Kazuar

GTIG observed STOCKSTAY being deployed following successful phishing attempts using malicious RDP configuration files... In one operation in early 2025, GTIG identified a phishing email... containing a malicious RDP file attachment.

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

Across incidents observed between February and June 2025, Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla’s Kazuar backdoor and, in at least one case, restore Turla’s access after the group appeared to have lost its foothold.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

A second method drops a lightweight .NET loader configured as a COM object, decrypting and executing the payload entirely in memory with almost no trace left on disk. | The malware uses hidden Windows messaging, named pipes, Mailslots, and Google Protocol Buffers for structured internal routing

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

2020-05-21 ⋅ PICUS Security ⋅ T1055 Process Injection ... Kazuar

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

Originally disguised as a stock market application, the malware has more recently masqueraded as legitimate software such as PDF readers and calculator programs.

2020-05-21 ⋅ PICUS Security ⋅ T1055 Process Injection ... Kazuar

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

...steal authentication tokens, cookies, and credentials from a wide variety of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook.

...steal authentication tokens, cookies, and credentials from a wide variety of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook.

...steal authentication tokens, cookies, and credentials from a wide variety of programs...

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

GTIG conducted a review... in which we observed Turla deploying a wide range of tools into the victim’s network... via malicious GPO installation from a compromised domain controller... Multiple ZIP archives, each containing one of the core components of STOCKSTAY or its configuration, were uploaded to the domain controller.

...allows the threat actors to launch javascript on the device, steal data from event logs, steal information about systems files...

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

Agent Tesla can access the victim’s webcam and record video. AsyncRAT can record screen content on targeted systems. Bandook has modules that are capable of capturing video from a victim's webcam. ... ZxShell has a command to perform video device spying.

MITRE ATT&CK techniques ... Command and Control ... T1071 Standard Application Layer Protocol ... The C&C URLs correspond to compromised legitimate websites for Turla to proxy commands and exfiltrate data to Turla backend infrastructure.

Central to its operations is the STOCKSTAY.STOCKMARKET component, which serves as the primary orchestrator, managing command-and-control logic over secure WebSocket connections using the open-source websocket-sharp library.

MITRE ATT&CK techniques ... Command and Control ... T1090 Proxy ... The October sample likely acts as a transfer agent used to proxy commands from the remote Turla operators to the Kazuar instances on internal nodes in the network via an internet-facing shared network location.

MITRE ATT&CK techniques ... Command and Control T1102 ... Web Service ... Turla has relied on traditional C&C implementations, using compromised web servers as C&C, as well as utilizing legitimate web services like Pastebin.

Most of its new tools are simple downloaders... Gamaredon used its library of loaders to provide initial access for Turla's heftier exploitation framework, Kazuar.

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

the attackers used a combination of recently updated remote administration trojans (RATs) and remote procedure call (RPC)-based backdoors

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.