arguments are provided and the malware determines it is running in a Windows environment, it saves a DLL to\r\nthe system that it injects into the explorer.exe process. The injected DLL loads the malware’s executable\r\nand runs it within the memory of the explorer.exe process.\r\n4. 
If the malware was executed with the “single” command-line argument or the malware determines it is running in a\r\nMac or Unix environment, it runs the method containing Kazuar’s functional code and will limit certain Windows-specific\r\nfunctionality if a Mac or Unix environment is detected.\r\nThe flow of execution is carefully guided by its operating environment, which is determined using the .NET Framework\r\nEnvironment.OSVersion.Platform.PlatformID enumeration, as seen in the function in Figure 3 that is responsible for\r\ngathering system-specific information. Interestingly, we see a specific Boolean variable for a PlatformID value of Unix that\r\nsuggests that Kazuar might be used against Mac or Unix targets that return True for that API.\r\nFigure 3. The getsysinfo() function provides various environment enumeration capabilities for Kazuar.\r\nAfter enumerating the operating environment, Kazuar will attempt to establish persistent access to the system. Kazuar uses\r\nthe method displayed in Figure 4 within its Autorun class to set up persistence on Windows systems, which has multiple\r\noptions including:\r\n1. Adding a shortcut (.lnk file) to the Windows startup folder\r\n2. Adding a sub-key to the following paths in the current user (HKCU) hive:\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load\r\nFigure 4. 
Kazuar’s Autorun class is a Windows-specific method that contains multiple options for persistence using the\r\nstartup folder and registry.\r\nCommand and Control (C2)\r\nThe Kazuar Trojan initially relies on its command and control channel to allow actors to interact with the compromised\r\nsystem and to exfiltrate data. Kazuar has the capability to use multiple protocols, such as HTTP, HTTPS, FTP or FTPS,\r\ndetermined by the prefixes of the hardcoded C2 URLs. So far, we have only observed HTTP used as the C2 protocol in our\r\nsample set. All of the known Kazuar C2 servers appear to be compromised WordPress blogs, suggesting that the threat group\r\nusing Kazuar in attacks also locates and exploits vulnerable WordPress sites as part of their playbook.\r\nTo interact with its C2 server, Kazuar begins its communication by creating an HTTP GET request to use as a beacon. The\r\nbeacon, generated by the code seen in Figure 5, contains a cookie that has an “AuthToken” value that is a base64-encoded\r\nGUID used to uniquely identify the compromised system. Kazuar refers to this GUID as an “agent” identifier.\r\nFigure 5. The createGET and getWebRequest classes define the construction of the HTTP request used for command and\r\ncontrol communication.\r\nDuring our analysis, we observed the beacon seen in Figure 6 sent via HTTP from a Kazuar sample to its C2 server. The\r\ninitial HTTP beacon shows the base64-encoded AuthToken value within the Cookie field that we believe the C2 server uses\r\nto uniquely identify and track individual compromised hosts.\r\nFigure 6. Wireshark snippet of a fully constructed HTTP GET request which shows the base64-encoded GUID within the\r\nCookie header.\r\nKazuar will read the response from the C2 server and attempt to parse the response as XML-formatted data. 
The XML-formatted\r\ndata will contain what Kazuar refers to as a “task”, which comprises an action identifier and specific\r\narguments for each action. Figure 7 below shows the code responsible for receiving the response to the HTTP request and\r\nusing a long integer stored in the “num” variable as the action identifier.\r\nFigure 7. The response parser listens for new tasks to be received from the command and control server.\r\nThe action identifier is directly related to the command which the actor wishes to run on the compromised system.\r\nSurprisingly, Kazuar also contains methods for each command to equate the action identifier to a string that describes the\r\ncommand, which makes determining the purpose of each command much easier. Table 2 shows a list of available commands\r\nwithin Kazuar, specifically each action identifier, command string and a description.\r\nAction ID | Command | Description\r\n1 | log | Logs a specified debug message\r\n2 | get | Uploads files from a specified directory. It appears the actor can specify which files to upload based on their modified, accessed and created timestamps as well.\r\n3 | put | Writes provided data (referred to as ‘payload’) to a specified file on the system.\r\n4 | cmd | Executes a specified command and writes the output to a temporary file. The temporary file is uploaded to the C2 server.\r\n5 | sleep | Trojan sleeps for a specified time\r\n6 | upgrade | Upgrades the Trojan by changing the current executable’s file extension to “.old” and writing a newly provided executable in its place\r\n7 | scrshot | Takes a screenshot of the entire visible screen. The screenshot is saved to a specified filename or using a filename with the following format: [year]-[month]-[day]-[hour]-[minute]-[second]-[millisecond].jpg. 
The file is uploaded to the C2 server.\r\n8 | camshot | Creates a window called “WebCapt” to capture an image from an attached webcam, which it copies to the clipboard and writes to a specified file or a file following the same format from the “scrshot” command. The file is uploaded to the C2 server.\r\n9 | uuid | Sets the unique agent identifier by providing a specific GUID\r\n10 | interval | Sets the transport intervals, specifically the minimum and maximum time intervals between C2 communications.\r\n11 | server | Sets the C2 servers by providing a list of URLs\r\n12 | transport | Sets the transport processes by providing a list of processes that Kazuar will inject its code into and execute within.\r\n13 | autorun | Sets the autorun type as discussed earlier in this blog. Kazuar will accept the following strings for this command: DISABLED, WINLOGON, POLICIES, HKCURUN, RUNONCE, LOADKEY, STARTUP\r\n14 | remote | Sets a remote type. We are only aware of one remote type, which instructs Kazuar to act as an HTTP server and allow the threat actor to interact with the compromised system via inbound HTTP requests.\r\n15 | info | Gathers system information, specifically information referred to as: Agent information, System information, User information, Local groups and members, Installed software, Special folders, Environment variables, Network adapters, Active network connections, Logical drives, Running processes and Opened windows\r\n16 | copy | Copies a specified file to a specified location. Also allows the C2 to supply a flag to overwrite the destination file if it already exists.\r\n17 | move | Moves a specified file to a specified location. Also allows the C2 to supply a flag to delete the destination file if it exists.\r\n18 | remove | Deletes a specified file. 
Allows the C2 to supply a flag to securely delete a file by overwriting the file with random data before deleting the file.\r\n19 | finddir | Finds a specified directory and lists its files, including the created and modified timestamps, the size and file path for each of the files within the directory.\r\n20 | kill | Kills a process by name or by process identifier (PID)\r\n21 | tasklist | Lists running processes. Uses a WMI query of “select * from Win32_Process” for a Windows system, but can also run “ps -eo comm,pid,ppid,user,start,tty,args” to obtain running processes from a Unix system.\r\n22 | suicide | We believe this command is meant to uninstall the Trojan, but it is not currently implemented in the known samples.\r\n23 | plugin | Installs a plugin by loading a provided Assembly, saving it to a file whose name is the MD5 hash of the Assembly’s name and calling a method called “Start”.\r\n24 | plugout | Removes a plugin based on the Assembly’s name.\r\n25 | pluglist | Gets a list of plugins and whether they are “working” or “stopped”\r\n26 | run | Runs a specified executable with supplied arguments and saves its output to a temporary file. The temporary file is uploaded to the C2 server.\r\nTable 2 Kazuar's command handler, including action identifier, command string and description\r\nCapabilities\r\nAs can be seen from Table 2 above, Kazuar has an extensive command set, many of whose commands are similar in functionality to those of\r\nother backdoor Trojans. However, a few commands specific to Kazuar appear to be unique and are worth further discussion.\r\nFirst, several of these commands contain checks to determine the environment in order to use appropriate paths or\r\ncommands. The ‘tasklist’ command will use a WMI query or the “ps” command, which allows Kazuar to obtain running\r\nprocesses from both Windows and Unix systems. Also, Kazuar’s ‘cmd’ command will run commands using “cmd.exe” for\r\nWindows systems and “/bin/bash” for Unix systems. 
These two commands provide evidence that the authors of Kazuar\r\nintended to use this malware as a cross-platform tool to target both Windows and Unix systems.\r\nKazuar contains three commands related to plugins: plugin, plugout and pluglist. These three commands allow an actor to\r\nadminister a framework through which Kazuar loads additional plugins. This plugin framework provides Kazuar potentially\r\nendless functionality, as its operators can provide additional .NET applications that Kazuar can load and execute.\r\nKazuar’s Remote API\r\nWhile many backdoor Trojans have extensive command handlers and plugin frameworks, Kazuar’s ‘remote’ command\r\nprovides functionality that is rarely seen in backdoors used in espionage campaigns. This command instructs the Trojan to\r\nstart a thread to listen for inbound HTTP requests, which effectively turns Kazuar into a webserver. This functionality\r\nprovides an API for the Trojan to run commands on the compromised system. Figure 8 shows the code within Kazuar that\r\nprovides this functionality.\r\nFigure 8. HTTP method handler used by Kazuar to provide threat actors with API access\r\nTo initiate this functionality, the actor will issue the ‘remote’ command and provide a list of URI prefixes that Kazuar's\r\nHTTP listener will process and respond to. The URI prefix supplied by the actor would be added to the “Prefixes” property\r\nof the HttpListener class, which requires a scheme, a host, an optional port and an optional path. The actor would then issue\r\nHTTP requests to URLs that match these URI prefixes using the OPTIONS, POST, GET and PUT\r\nmethods to interact with the compromised system using Kazuar’s command set, as described in Table 3.\r\nThis functionality flips the communication flow between the Trojan and the C2 server. 
Instead of the Trojan initiating\r\ncommunications with its C2 server, the C2 server sends requests directly to the Trojan. This communication flow is\r\nimportant if the compromised system is a remotely accessible server that may raise flags when initiating outbound requests.\r\nAlso, by creating this type of API access, the threat actors could use one accessible server as a single point to dump data to\r\nand exfiltrate data from.\r\nHTTP Method | Description of Functionality\r\nOPTIONS | No functionality, just responds with an HTTP “OK” status\r\nPOST | Actor provides XML-formatted data that Kazuar will use to create a new task. Uses the exact same method (‘readResponse0’ seen in Figure 7) to parse the XML data as is used for the initial C2 communications channel discussed earlier. Kazuar writes the results of the task to a log file that it references as “res” within a folder referenced as “tsk”.\r\nGET | Provides the contents of the results of the previous task created via the HTTP POST request, which are stored in the “res” file.\r\nPUT | Actor provides XML-formatted data that Kazuar will use to create a new task. This method is similar to the POST method; however, instead of saving the results of the command to a “res” file, it responds to the HTTP PUT request with the results of the command.\r\nTable 3 HTTP methods and the functionality they provide in Kazuar's API\r\nConclusion\r\nWhile yet another fully featured backdoor alone is not particularly novel, the existence of a code path for Unix, combined\r\nwith the portability of .NET Framework code, makes the Kazuar Trojan an interesting tool to keep an eye on. Another\r\ninteresting portion of this malware is its remote API that allows actors to issue commands to the compromised system via\r\ninbound HTTP requests. Based on our analysis, we believe that threat actors may compile Windows- and Unix-based\r\npayloads using the same code to deploy Kazuar against both platforms. 
Palo Alto Networks AutoFocus subscribers can\r\nexplore additional samples using the Kazuar AutoFocus tag.\r\nRelated Indicators and Identifying Information\r\nHashes\r\n8490daab736aa638b500b27c962a8250bbb8615ae1c68ef77494875ac9d2ada2\r\nb51105c56d1bf8f98b7e924aa5caded8322d037745a128781fa0bc23841d1e70\r\nbf6f30673cf771d52d589865675a293dc5c3668a956d0c2fc0d9403424d429b2\r\ncd4c2e85213c96f79ddda564242efec3b970eded8c59f1f6f4d9a420eb8f1858\r\nURLs\r\nhttp://gaismustudija[.]lv/wp-includes/pomo/kontakti.php\r\nhttp://hcdh-tunisie[.]org/wp-includes/SimplePie/gzencode.php\r\nhttp://www.gallen[.]fi/wp-content/gallery/\r\nFile Activity\r\n%LOCALAPPDATA%\\/[a-f0-9]{32}\\/[a-f0-9]{32}\\.dll\r\n%LOCALAPPDATA%\\/[a-f0-9]{32}\\/[a-f0-9]{32}/\r\n%USERPROFILE%\\Start Menu\\Programs\\Startup\\*.lnk\r\nRSA Keys\r\n\u003cRSAKeyValue\u003e\r\n\u003cModulus\u003egSI+OxtBrfXVfSRRSlNIMVYr9HFy40jokIDkUqffhU7Y/VcFB1nc8GwT4GOjK6lR/mJi3XcGg+nxqR9iLoeoOLgBFFz9O1l++81tPtRaVZ8\r\n\u003c/Modulus\u003e\u003cExponent\u003eEQ==\u003c/Exponent\u003e\r\n\u003cP\u003ehGjs2pEZW4pN2b0Bm9xl84zxqQ2BMSflj2xpf5MH+XvCY5BBN3YROm24LYtGwy3xOdKeUJOENvYbkvirBcm2ecRxmLgE5AMMeWxZpOayU\r\n\u003c/P\u003e\r\n\u003cQ\u003e+ap/8gRvidWrAhZcAiCAYdFZIt6hSwBz5ohU5ZSPomv9e/Urtts8cin+QeBvDwF6UvyP1vz3wxUOXycaBI3StCMjCXHuBLN+wfpEhfdt6KKywsm\r\n\u003c/Q\u003e\r\n\u003cDP\u003eD5PfoT4/N/InRsrxIWU5K7Y6jFvxFNeEaznuSz55aKUl7ZiAJKR6f1gzyR9xvJv+Qwm4RbcAfu/HAjtfahe7HWJnt50twHjUSoU3uQwU+q964O0w\r\n\u003c/DP\u003e\r\n\u003cDQ\u003evuvLQJn68O6v8omRp0YH0lTLsUDVsdMrdA3mkXGbA7v+E38/i9TT3tTRfaugOKbG9CqMHN+QSeLs31oi9Gxz8yntnc+X5XozwYMlV2Lbk8\r\n\u003c/DQ\u003e\r\n\u003cInverseQ\u003ecfVixwsMog8F8CDikcYKNmUGNJPeJ4grdJi4ZIMX5mSuhdvSccTnx7JoCMJ2LKwFLyMnmZIIeYF4EYBgwHz6rumL8Zam6Zr04uIpxWL\r\n\u003c/InverseQ\u003e\r\n\u003cD\u003ePMTR/bJ5Qs4KHMXL5r3Hnr8jvlOBW+YTFtM+RQO0evftpGUviv0crWAJWok9ujGP/z1bs4NOXDHbImkfJPSLZfw8vknglGZZ3+gzaNxmvuGBL\r\n\u003c/D\u003e\u003c/RSAKeyValue\u003e\r\n\u003cRSAKeyValue\u003e\r\n\u003cModulus\u003em4SbvlZhH5UzcgDLIEIygjTC
CQMxc/TrwUYZ5JA5SU2jtSBt9aqwljKJ7h4Tv5eP2Efy4Z+2QajDNtOThift4nVTWsl+iOoMKKV6pvQOFj6\r\n\u003c/Modulus\u003e\u003cExponent\u003eEQ==\u003c/Exponent\u003e\u003c/RSAKeyValue\u003e\r\nDecrypted Log and Error Messages\r\n'{0}' autorun algorithm is not supported!\r\n'{0}' request method isn't supported.\r\nAccessed date mismatch in get command!\r\nAccessed date mismatch in list command!\r\nAction with identifier {0} is not implemented.\r\nAutorun command requeres autorun type to be set!\r\nAutorun failed due to {0}\r\nCmd command requires actual commands list!\r\nCommiting suicide...\r\nControl server address '{0}' is invalid.\r\nCopy command requires destination path!\r\nCopy command requires source path!\r\nCopying file from {0} to {1}...\r\nCreated date mismatch in get command!\r\nCreated date mismatch in list command!\r\nDirectory listing for {0}\r\nExecuting command with {0}...\r\nFailed to create agent due to {0}\r\nFailed to create channel due to {0}\r\nFailed to create injector due to {0}\r\nFatal failure due to {0}\r\nGetting file query {0}...\r\nGetting system information...\r\nGoing to sleep for {0}...\r\nGot '{0}' command from {1}.\r\nGot new '{0}' command.\r\nGot new task #{0} from {1}.\r\nHTTP listening isn't supported.\r\nIPC channel is not ready.\r\nInjected into explorer.\r\nInjected into {0} [{1}].\r\nInjecting into explorer...\r\nInjecting into {0} [{1}]...\r\nInjection failed due to {0}\r\nInstalling plugin...\r\nInvalid FTP server status ({0}).\r\nInvalid last contact time.\r\nInvalid or unknown action format ({0})!\r\nInvalid sender interval.\r\nKazuar's {0} started in process {1} [{2}] as user {3}/{4}.\r\nKilling processes...\r\nList command requires file query string!\r\nListening\r\nListing plugins...\r\nListing processes...\r\nMax interval value is less than min value!\r\nMax interval value is more than 
supported!\r\nMin interval value is less than supported!\r\nModified date mismatch in get command!\r\nModified date mismatch in list command!\r\nMove command requires destination path!\r\nMove command requires source path!\r\nMoving file from {0} to {1}...\r\nMozilla/5.0 (Windows NT {0}.{1}; rv:22.0) Gecko/20130405 Firefox/23.0\r\nMozilla/5.0 (X11; {0} {1}; rv:24.0) Gecko/20100101 Firefox/24.0\r\nNew plugin {0} was installed.\r\nNo servers available now.\r\nPlugin command requires payload!\r\nPlugin installed.\r\nPlugin removed.\r\nPlugin {0} was removed.\r\nPlugin {0} was started.\r\nPlugout command requires plugin name string!\r\nProc kill command requires name or pid to be set!\r\nProcess {0} [{1}] exited with {2} code.\r\nProcess {0} [{1}] impersonated.\r\nPut command requires correct file path!\r\nPut command requires payload!\r\nPutting file to {0}...\r\nRemote control failed due to {0}\r\nRemote failed due to {0}\r\nRemote iteration failed due to {0}\r\nRemote request from {0} failed due to {1}\r\nRemove command requires file path!\r\nRemoving file {0}...\r\nRemoving plugin...\r\nRequest was sent to {0}.\r\nResult #{0} was sent to {1}.\r\nResult #{0} was taken by {1}.\r\nRun command requires executable path!\r\nRun-time error {0}:{1:X8}.\r\nRun-time error {0}:{1}.\r\nScheme '{0}' is not supported!\r\nSearching file query {0}...\r\nSend iteration failed due to {0}\r\nSending request to {0}...\r\nSending result #{0} to {1}...\r\nServer command requires at least one server!\r\nSetting agent id to {0}...\r\nSetting autorun type to {0}...\r\nSetting remote type to {0}...\r\nSetting transport interval to [{0} - {1}]...\r\nSetting transport processes:\r\nSetting transport servers:\r\nShellcode error 
{0:X16}.\r\nSleep interval is longer than supported!\r\nSolving task #{0}...\r\nStartup path is empty.\r\nTaking screen shot...\r\nTaking webcam shot...\r\nTask #{0} execution finished.\r\nTask #{0} execution started:\r\nTask #{0} failed due to {1}\r\nTask #{0} solved.\r\nTransport command requires at least one process name!\r\nTransport process name '{0}' is invalid.\r\nTransport processes\r\nUnable to create capture window.\r\nUnable to delete task #{0} file due to {1}\r\nUnable to execute command due to {0}\r\nUnable to execute task #{0} due to {1}\r\nUnable to get last contact time due to {0}\r\nUnable to get task from {0} due to {1}\r\nUnable to impersonate {0} [{1}] due to {2}\r\nUnable to return logs due to {0}\r\nUnable to send result #{0} to {1} due to {2}\r\nUnable to start plugin {0} due to {1}\r\nUnable to stop plugin {0} due to {1}\r\nUnable to store agent id due to {0}\r\nUnable to store autorun type due to {0}\r\nUnable to store interval due to {0}\r\nUnable to store remote type due to {0}\r\nUnable to store servers due to {0}\r\nUnable to store transports due to {0}\r\nUnhandled exception {0}\r\nUpgrade command requires payload!\r\nUpgrading agent...\r\nUsing default agent id due to {0}\r\nUsing default autorun type due to {0}\r\nUsing default interval due to {0}\r\nUsing default remote type due to {0}\r\nUsing default servers due to {0}\r\nUsing default transports due to {0}\r\nUuid command requires identifier!\r\nWaiting for shellcode failed.\r\nWaiting for window '{0}' failed.\r\nexplorer.exe, {0}\r\nERROR: {0}\r\nPlugin {0}\r\n{0} doesn't exist!\r\n{0} was skipped.\r\nproc - {0} [{1}]\r\ntime - {0}\r\nuser - {0}/{1} ({2})\r\nSource: https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"
	],
	"report_names": [
		"unit42-kazuar-multiplatform-espionage-backdoor-api-access"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434240,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae3912c9227757b308ec5fc571a3c347201cb0a7.pdf",
		"text": "https://archive.orkl.eu/ae3912c9227757b308ec5fc571a3c347201cb0a7.txt",
		"img": "https://archive.orkl.eu/ae3912c9227757b308ec5fc571a3c347201cb0a7.jpg"
	}
}