Russia’s Secret Blizzard APT targets Ukraine with Kazuar backdoor

Pierluigi Paganini December 12, 2024

Russia-linked APT group Secret Blizzard is using Amadey Malware-as-a-Service to infect systems in Ukraine with the Kazuar backdoor.

The Russia-linked APT group Secret Blizzard (aka Turla, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) was spotted using the Amadey malware to deploy the KazuarV2 backdoor on devices in Ukraine.

Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.

— Microsoft Threat Intelligence (@MsftSecIntel) December 11, 2024

The experts observed threat actors using the Amadey bot malware between March and April 2024. Microsoft highlights that the bot is linked to cybercrime activities and was used by attackers to infiltrate devices used by the Ukrainian military.

Storm-1919 commonly uses Amadey bots, which were deployed globally in 2024, to drop XMRIG cryptocurrency miners. According to Microsoft, the Secret Blizzard group either used Amadey as a service or accessed its C2 panels to deliver a PowerShell dropper containing the encoded Amadey payload and links to Secret Blizzard's own C2 servers.

This operation marked at least the second instance since 2022 where Secret Blizzard leveraged a cybercrime campaign to gain a foothold in Ukraine for deploying its backdoors. This approach highlights the group’s strategy of blending cybercrime with targeted cyber-espionage activities.

“Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.” reads the analysis published by Microsoft. “Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors, including using strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated intercept systems in Russia such as the “System for Operative Investigative Activities” (SORM).”

Secret Blizzard usually employs spear phishing to gain initial access, followed by server-side and edge device compromises for lateral movement.

The Amadey bots sent encoded system data to the C2 at http://vitantgroup[.]com/xmlrpc.php and attempted to download two plugins, cred64.dll and clip64.dll, likely for credential and clipboard data theft. Secret Blizzard's use of a separate C2 URL suggests it lacked full control over the Amadey bot's primary C2 mechanism.
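An added detection example, not code from Microsoft or from this article: a small Python scanner that refangs the defanged C2 indicator quoted above and flags proxy log lines that beacon to it or fetch the two named plugins. The log line format, the plugin paths and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article: the Amadey C2 URL (defanged) and the
# two plugin file names the bots tried to download.
C2_URL_DEFANGED = "http://vitantgroup[.]com/xmlrpc.php"
PLUGIN_NAMES = {"cred64.dll", "clip64.dll"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp'/'hxxps') back into a matchable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

_c2 = urlsplit(refang(C2_URL_DEFANGED))
C2_HOST, C2_PATH = _c2.hostname, _c2.path

# Constructed proxy-log format assumed here: "<ts> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

def classify(line: str):
    """Return (detection_name, client_ip) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    basename = parts.path.rsplit("/", 1)[-1].lower()
    if host == C2_HOST and parts.path == C2_PATH:
        return ("amadey-c2-beacon", m["client"])        # check-in to the quoted C2 URL
    if host == C2_HOST and basename in PLUGIN_NAMES:
        return ("amadey-plugin-download", m["client"])  # plugin fetched from the C2 host
    if basename in PLUGIN_NAMES:
        return ("amadey-plugin-name-elsewhere", m["client"])  # weaker: name only
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and collect the hits in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]

# Constructed sample log: one infected client, one benign request.
SAMPLE_LOG = """\
2024-03-20T10:01:02Z 10.0.0.7 POST http://vitantgroup.com/xmlrpc.php 200
2024-03-20T10:01:05Z 10.0.0.7 GET http://vitantgroup.com/Plugins/cred64.dll 200
2024-03-20T10:01:06Z 10.0.0.7 GET http://vitantgroup.com/Plugins/clip64.dll 404
2024-03-20T10:02:00Z 10.0.0.9 GET http://example.org/index.html 200
""".splitlines()

if __name__ == "__main__":
    for name, client in scan(SAMPLE_LOG):
        print(f"{name}: {client}")
```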

Secret Blizzard selectively deployed a custom survey tool to the targeted devices, including Ukrainian front-line military systems using STARLINK IPs. The tool collected detailed system data, encrypted it with RC4, and sent it to C2 servers. The malware deployed the Tavdig backdoor and a legitimate Symantec binary to devices of interest for DLL sideloading, enabling further reconnaissance. Tools such as procmap.exe were used to compile malicious files for additional payloads, including the KazuarV2 backdoor.

Microsoft said it also detected the threat actor repurposing a PowerShell backdoor linked to a distinct Russia-based hacking group called Flying Yeti (aka Storm-1837 and UAC-0149) to deploy a PowerShell dropper that embeds Tavdig.

Microsoft is still investigating how Secret Blizzard gained control of the Storm-1837 backdoor or the Amadey bots to download its own tools.

Needless to say, the findings once again highlight the threat actor's repeated pursuit of footholds provided by other parties, either by purchasing or stealing that access, to conduct espionage campaigns in a manner that obscures its own presence.

Microsoft published indicators of compromise (IoCs) for this campaign.

Last week, researchers from Microsoft Threat Intelligence announced they had collected evidence that the Russia-linked APT group Secret Blizzard (aka Turla, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has used the tools and infrastructure of at least 6 other threat actors during the past 7 years.

The experts reported that the Secret Blizzard threat actor is compromising the infrastructure of the Pakistan-based threat actor Storm-0156 to conduct cyber espionage campaigns on targets in South Asia.

Pierluigi Paganini

(SecurityAffairs – hacking, Russia)