The Invisible Agent: Turla’s Evolved Kazuar Loader Hijacks COM to Blind Windows
Security practitioners have identified an evolved iteration of the Kazuar loader, a tool wielded by the prolific Turla threat collective. This modular implant facilitates the circumvention of Windows security mechanisms without altering system files, employing sophisticated control-flow manipulation and extensive utilization of the Component Object Model (COM) framework. These stratagems collectively ensure clandestine persistence and significantly impede forensic analysis.
The infection sequence commences with a deceptively innocuous VBScript file. This script orchestrates the creation of nested directories within the local user data repository and subsequently retrieves five distinct components from a remote command-and-control server. Among these is a legitimate Hewlett-Packard printer driver installer, which is later subverted to facilitate a DLL sideloading maneuver for the execution of a malicious library.
Furthermore, the script establishes persistence via the system registry and harvests comprehensive telemetry—including active processes, hardware architecture, and user credentials—before exfiltrating this intelligence to a known malicious IP address previously documented by ESET.
The core malicious logic is sequestered within a library christened hpbprndiLOC.dll, which is invoked through a DLL sideloading technique in tandem with the authentic driver installer. This component is heavily fortified with obfuscated code, spurious API calls, and redundant logical structures. It leverages various Windows functions to neutralize Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) using hardware breakpoints, thereby bypassing defensive shields without necessitating in-memory code modifications. Simultaneously, the library employs a control-redirection artifice, wherein segments of the code are executed twice, with the secondary phase initiating from the midpoint of a single function.
The loader further propagates the assault by anchoring itself within the Windows COM infrastructure. It manually replicates configurations of the ADODB.Stream system component from the global registry into the user-specific hive to facilitate covert file operations. To generate the necessary directories, it utilizes Shell Automation mechanisms, camouflaging its activities as standard Windows Explorer behavior.
The subsequent phase involves the decryption and deployment of a .NET library, which serves as the conduit for the final Kazuar modules. This library is registered as a COM object and interfaces with the operating system through a standard COM Callable Wrapper (CCW). The three primary Kazuar components—KERNEL, WORKER, and BRIDGE—are transmitted in an encrypted state and loaded into isolated dllhost.exe processes to further evade detection.
- KERNEL: Executes the primary malicious agenda, including task management, keylogging, and configuration handling.
- WORKER: Scrutinizes the environment for security software, specifically targeting solutions from Kaspersky, Symantec, and Microsoft.
- BRIDGE: Establishes communication with remote servers via legitimate but compromised WordPress sites disguised as plugin directories.
All three modules utilize the AGN-RR-01 agent identifier, consistent with operations attributed to the joint activity of the Turla and Gamaredon groups. This refined Kazuar loader epitomizes advanced technical craftsmanship, eschewing direct system alterations in favor of deep integration within Windows’ internal mechanisms. Its multi-stage architecture and non-invasive defensive bypasses permit it to endure within a compromised environment for extended periods without detection.
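Two of the loader's persistence traits are visible in ordinary host telemetry: a COM registration copied from HKLM into the HKCU hive (per-user CLSID keys are resolved before machine-wide ones, so a user copy silently takes precedence), and a dropped installer loading a DLL from its own user-writable directory. The hunt below is an added example written for this article, not code from the report or from ESET; the registry snapshots, image-load events and CLSIDs other than ADODB.Stream's are constructed, the installer file name is a placeholder, and the helper names are this example's own.

```python
"""Hunt for two Kazuar-loader traits described above, over constructed host
telemetry. Everything here is illustrative: the registry snapshots and image-
load events are made up, and the helper names are this example's own."""
import re
from dataclasses import dataclass

# Paths a standard user can write to; a COM server or sideloaded DLL living
# here deserves a look, since system components normally do not.
USER_WRITABLE = re.compile(r"^c:\\users\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


# Constructed HKLM\Software\Classes\CLSID snapshot: CLSID -> path of the
# server DLL. The ADODB.Stream CLSID and msado15.dll location are the
# documented ones; the {AAAA...} entry is invented for the example.
HKLM_CLSID = {
    "{00000566-0000-0010-8000-00AA006D2EA4}":
        r"C:\Program Files\Common Files\System\ado\msado15.dll",
    "{AAAAAAAA-1111-2222-3333-444444444444}": r"C:\Windows\System32\example.dll",
}

# Constructed HKCU\Software\Classes\CLSID snapshot after an infection of the
# kind the report describes. For a .NET server the InprocServer32 default is
# mscoree.dll and the assembly lives in the CodeBase value; this snapshot
# records whichever path names the component's code.
HKCU_CLSID = {
    # verbatim copy of the ADODB.Stream registration into the user hive
    "{00000566-0000-0010-8000-00AA006D2EA4}":
        r"C:\Program Files\Common Files\System\ado\msado15.dll",
    # HKLM component repointed at a DLL under AppData (invented case)
    "{AAAAAAAA-1111-2222-3333-444444444444}":
        r"C:\Users\alice\AppData\Local\Vendor\Cache\shadow.dll",
    # stand-in for the loader's .NET library registered as a user COM object
    "{CCCCCCCC-1111-2222-3333-444444444444}":
        r"C:\Users\alice\AppData\Local\Vendor\Cache\stage.dll",
    # a legitimately per-user registered component with a machine-wide path
    "{DDDDDDDD-1111-2222-3333-444444444444}": r"C:\Program Files\LegitApp\legit.dll",
}


def hunt_com_registrations(hklm, hkcu):
    """Flag per-user CLSIDs that shadow machine-wide ones (COM resolves HKCU
    first), and any per-user server whose code sits in a user-writable path."""
    findings = []
    for clsid, server in hkcu.items():
        machine = hklm.get(clsid)
        if machine is not None:
            if machine.lower() != server.lower():
                findings.append(Finding("com_hijack", clsid,
                                        f"HKCU -> {server}; HKLM -> {machine}"))
            else:
                findings.append(Finding("com_shadow_copy", clsid,
                                        f"HKCU duplicates HKLM entry {machine}"))
        if USER_WRITABLE.match(server):
            findings.append(Finding("com_server_user_writable", clsid, server))
    return findings


@dataclass(frozen=True)
class ImageLoad:
    process: str  # full path of the process that loaded the image
    image: str    # full path of the loaded DLL


# Constructed image-load events (the shape a Sysmon Event ID 7 feed carries).
# The installer file name is a placeholder; hpbprndiLOC.dll is the name the
# report gives for the sideloaded library.
IMAGE_LOADS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Vendor\Cache\PLACEHOLDER_hp_installer.exe",
              r"C:\Users\alice\AppData\Local\Vendor\Cache\hpbprndiLOC.dll"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Vendor\Cache\PLACEHOLDER_hp_installer.exe",
              r"C:\Windows\System32\kernel32.dll"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll"),
]


def hunt_sideload(events):
    """Flag a process in a user-writable directory that loads a DLL from that
    same directory: the shape of a dropped installer plus planted library."""
    findings = []
    for ev in events:
        proc_dir = ev.process.rsplit("\\", 1)[0].lower()
        img_dir = ev.image.rsplit("\\", 1)[0].lower()
        if proc_dir == img_dir and USER_WRITABLE.match(img_dir):
            findings.append(Finding("dll_sideload_candidate", ev.process,
                                    f"loaded {ev.image} from its own directory"))
    return findings


def run_hunt():
    """Run both hunts over the constructed telemetry and return all findings."""
    return hunt_com_registrations(HKLM_CLSID, HKCU_CLSID) + hunt_sideload(IMAGE_LOADS)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

On a real host the two snapshots would come from the live hives (or from a registry export) and the image loads from Sysmon or EDR telemetry. The `com_shadow_copy` rule is deliberately noisy on its own, since some installers do write per-user copies of system CLSIDs; its value is in combination with a user-writable server path or a sideload candidate from the same directory tree.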