
May 19, 2026 · 6 min read

Russia's FSB Just Turned Its 21 Year Old Spy Tool Into a Peer to Peer Botnet—And Email Harvesting Is One of 150 Built In Modules

Microsoft dropped a 6,000 word report on May 14 detailing how Secret Blizzard rebuilt Kazuar from a single backdoor into a modular P2P botnet. Only one infected machine in any victim network talks to the outside world.


What Microsoft Actually Disclosed

Microsoft's threat intelligence team dropped a 6,000 word report on May 14, 2026 detailing how Secret Blizzard—the Russian state group also known as Turla, Venomous Bear, and Snake—rebuilt the Kazuar backdoor from a single executable into a modular peer to peer botnet. The new Kazuar has three module types, 150 configuration options, and a deliberate design choice that makes it almost invisible to enterprise security tools: only one infected machine talks to the outside world.

For journalists, NGOs, and government workers whose threat models include nation state surveillance, this matters in a way that ordinary malware reports do not. Kazuar's code lineage stretches back to 2005. Microsoft attributes Turla to Center 16 of Russia's Federal Security Service (FSB)—the same unit that has historically run the most patient, most targeted intelligence campaigns coming out of Moscow. When that group quietly rewrites its oldest tool to operate in P2P mode, it is not chasing ransomware payouts. It is preparing for years long access to whoever it has already breached.

The Three Module Architecture

The report, titled "Kazuar: Anatomy of a Nation State Botnet," documents an architecture that splits the malware into three roles inside any compromised network:

  • Kernel module—the local coordinator on each infected host. Multiple Kernels in the same network elect a leader, and only that leader talks to the Bridge.
  • Bridge module—the single external relay. It is the only component that touches command and control infrastructure outside the victim's network.
  • Worker module—the part that actually does the spying: keylogging, screen capture, filesystem harvesting, system reconnaissance, and email data collection.

Microsoft writes that "the Kernel leader is the one elected Kernel module that communicates with the Bridge module on behalf of the other Kernel modules, reducing visibility by avoiding large volumes of external traffic from multiple infected hosts." Translation: if a security team is watching for ten machines beaconing to suspicious domains, it will not see ten machines. It will see one. The other nine are talking to each other inside the LAN over an encrypted P2P protocol.

The Worker module ships with what Microsoft documents as "150 configuration options"—a settings menu for spies. Operators can toggle keylogging on or off per host, narrow filesystem harvesting to specific file extensions, schedule screen captures, harvest credentials from specific browsers, bypass AMSI and ETW (the two telemetry surfaces Windows offers to endpoint detection vendors), and route stolen documents through the Bridge whenever it has a quiet window.

The Email Collection Module

Buried in Microsoft's IOC list is the capability operators care about most: email data collection. Turla has used this module for two decades to extract messages from compromised diplomatic workstations. The Worker can read Outlook PST and OST files directly off disk, pull attachments, and apply keyword filters before exfiltration so it never has to ship a 12 GB mailbox over a slow link from inside an embassy.

This is the difference between a ransomware crew and an FSB unit. Ransomware operators want everything fast because they need to extort within days. Turla wants the right messages, slowly, over months. The new P2P architecture makes the slow extraction safer—the Bridge can drip exfiltrate during business hours when the victim's normal traffic provides cover.

Who Gets Hit

Microsoft's historical Kazuar telemetry concentrates on three target sets:

  1. Government and diplomatic organizations in Europe and Central Asia. Foreign ministries, embassies, defense departments. Turla has been inside this kind of target since at least 2008.
  2. Systems in Ukraine previously compromised by Aqua Blizzard. Aqua Blizzard (also called Gamaredon) is a noisier Russian group attributed to the FSB. The new Kazuar pattern: Aqua Blizzard breaks in loudly, Turla quietly takes over the infrastructure for long term collection.
  3. NGOs and policy organizations working on Russia, Ukraine, or the broader Russian sphere of influence.

The Committee to Protect Journalists has tracked Turla activity against media organizations in the past, and the International Federation of Journalists' May 2026 report on press freedom flagged Russia as one of the states routinely deploying state grade malware against reporters in exile. If your reporting touches Ukraine, the FSB, or oligarch networks, Kazuar is part of the threat model.

Why P2P Architecture Matters For Detection

Endpoint detection tools learned to flag the same indicators across multiple machines—if ten workstations in a finance department all reach out to the same suspicious .ru domain, that triggers an alert. Microsoft's report makes clear that the new Kazuar specifically defeats this pattern. The Bridge module is the only external attacker controlled connection inside the entire victim network, and operators choose which compromised machine runs it. Rotate the Bridge to a new host weekly and the C2 signature looks like routine business traffic from a new device.

Inside the network, the P2P fabric uses what Microsoft describes as authenticated, encrypted, low frequency communication. Even if a defender captures one Worker module, the static analysis will not reveal the network of other infected hosts unless they extract the Kernel's encrypted peer list and break the key derivation.

What Defenders Should Actually Do

Microsoft's mitigation guidance is more detailed than usual:

  • Hunt for anomalous SMB and named pipe traffic between workstations that should not normally talk to each other. The P2P fabric uses Windows native protocols where possible.
  • Audit local administrator account creation on diplomatic and policy targets. The Worker module persists by registering as a Windows service that requires elevation.
  • Block AMSI bypass patterns in process memory. Microsoft published Defender XDR detection rules for the specific AMSI and ETW patching sequences Kazuar uses.
  • Treat any compromise by Aqua Blizzard as a Turla pre staging event. If your incident response finds Gamaredon style artifacts, assume Secret Blizzard already inherited the access.
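The first hunting item above (workstation to workstation SMB and named pipe traffic) and the single external relay described in the detection section both come down to traffic shape rather than signatures. The following Python is an added example, not code from Microsoft's report or from this article, showing both hunts over constructed flow records: it flags SMB connections between hosts in a workstation subnet, counts how many SMB peers each workstation has (a mesh looks different from one admin box), and flags any internal host contacting an external address at near constant intervals. The subnets, addresses, ports and timestamps are hypothetical sample data, and the thresholds are assumptions to tune against your own baseline.

```python
"""Hunt for (1) workstation-to-workstation SMB and (2) a lone host beaconing
outbound on a steady schedule, over constructed flow records.
Every address, port and timestamp below is made-up sample data."""

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds (constructed)
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination port


# Hypothetical network layout for the sample data.
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
WORKSTATIONS = ipaddress.ip_network("10.0.1.0/24")
SMB_PORTS = {139, 445}   # named pipes ride over SMB on 445

# Constructed flows: normal traffic to servers in 10.0.2.0/24, a small cluster
# of workstation-to-workstation SMB, one host reaching an external address
# (TEST-NET-3 placeholder) every 600 s, and one host browsing irregularly.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.1.11", "10.0.2.10", 445),
    Flow(1010, "10.0.1.12", "10.0.2.10", 445),
    Flow(1020, "10.0.1.13", "10.0.2.5", 445),
    Flow(1100, "10.0.1.11", "10.0.1.12", 445),     # workstation -> workstation
    Flow(1130, "10.0.1.12", "10.0.1.13", 445),     # workstation -> workstation
    Flow(1160, "10.0.1.13", "10.0.1.11", 445),     # workstation -> workstation
    Flow(1200, "10.0.1.11", "10.0.1.14", 445),     # workstation -> workstation
    Flow(2000, "10.0.1.14", "203.0.113.7", 443),   # steady outbound beacon
    Flow(2600, "10.0.1.14", "203.0.113.7", 443),
    Flow(3200, "10.0.1.14", "203.0.113.7", 443),
    Flow(3800, "10.0.1.14", "203.0.113.7", 443),
    Flow(2050, "10.0.1.12", "198.51.100.9", 443),  # ordinary, irregular browsing
    Flow(2400, "10.0.1.12", "198.51.100.9", 443),
    Flow(2410, "10.0.1.12", "198.51.100.9", 443),
]


def lateral_smb_pairs(flows):
    """(src, dst) pairs where one workstation reaches another over SMB.
    Workstation -> server traffic falls outside the workstation subnet and is ignored."""
    pairs = set()
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if f.dport in SMB_PORTS and src in WORKSTATIONS and dst in WORKSTATIONS:
            pairs.add((f.src, f.dst))
    return pairs


def smb_peer_degree(flows):
    """Distinct workstation SMB peers per host. Several hosts each with
    degree >= 2 suggests a mesh rather than a single noisy admin machine."""
    peers = defaultdict(set)
    for src, dst in lateral_smb_pairs(flows):
        peers[src].add(dst)
        peers[dst].add(src)
    return {host: len(p) for host, p in peers.items()}


def periodic_external_beacons(flows, min_count=4, max_jitter=0.2):
    """(src, dst) -> mean interval in seconds for internal hosts that contact an
    external address at near-constant intervals (stdev/mean of gaps <= max_jitter)."""
    by_pair = defaultdict(list)
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in INTERNAL and dst not in INTERNAL:
            by_pair[(f.src, f.dst)].append(f.ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            hits[pair] = round(mean)
    return hits


def hunt(flows):
    """Run all three checks and return their findings in one dict."""
    return {
        "lateral_smb": sorted(lateral_smb_pairs(flows)),
        "smb_degree": smb_peer_degree(flows),
        "beacons": periodic_external_beacons(flows),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_FLOWS).items():
        print(name, finding)
```

On real data, feed the same `Flow` shape from NetFlow, Zeek `conn.log` or firewall exports and replace the hypothetical subnets with your own; the beacon check is deliberately strict about regularity, so a relay that randomises its timing will need a looser `max_jitter` or a longer observation window, and the lateral SMB check is only as good as the accuracy of the workstation subnet list.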

For high risk individuals, the harder advice is the more important one. Kazuar runs almost exclusively on Windows. Journalists and activists working on Russia related stories should consider whether their primary email and document workflow needs to live on Windows at all. macOS and ChromeOS are not immune to state grade malware, but the Kazuar specific toolchain does not target them. For broader context on the surveillance industry targeting reporters, see our coverage of the IFJ's 2026 surveillance study.

The Pattern Behind the Tool

Russia's FSB has had Kazuar for at least 21 years. The fact that they are still investing in it in 2026—not replacing it, evolving it—says something about the state of the surveillance market that the Human Rights Watch report on EU spyware exports flagged last week: commercial spyware grabs headlines, but state owned tooling has not gone anywhere. It just got harder to see.

If your work makes you a target, build your security on the assumption that what is inside the network is more dangerous than what arrives in your inbox. Kazuar's email harvesting module does not need to send you a phishing message. It just needs one workstation in your organization to be the Bridge.
