S0265: Kazuar
Analyst context for executives and security teams
Kazuar matters because ATT&CK describes it as a fully featured, multi-platform backdoor Trojan for Windows and macOS, with relationships showing discovery, command execution, collection, staging, command-and-control, and exfiltration-related behaviors. For leaders, the practical issue is not only “malware detection,” but whether the organization can prove it would notice a backdoor mapping users, files, processes, network settings, and local permissions before moving data or receiving further tools.
Executive priority
Treat this as a coverage-validation use case for endpoint, network, and incident response readiness across Windows and macOS. Priority questions: do we collect enough host and network evidence to reconstruct discovery and C2 activity; can the SOC distinguish legitimate administration from suspicious WMI, shell, and discovery behavior; and can IR quickly scope local data staging, tool transfer, and potential exfiltration paths? The ATT&CK relationship to Turla increases threat-intelligence relevance, but local exposure and prioritization should be based on observed telemetry and business-critical assets.
Technical view
Kazuar has no official ATT&CK detection text, so defenders should validate coverage through the related techniques rather than rely on a single signature. On Windows, prioritize visibility into .NET process behavior, WMI execution, command shell activity, DLL injection indicators, file deletion, local account/group discovery, process discovery, and file/directory enumeration. On macOS, validate Unix shell execution, user/system/network discovery, file discovery, local data collection, staging, and outbound C2-like traffic. Network teams should review visibility for web protocols, file transfer protocols, fallback channels, internal proxy behavior, bidirectional web-service communication, and ingress tool transfer. IR playbooks should connect host discovery events to possible local data staging and scheduled transfer/exfiltration patterns.
Likely telemetry
- Endpoint process creation and command-line telemetry for Windows and macOS
- Windows WMI activity and administrative execution logs
- DLL/module load, process injection, and suspicious process access telemetry where available
- File creation, modification, staging, and deletion events
- Local account, group, user, process, system, network configuration, file, and directory discovery evidence
Detection direction
- Map detections to the related ATT&CK techniques instead of treating Kazuar as a single malware signature, especially because official detection guidance is not provided.
- Tune for sequences: discovery of users/processes/files/network settings followed by staging, outbound web or file-transfer traffic, tool transfer, or cleanup through file deletion.
- Separate legitimate administration from suspicious use of WMI, Windows command shell, Unix shell, and local account/group discovery by baselining admin hosts, service accounts, timing, and target systems.
- Validate Windows and macOS parity; the object is multi-platform, and endpoint visibility gaps on either platform can create blind spots.
- Correlate host telemetry with network telemetry for web protocols, file transfer protocols, fallback channels, internal proxy behavior, and bidirectional web-service communication.
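The second and third points above (tune for sequences, and baseline legitimate administration) are easiest to reason about as a small correlator. The block below is an added example, not text or code from the ATT&CK object, from MITRE or from Glexia: it parses constructed, pipe-delimited endpoint events, maps each event kind to a stage (discovery, staging, transfer, cleanup), and reports hosts where a discovery event is followed within a time window by staging and then an outbound transfer or cleanup. The event schema, the stage mapping, the host and account names, the admin baseline and every log line are constructed for illustration.

```python
"""Sequence correlation for the discovery -> staging -> transfer/cleanup pattern.

Added example. Event kinds, hostnames, accounts and log lines are constructed;
the stage mapping is this example's own grouping of the ATT&CK technique
categories listed on the page, not an official ATT&CK data model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed mapping from an event kind to the intrusion stage it supports.
STAGE_OF_EVENT = {
    "local_account_discovery": "discovery",
    "local_group_discovery": "discovery",
    "process_discovery": "discovery",
    "file_directory_discovery": "discovery",
    "network_config_discovery": "discovery",
    "file_staging_write": "staging",
    "outbound_web": "transfer",
    "outbound_ftp": "transfer",
    "file_deletion": "cleanup",
}

# Constructed baseline: (host, account) pairs whose WMI/shell discovery is
# expected administration. In practice this comes from asset/identity inventory.
BASELINE_ADMIN = {("admin-jump01", "svc_inventory")}

# Constructed sample telemetry: timestamp | host | user | event kind | detail.
SAMPLE_LOG = """
2024-03-04T09:01:10 | ws-finance-07 | jdoe | local_group_discovery | local group enumeration
2024-03-04T09:01:42 | ws-finance-07 | jdoe | process_discovery | WMI process query
2024-03-04T09:03:05 | ws-finance-07 | jdoe | network_config_discovery | adapter enumeration
2024-03-04T09:20:30 | ws-finance-07 | jdoe | file_staging_write | archive written to temp directory
2024-03-04T09:41:12 | ws-finance-07 | jdoe | outbound_web | POST to external web service
2024-03-04T09:42:00 | ws-finance-07 | jdoe | file_deletion | staged archive removed
2024-03-04T10:00:00 | admin-jump01 | svc_inventory | process_discovery | WMI process query
2024-03-04T10:05:00 | admin-jump01 | svc_inventory | file_staging_write | inventory export written
2024-03-04T10:06:00 | admin-jump01 | svc_inventory | outbound_web | upload to CMDB
2024-03-04T11:00:00 | mac-dev-12 | asmith | file_directory_discovery | home directory listing
2024-03-04T16:30:00 | mac-dev-12 | asmith | file_staging_write | archive written to /tmp
2024-03-04T16:35:00 | mac-dev-12 | asmith | outbound_ftp | FTPS session to external host
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed pipe-delimited log line into an Event."""
    ts, host, user, kind, detail = [p.strip() for p in line.split("|", 4)]
    return Event(datetime.fromisoformat(ts), host, user, kind, detail)


def load_events(text: str) -> list:
    """Parse all non-empty lines, sorted by timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list, window: timedelta) -> dict:
    """Return {host: [event kinds]} for each host where a non-baselined discovery
    event is followed, in order and within `window`, by staging and then by a
    transfer or cleanup event. Only the first matching chain per host is kept."""
    by_host: dict = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)

    findings = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if STAGE_OF_EVENT.get(start.kind) != "discovery":
                continue
            if (start.host, start.user) in BASELINE_ADMIN:
                continue  # expected administration: a tuning case, not an alert
            chain = [start]
            # Stages still required, in order; the last step accepts either.
            need = [{"staging"}, {"transfer", "cleanup"}]
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > window:
                    break  # sequence did not complete inside the window
                stage = STAGE_OF_EVENT.get(ev.kind)
                if stage == "discovery":
                    chain.append(ev)  # further mapping strengthens the narrative
                elif need and stage in need[0]:
                    chain.append(ev)
                    need.pop(0)
                if not need:
                    findings[host] = [e.kind for e in chain]
                    break
            if host in findings:
                break
    return findings


def detect(log_text: str = SAMPLE_LOG, window_hours: float = 2.0) -> dict:
    """Run the correlator over log text with a window given in hours."""
    return correlate(load_events(log_text), timedelta(hours=window_hours))


if __name__ == "__main__":
    for host, chain in detect().items():
        print(host, "->", " -> ".join(chain))
```

With the default two-hour window only ws-finance-07 is reported: admin-jump01 shows the same shape but is excluded by the baseline, and mac-dev-12 has discovery and staging too far apart. Widening the window to eight hours surfaces mac-dev-12 as well, which is the trade-off the baselining and window parameters exist to tune.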
Mitigation priorities
- Confirm endpoint protection, logging, and response capability on both Windows and macOS assets, especially high-value systems handling sensitive data.
- Reduce abuse of administrative execution paths by controlling and monitoring WMI, command shells, privileged accounts, and local group membership.
- Strengthen egress governance by monitoring and restricting unnecessary web, file-transfer, proxy, and external web-service communication paths.
- Improve data-loss and incident-response readiness by monitoring local data staging locations, unusual scheduled transfers, and outbound transfer patterns.
- Harden investigative retention: preserve endpoint, proxy, DNS, and firewall logs long enough to reconstruct discovery-to-exfiltration timelines.
Analyst notes and limits
ATT&CK records Kazuar as software S0265 and describes it as a fully featured backdoor Trojan written with the Microsoft .NET framework. The relationship set links it to Turla and to techniques spanning execution, discovery, collection, command-and-control, exfiltration, stealth, and privilege-escalation-related behavior. The most useful defensive value is validating whether telemetry can connect these behaviors into an intrusion narrative rather than relying on a named-malware alert.
The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or explicit tactics on the malware object itself. Technique descriptions are relationship context and include platforms broader than Kazuar’s listed Windows and macOS platforms, so defensive planning should not infer Kazuar platform support beyond Windows and macOS from those technique platform lists. Local environment baselines, asset criticality, and observed indicators are required for prioritization and incident conclusions.
Kazuar
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Kazuar adds a sub-key under several Registry run keys. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1485 | Data Destruction | Kazuar can overwrite files with random data before deleting them. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1070.004 | File Deletion | Kazuar can delete files. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1132.001 | Standard Encoding | Kazuar encodes communications to the C2 server in Base64. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1057 | Process Discovery | Kazuar obtains a list of running processes through WMI querying and the |
| Enterprise | T1083 | File and Directory Discovery | Kazuar finds a specified directory, lists the files and metadata about those files. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1033 | System Owner/User Discovery | Kazuar gathers information on users. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1090.001 | Internal Proxy | Kazuar has used internal nodes on the compromised network for C2 communications. (Citation: Accenture HyperStack October 2020) |
| Enterprise | T1069.001 | Local Groups | Kazuar gathers information about local groups and members. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1125 | Video Capture | Kazuar captures images from the webcam. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1059.004 | Unix Shell | Kazuar uses /bin/bash to execute commands on the victim’s machine. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1055.001 | Dynamic-link Library Injection | |
| Enterprise | T1071.002 | File Transfer Protocols | Kazuar uses FTP and FTPS to communicate with the C2 server. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1543.003 | Windows Service | Kazuar can install itself as a new service. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1082 | System Information Discovery | Kazuar gathers information on the system. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1102.002 | Bidirectional Communication | Kazuar has used compromised WordPress blogs as C2 servers. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1008 | Fallback Channels | Kazuar can accept multiple URLs for C2 servers. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1071.001 | Web Protocols | |
| Enterprise | T1010 | Application Window Discovery | Kazuar gathers information about opened windows. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1113 | Screen Capture | Kazuar captures screenshots of the victim’s screen. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1029 | Scheduled Transfer | Kazuar can sleep for a specific time and be set to communicate at specific intervals. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1680 | Local Storage Discovery | Kazuar gathers information on local drives. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1087.001 | Local Account | Kazuar gathers information on local groups and members on the victim’s machine. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1074.001 | Local Data Staging | Kazuar stages command output and collected data in files before exfiltration. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1005 | Data from Local System | Kazuar uploads files from a specified directory to the C2 server. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1016 | System Network Configuration Discovery | Kazuar gathers information about network adapters. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1047 | Windows Management Instrumentation | Kazuar obtains a list of running processes through WMI querying. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1547.009 | Shortcut Modification | Kazuar adds a .lnk file to the Windows startup folder. (Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1059.003 | Windows Command Shell | Kazuar uses cmd.exe to execute commands on the victim’s machine. (Citation: Unit 42 Kazuar May 2017) |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | bbff460f30d5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 Kazuar May 2017: Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- [2] Kazuar (Citation: Unit 42 Kazuar May 2017)
- [3] mitre-attack S0265
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.