Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Secret Blizzard Uses Amadey to Deploy Kazuar

December 12, 2024
Reading Time: 2 mins read
in Alerts
Secret Blizzard Uses Amadey to Deploy Kazuar

The Russian state-sponsored threat actor Secret Blizzard, also known as Turla, has been identified leveraging the Amadey malware-as-a-service (MaaS) platform to infiltrate systems associated with the Ukrainian military. According to Microsoft, this campaign, which occurred between March and April 2024, represents a sophisticated effort to deploy the Kazuar backdoor using existing cybercrime tools. This marks at least the second instance since 2022 where Secret Blizzard has co-opted third-party malware infrastructure to execute its espionage activities in Ukraine.

The attack chain began with the deployment of Amadey bots to install a PowerShell dropper encoded with a command-and-control (C2) URL controlled by Turla. This dropper facilitated reconnaissance on compromised systems, gathering details such as the presence of Microsoft Defender, to identify high-value targets. After reconnaissance, the attackers proceeded to deploy Tavdig, a backdoor used to enable additional data collection and pave the way for Kazuar, an updated version of which was previously documented in 2023. This intricate sequence reflects the group’s emphasis on precision targeting and operational obfuscation.

What sets this campaign apart is Secret Blizzard’s reliance on pre-existing malware services and infrastructures, such as Amadey and the COOKBOX PowerShell backdoor linked to another Russia-based group, Flying Yeti. By hijacking access provided by other threat actors, the group effectively obscures its operations and frustrates attribution efforts. Microsoft noted that this tactic, while not unprecedented, is rarely executed with such complexity. It demonstrates Secret Blizzard’s ability to exploit cybercrime networks for state-sponsored objectives.

This campaign underscores the evolving dynamics of cyber espionage, where nation-state actors increasingly rely on third-party malware ecosystems to achieve their goals. By using tools like Amadey, Secret Blizzard can rapidly scale its operations while maintaining a layer of plausible deniability. The findings highlight the growing intersection of cybercrime and state-sponsored hacking, emphasizing the need for enhanced vigilance and collaboration among cybersecurity stakeholders to defend against these multifaceted threats.

Reference:

  • Secret Blizzard Uses Amadey Malware to Deploy Kazuar Backdoor in Ukraine
Tags: AmadeyAPTCOOKBOXCyber AlertsCyber Alerts 2024Cyber threatsDecember 2024MicrosoftRussiaSecret BlizzardThreat ActorsTurlaUkraine
ADVERTISEMENT

Related Posts

Fake PyPI Login Site Steals Credentials

Fake PyPI Login Site Steals Credentials

September 26, 2025
Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

September 26, 2025
Fake PyPI Login Site Steals Credentials

Hidden WordPress Backdoors Create Admins

September 26, 2025
BadIIS Malware Spreads Via SEO Poisoning

Hackers Target AWS and Steal Credentials

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

SonicWall SMA100 Update Removes Rootkit

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

BadIIS Malware Spreads Via SEO Poisoning

September 24, 2025

Latest Alerts

Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

Hidden WordPress Backdoors Create Admins

Hackers Target AWS and Steal Credentials

SonicWall SMA100 Update Removes Rootkit

BadIIS Malware Spreads Via SEO Poisoning

Subscribe to our newsletter

    Latest Incidents

    Indian Bank Transfer Records Exposed

    Chinese Cyberspies Hit US Defense Firms

    Neon App Shuts Down After Data Leak

    Boyd Gaming Reports Data Breach After Attack

    Morrisroe UK Company Hit By Cyber Attack

    GeoServer Flaw Breaches US Agency Network

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial