Turla, a long-running and well-resourced threat actor, has deployed an upgraded version of its Kazuar v3 loader, a component built to get past endpoint defenses by neutralizing Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) from inside the infected process. Discovered in January 2026, this latest iteration shows how the group's tactics, techniques, and procedures (TTPs) keep evolving.
The infection chain begins with a VBScript file, tracked as 8RWRLT.vbs, which contacts a command and control (C2) server at 185.126.255.132, an address in Ukraine. This first stage drops a legitimate Hewlett-Packard printer driver installer together with a malicious DLL; the signed installer is then launched so that it loads the attacker's DLL in place of the one it expects, a technique known as DLL sideloading. Several encrypted payloads follow, and the final stage executes within the Windows COM subsystem, which gives the attackers persistence and lets the activity blend in with ordinary system behaviour. The infrastructure mirrors tactics previously documented in analyses of collaboration between Gamaredon and Turla.
Detection Evasion Through Hardware Breakpoints and System Integration
The most notable advancement in Turla's Kazuar v3 loader is its patchless bypass of ETW and AMSI. Instead of overwriting the first bytes of the target functions in memory, as the classic AMSI and ETW patches do, the loader uses hardware breakpoint hooking: it registers a vectored exception handler (VEH) and places CPU debug-register breakpoints on NtTraceControl for ETW and on AmsiScanBuffer for AMSI. When either function is about to execute, the processor raises a debug exception, the handler receives it together with the thread's full register state, and it forges the function's result before letting the thread continue.
The setup captures the current thread's register state with GetThreadContext, writes the two target addresses into debug registers DR0 and DR1 and the matching enable bits into DR7, and commits the modified context with NtContinue. From then on, any execution at those addresses traps into the handler. For NtTraceControl the handler skips the function body entirely and returns success, so the ETW calls the runtime relies on never reach the tracing provider. For AmsiScanBuffer it locates the AMSI_RESULT output parameter on the stack, writes AMSI_RESULT_CLEAN through that pointer, sets the return register to a success value, and returns directly to the caller, so every scan appears to have passed and the detection layer is silently disabled.
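The two halves of that mechanism, the hook and the check that finds it, as a worked example. This is added code, not Kazuar's and not from Reichel's analysis: it is a portable C model in which the Windows-only pieces (AddVectoredExceptionHandler, GetThreadContext/NtContinue, the real CONTEXT record and process memory) are replaced by a small constructed register snapshot and a fake address space, so it compiles and runs on any platform. The addresses, the stack contents and the "detected" result are all constructed; the DR7 bit layout, the EXCEPTION_SINGLE_STEP code and the [rsp+0x30] location of AmsiScanBuffer's sixth argument under the x64 calling convention are real.

```c
/* Added example (not Kazuar's code): portable model of a hardware-breakpoint
 * AMSI/ETW hook and of the debug-register check a scanner can run against it.
 * Windows-only steps are replaced by a constructed register snapshot (ctx_t)
 * and a constructed address space (vm_t). All addresses below are made up. */
#include <stdint.h>
#include <stdio.h>

#define AMSI_RESULT_CLEAN      0u            /* from amsi.h */
#define S_OK                   0u            /* also STATUS_SUCCESS */
#define EXCEPTION_SINGLE_STEP  0x80000004u   /* delivered when a DRn breakpoint fires */

typedef struct { uint64_t rax, rip, rsp, dr0, dr1, dr2, dr3, dr7; } ctx_t;

/* Constructed address space: 64 eight-byte slots starting at MEM_BASE. */
#define MEM_BASE 0x7ff000000000ull
typedef struct { uint64_t mem[64]; } vm_t;
static uint64_t *vm_at(vm_t *vm, uint64_t addr) { return &vm->mem[(addr - MEM_BASE) / 8]; }

/* DR7 layout (Intel SDM vol. 3, 17.2.4): bit 2*i enables DRi for the current
 * thread; bits 16+4*i..17+4*i select the condition (00 = instruction execute)
 * and bits 18+4*i..19+4*i the length (must be 00 for execute breakpoints). */
static uint64_t dr7_enable_exec(uint64_t dr7, unsigned slot) {
    dr7 |= 1ull << (2 * slot);
    dr7 &= ~(0xfull << (16 + 4 * slot));
    return dr7;
}

/* Attacker side, step 1: point DR0/DR1 at the two targets and enable them.
 * In the real loader these fields go into a CONTEXT obtained with
 * GetThreadContext and are committed with NtContinue. */
void arm_hooks(ctx_t *c, uint64_t nt_trace_control, uint64_t amsi_scan_buffer) {
    c->dr0 = nt_trace_control;
    c->dr1 = amsi_scan_buffer;
    c->dr7 = dr7_enable_exec(dr7_enable_exec(0, 0), 1);
}

/* Attacker side, step 2: the vectored exception handler. Returns 1 when the
 * exception was ours and the thread may resume (EXCEPTION_CONTINUE_EXECUTION),
 * 0 to pass it on (EXCEPTION_CONTINUE_SEARCH). */
int veh_on_single_step(uint32_t code, ctx_t *c, vm_t *vm) {
    if (code != EXCEPTION_SINGLE_STEP) return 0;
    if (c->rip != c->dr0 && c->rip != c->dr1) return 0;   /* someone else's #DB */

    if (c->rip == c->dr1) {
        /* AmsiScanBuffer(ctx, buf, len, name, session, AMSI_RESULT *result):
         * x64 passes args 5 and 6 on the stack. At function entry [rsp] is the
         * return address and [rsp+8..0x27] the shadow space, so the result
         * pointer (arg 6) sits at [rsp+0x30]. */
        uint64_t result_ptr = *vm_at(vm, c->rsp + 0x30);
        *vm_at(vm, result_ptr) = AMSI_RESULT_CLEAN;
    }
    /* Both hooks skip the real body by faking a return with RAX = S_OK.
     * Moving RIP also means the execute breakpoint does not re-fire on resume. */
    c->rax = S_OK;
    c->rip = *vm_at(vm, c->rsp);   /* pop the return address */
    c->rsp += 8;
    return 1;
}

/* Defender side: given one thread's debug registers (on Windows, from
 * GetThreadContext with CONTEXT_DEBUG_REGISTERS), return a bitmask of which
 * sensitive functions have an armed execute breakpoint on them. */
unsigned find_hw_hooks(const ctx_t *c, const uint64_t *targets, unsigned n) {
    const uint64_t dr[4] = { c->dr0, c->dr1, c->dr2, c->dr3 };
    unsigned hits = 0;
    for (unsigned i = 0; i < 4; i++) {
        int enabled = (int)((c->dr7 >> (2 * i)) & 3);          /* local or global bit */
        int is_exec = ((c->dr7 >> (16 + 4 * i)) & 3) == 0;
        if (!enabled || !is_exec) continue;
        for (unsigned t = 0; t < n; t++)
            if (dr[i] == targets[t]) hits |= 1u << t;
    }
    return hits;
}

int main(void) {
    /* Constructed scenario with made-up addresses for the two target exports. */
    uint64_t ntc = 0x7ffd00001000ull, asb = 0x7ffd00002000ull, targets[2] = { ntc, asb };
    ctx_t c = {0}; vm_t vm = {{0}};
    arm_hooks(&c, ntc, asb);

    /* A caller has just entered AmsiScanBuffer; the result slot holds "detected". */
    c.rip = asb; c.rsp = MEM_BASE + 0x100;
    *vm_at(&vm, c.rsp) = 0x7ffd00003333ull;        /* return address */
    *vm_at(&vm, c.rsp + 0x30) = MEM_BASE + 0x8;    /* &result */
    *vm_at(&vm, MEM_BASE + 0x8) = 32768;           /* AMSI_RESULT_DETECTED */
    veh_on_single_step(EXCEPTION_SINGLE_STEP, &c, &vm);

    printf("result=%llu rax=%llu rip=%llx hooked_mask=%u\n",
           (unsigned long long)*vm_at(&vm, MEM_BASE + 0x8), (unsigned long long)c.rax,
           (unsigned long long)c.rip, find_hw_hooks(&c, targets, 2));
    return 0;
}
```

The point of find_hw_hooks is that the hook leaves nothing to find in the code pages: the only evidence is in the thread's debug registers, so a scanner has to ask for CONTEXT_DEBUG_REGISTERS explicitly and compare DR0 to DR3 against the addresses of the exports it cares about, per thread, because the registers are thread-local.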
This hardware breakpoint approach has clear advantages over traditional code patching. It takes effect the moment the context is committed, it needs no writable code pages, and it leaves the bytes of amsi.dll and ntdll.dll untouched in memory, so integrity checks that compare a function's prologue against its on-disk image find nothing. The hook lives only in per-thread debug registers, which few security tools inspect by default. A practical countermeasure is to enumerate threads, call GetThreadContext with CONTEXT_DEBUG_REGISTERS, and alert on any thread whose DR7 enables a breakpoint in DR0 to DR3 that points into amsi.dll or ntdll.dll; a vectored exception handler registered from memory that is not backed by an image file is a second strong signal. Additionally, the malware employs a control flow redirection technique that manipulates the stack so that a stretch of code runs twice, which lets it hold back its primary malicious routines until an initial, innocuous-looking execution appears to have completed. Coupled with the legitimate printer driver execution and the COM object manipulation of the earlier stages, these evasion techniques stack several layers of obfuscation, delaying analysis and frustrating automated detection. Anyone writing detection rules or response playbooks for this malware now has to account for these low-level CPU register manipulations.
The analysis, performed by security researcher Dominik Reichel, highlights how threat actors continue to refine their evasion methods. By embedding its execution logic in the Windows COM subsystem, Kazuar v3 makes its activity look like legitimate system interaction, underscoring the need for defenses that adapt continuously. The ongoing evolution of Turla's tooling points to a persistent threat and a sustained commitment to keeping its operational capabilities ahead of evolving security measures.