The sub-techniques beta is now live! Read the release blog post for more info.


Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [1]

ID: S0265
Platforms: Windows, macOS
Version: 1.1
Created: 17 October 2018
Last Modified: 24 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Kazuar gathers information on local groups and members on the victim’s machine.[1]

Enterprise T1010 Application Window Discovery

Kazuar gathers information about opened windows.[1]

Enterprise T1059 Command-Line Interface

Kazuar uses cmd.exe and /bin/bash to execute commands on the victim’s machine.[1]

Enterprise T1485 Data Destruction

Kazuar can overwrite files with random data before deleting them.[1]

Enterprise T1132 Data Encoding

Kazuar encodes communications to the C2 server in Base64.[1]

Enterprise T1005 Data from Local System

Kazuar uploads files from a specified directory to the C2 server.[1]

Enterprise T1074 Data Staged

Kazuar stages command output and collected data in files before exfiltration.[1]

Enterprise T1008 Fallback Channels

Kazuar can accept multiple URLs for C2 servers.[1]

Enterprise T1083 File and Directory Discovery

Kazuar finds a specified directory, lists the files and metadata about those files.[1]

Enterprise T1107 File Deletion

Kazuar can delete files.[1]

Enterprise T1050 New Service

Kazuar can install itself as a new service.[1]

Enterprise T1027 Obfuscated Files or Information

Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.[1]

Enterprise T1069 Permission Groups Discovery

Kazuar gathers information about local groups and members.[1]

Enterprise T1057 Process Discovery

Kazuar obtains a list of running processes through WMI querying and the ps command.[1]

Enterprise T1055 Process Injection

If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Kazuar adds a sub-key under several Registry run keys.[1]

Enterprise T1105 Remote File Copy

Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[1]

Enterprise T1029 Scheduled Transfer

Kazuar can sleep for a specific time and be set to communicate at specific intervals.[1]

Enterprise T1113 Screen Capture

Kazuar captures screenshots of the victim’s screen.[1]

Enterprise T1023 Shortcut Modification

Kazuar adds a .lnk file to the Windows startup folder.[1]

Enterprise T1071 Standard Application Layer Protocol

Kazuar uses HTTP, HTTPS, FTP, and FTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.[1]

Enterprise T1082 System Information Discovery

Kazuar gathers information on the system and local drives.[1]

Enterprise T1016 System Network Configuration Discovery

Kazuar gathers information about network adapters.[1]

Enterprise T1033 System Owner/User Discovery

Kazuar gathers information on users.[1]

Enterprise T1125 Video Capture

Kazuar captures images from the webcam.[1]

Enterprise T1102 Web Service

Kazuar has used compromised WordPress blogs as C2 servers.[1]

Enterprise T1047 Windows Management Instrumentation

Kazuar obtains a list of running processes through WMI querying.[1]

Groups That Use This Software

ID Name References
G0010 Turla [1]