Sunday 17 May 2026

Secret Blizzard's Kazuar Grows Up: Russia's Most Patient Backdoor Is Now a P2P Botnet

Secret Blizzard's Kazuar backdoor has evolved into a modular P2P botnet — and a critical NGINX flaw just got a public exploit while Microsoft quietly buried an Azure vulnerability report without a CVE.

Lead story

Russia's Secret Blizzard hacking group — the outfit behind some of the most disciplined long-term espionage campaigns on record — has overhauled its signature Kazuar backdoor into something considerably more dangerous: a modular, peer-to-peer botnet built for stealth, staying power, and sustained data collection.

Kazuar has been around since at least 2017, but this isn't a routine code refresh. The new architecture replaces the traditional command-and-control server model with a P2P mesh, meaning there's no single chokepoint for defenders to cut. Infected nodes relay instructions to each other, making it far harder to disrupt the operation or even detect it through network traffic analysis. Think of it less like a puppet on strings and more like a distributed leaderless cell.

The modular design adds another dimension. Rather than shipping a fat, detectable implant, Secret Blizzard can push targeted capability modules to specific compromised machines — only deploying what's needed for a given target. That keeps the footprint small and forensic analysis difficult. If you only ever deliver the keylogger module to one node, recovering the full toolkit from any single compromise is much harder.

Why this matters beyond the technical details. Secret Blizzard has historically gone after high-value government, defence, and critical infrastructure targets — including in NATO-aligned countries. The evolution to P2P architecture is a direct response to improved defender tooling: traditional C2 infrastructure gets flagged and sinkholed faster than it used to, so the group adapted. That's not surprising, but it's a signal that nation-state actors are actively re-engineering around defensive improvements rather than abandoning techniques that have been exposed.

For defenders, the immediate practical implication is that network-based detection alone is now insufficient against this class of threat. P2P botnets generate lateral traffic that mimics legitimate host-to-host communication. You need endpoint telemetry, behavioural baselines, and ideally some visibility into encrypted traffic patterns to have any hope of catching early-stage compromise.
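One way to act on the "behavioural baseline" point above, as an added example that is not part of the original brief and is unrelated to Kazuar's actual traffic: a per-host peer fan-out baseline over constructed internal flow records, flagging a workstation that suddenly contacts several internal peers it has never spoken to, which is what a node joining a mesh looks like while steady client-to-server traffic does not.

```python
from collections import defaultdict

# Constructed internal flow records (src_host, dst_host, day); not real telemetry.
BASELINE_FLOWS = [
    (src, dst, day)
    for day in (1, 2, 3)
    for src, dst in [
        ("ws-01", "fileserver"), ("ws-01", "dc-01"),
        ("ws-02", "fileserver"), ("ws-02", "dc-01"),
        ("ws-03", "fileserver"), ("ws-03", "dc-01"), ("ws-03", "printer"),
        ("fileserver", "dc-01"),
    ]
]
# Constructed "today": ws-01 starts talking to four workstations it never contacted before.
TODAY_FLOWS = [
    ("ws-01", "fileserver", 4), ("ws-01", "dc-01", 4), ("ws-01", "ws-02", 4),
    ("ws-01", "ws-03", 4), ("ws-01", "ws-04", 4), ("ws-01", "ws-05", 4),
    ("ws-02", "fileserver", 4), ("ws-02", "dc-01", 4), ("ws-02", "ws-01", 4),
    ("ws-03", "fileserver", 4), ("ws-03", "dc-01", 4), ("ws-03", "printer", 4),
    ("fileserver", "dc-01", 4),
]

def daily_peers(flows):
    """Map (src, day) -> set of distinct internal destinations seen that day."""
    peers = defaultdict(set)
    for src, dst, day in flows:
        peers[(src, day)].add(dst)
    return peers

def build_baseline(flows):
    """Per host: every peer ever seen, and the largest single-day peer count."""
    known, max_fanout = defaultdict(set), defaultdict(int)
    for (src, day), dsts in daily_peers(flows).items():
        known[src] |= dsts
        max_fanout[src] = max(max_fanout[src], len(dsts))
    return known, max_fanout

def flag_mesh_fanout(baseline, today_flows, min_new=3, ratio=2.0):
    """Flag hosts whose peer count jumps to at least `ratio` times their own
    baseline AND includes at least `min_new` never-seen peers; thresholds are
    illustrative and would be tuned per environment."""
    known, max_fanout = baseline
    alerts = {}
    for (src, _day), dsts in daily_peers(today_flows).items():
        new = dsts - known.get(src, set())
        if len(new) >= min_new and len(dsts) >= ratio * max(max_fanout.get(src, 0), 1):
            alerts[src] = {"fanout": len(dsts), "baseline": max_fanout.get(src, 0),
                           "new_peers": sorted(new)}
    return alerts
```

ws-02 also reaches one new peer today but stays within its own baseline, so only ws-01 is flagged; the point is the per-host comparison, not an absolute threshold.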

The Australian angle is real. Australia's Critical Infrastructure sector — energy, water, ports, financial services — is a known target for sophisticated state-linked groups. ACSC has previously warned of Secret Blizzard-linked tradecraft appearing in campaigns affecting Five Eyes partners. The SOCI Act requires operators of critical assets to maintain and test incident response plans; the Kazuar evolution is a timely reminder that "incident response plan" and "detects this class of threat" need to be the same sentence.

What to watch. Security researchers are still unpacking the full module catalogue. We don't yet have a complete picture of what capability sets Secret Blizzard is deploying against which target verticals. Expect further technical disclosures from threat intelligence firms in the coming weeks — and expect this infrastructure to show up in attribution reports tied to active intrusions that haven't been publicly attributed yet.

Also today

Critical NGINX Flaw Gets Public Exploit Code — Patch Now

A proof-of-concept exploit has been published for a critical-severity vulnerability in NGINX Plus and NGINX open source — a flaw that's been sitting in the codebase since 2008. The patch landed this week, but PoC code appearing publicly almost immediately after a patch drops is a reliable signal that exploitation attempts will follow within days. NGINX is one of the most widely deployed web servers on the planet, and Australian hosting providers and enterprises running it on-premises or in cloud environments should treat this as a priority update, not a routine maintenance item.

SecurityWeek

Microsoft Buried an Azure Vulnerability Report — and Won't Issue a CVE

A security researcher says Microsoft quietly fixed a critical vulnerability in Azure Backup for AKS after rejecting his report — and without issuing a CVE. Microsoft's official position is that no product changes were made and the behaviour was expected. The researcher documented evidence of a silent fix. This matters beyond the specific bug: CVE issuance is the mechanism by which defenders learn they need to patch. When vendors reject reports and ship silent fixes, the entire coordinated disclosure ecosystem breaks down. Australian organisations relying on Azure Backup for AKS should review their configurations regardless of Microsoft's public position.

Bleeping Computer

WordPress Funnel Builder Plugin Actively Exploited for Payment Card Skimming

Attackers are actively exploiting a critical flaw in the Funnel Builder plugin for WordPress to inject malicious JavaScript into WooCommerce checkout pages and steal payment card details in real time. There's no CVE assigned yet, but Sansec has published technical details. The attack pattern — plugin vuln plus skimmer injection — is one of the most reliable ways criminals target small e-commerce operators, many of whom run WooCommerce. Australian small businesses using this plugin stack should audit their checkout pages immediately and consider a web application firewall as a stopgap while a patch is pending.

The Hacker News

Cybercriminal Twins Undone by an Accidental Teams Recording

Two cybercriminals were caught after forgetting to stop a Microsoft Teams recording during what appears to have been an operational meeting. The Wired roundup also covers the conclusion of the Instructure Canvas ransomware case, the arrest of an alleged darknet market operator, and a supply chain attack that hit OpenAI workers. The Teams recording detail is almost too on-brand: sophisticated threat actors tripped up by the same conferencing gotcha that catches executives in earnings calls. Operational security is apparently hard for everyone.

WIRED Security

arXiv Will Ban Authors for a Year Over AI-Written Papers

The preprint repository arXiv is cracking down on what it calls careless use of large language models in scientific research. Under the new policy, authors who submit papers that are substantially or entirely AI-generated — rather than AI-assisted — face a 12-month ban. arXiv is a cornerstone of how the research community shares work ahead of formal peer review, and LLM-generated content flooding the repository has become a genuine quality signal problem. The move sets a clear line between using AI as a tool and outsourcing authorship entirely — a distinction many institutions are still struggling to define.

TechCrunch AI

Greg Brockman Returns to Take Charge of OpenAI's Product Strategy

OpenAI co-founder Greg Brockman, who took an extended leave last year, is reportedly stepping back into a hands-on role overseeing product strategy. The move comes as OpenAI plans to merge ChatGPT and its Codex programming product into a unified offering. Brockman's return adds a founder-level voice back into product decisions at a moment when the company is navigating rapid expansion, a high-profile trial involving Musk, and increasing scrutiny of its structure and direction. Whether his return signals a course correction or just a leadership reshuffle depends on which product decisions come next.

TechCrunch AI

The AI Gold Rush Is Great If You're Already In — Terrible If You're Not

A TechCrunch analysis makes the uncomfortable observation that the current AI boom is minting billionaires at the top while leaving the majority of the tech industry — and workers — largely behind. The piece points to widening gaps between the handful of companies with access to capital, compute, and talent versus everyone else. The "vibes," as the article puts it, are not great. It's a useful counterweight to the constant drumbeat of funding announcements and valuation milestones: AI is concentrating economic power fast, and the distribution question is getting harder to ignore.

TechCrunch

Anthropic's $1.5B Copyright Settlement Is Getting Complicated

A federal judge has delayed approval of Anthropic's $1.5 billion settlement with authors over training data copyright claims. The sticking point: lawyers are accused of rushing the deal to secure roughly $320 million in fees, while some authors argue the payouts for individual claimants are too low given the scale of the settlement. The case is one of the most significant AI copyright proceedings in progress, and how it resolves will shape how other AI companies think about — and negotiate around — their training data exposure. Australian authors and publishers have their own copyright exposure questions, though no equivalent settlement process is underway locally.

Ars Technica

YouTube Expands AI Deepfake Detection to All Adult Users

YouTube is rolling out its AI-powered likeness detection feature to all users aged 18 and over. The tool works by taking a selfie-style facial scan and then monitoring YouTube's catalogue for potential deepfakes of that person. If a match is found, the user is notified and can request removal. YouTube says removal request volumes have been "very low" relative to the user base so far. The expansion is notable in the Australian context given the Online Safety Act's evolving provisions around non-consensual intimate imagery and synthetic media — YouTube's tooling could become part of how platforms demonstrate compliance.

The Verge

Snap, YouTube, and TikTok Settle School District Lawsuit Over Social Media Harm

Snap, YouTube, and TikTok have settled a lawsuit brought by a Kentucky school district that alleged social media addiction was costing schools money and fuelling a student mental health crisis. Settlement terms haven't been disclosed. It's the first such suit to reach settlement, and it will likely trigger a wave of similar actions from other districts. The case echoes debates playing out in Australia, where the government has legislated a minimum age of 16 for social media access — one of the most aggressive youth-protection stances taken by any jurisdiction globally.

The Verge

AI Defenders Are Playing Catch-Up as AI Attackers Get Faster

A Dark Reading analysis argues that the rise of AI agents capable of autonomously discovering and exploiting obscure vulnerabilities — combined with a surge in AI-generated code that's subtly flawed — is fundamentally changing the economics of attack versus defence. The piece isn't breathless about it: the core point is that the "boring" parts of security (patch management, asset inventory, code review) have become acutely dangerous because AI can now find and weaponise gaps in all of them faster than human teams can close them. It's a useful framing for security leaders trying to make the case for investment in foundational hygiene.

Dark Reading
