Operation Kazuar Trojan Masks As Sysinternals
The Turla group has changed its Kazuar backdoor and used a newer .NET obfuscator to make analysis more difficult. The actor uses the well-known Sysinternals brand to pass the files off as Sysinternals tools; however, a quick analysis proves otherwise. McAfee's telemetry shows activity from July 2019 to mid-2020 for some of the samples; however, the reporting rate is low, that is, a very specific and targeted use of the trojan.
| Name | Modified Date | Sources |
| --- | --- | --- |
| Operation Kazuar Trojan Masks As Sysinternals | 2020-06-19 | |