Cybersecurity researchers have discerned proof of two Russian hacking teams Gamaredon and Turla collaborating collectively to focus on and co-comprise Ukrainian entities.
Slovak cybersecurity firm ESET mentioned it noticed the Gamaredon instruments PteroGraphin and PteroOdd getting used to execute Turla group’s Kazuar backdoor on an endpoint in Ukraine in February 2025, indicating that Turla could be very seemingly actively collaborating with Gamaredon to achieve entry to particular machines in Ukraine and ship the Kazuar backdoor.
“PteroGraphin was used to restart the Kazuar v3 backdoor, presumably after it crashed or was not launched routinely,” ESET mentioned in a report shared with The Hacker Information. “Thus, PteroGraphin was most likely used as a restoration technique by Turla.”
In a separate occasion in April and June 2025, ESET mentioned it additionally detected the deployment of Kazuar v2 by means of two different Gamaredon malware households tracked as PteroOdd and PteroPaste.
Each Gamaredon (aka Aqua Blizzard and Armageddon) and Turla (aka Secret Blizzard and Venomous Bear) are assessed to be affiliated with the Russian Federal Safety Service (FSB), and are recognized for his or her assaults concentrating on Ukraine.
“Gamaredon has been lively since no less than 2013. It’s answerable for many assaults, principally in opposition to Ukrainian governmental establishments,” ESET mentioned.
“Turla, often known as Snake, is an notorious cyber espionage group that has been lively since no less than 2004, presumably extending again into the late Nineties. It primarily focuses on high-profile targets, akin to governments and diplomatic entities, in Europe, Central Asia, and the Center East. It’s recognized for having breached main organizations such because the US Division of Protection in 2008 and the Swiss protection firm RUAG in 2014.”
The cybersecurity firm mentioned Russia’s full-scale invasion of Ukraine in 2022 seemingly fueled this convergence, with the assaults primarily specializing in the Ukrainian protection sector in current months.
One in all Turla’s staple implants is Kazuar, a continuously up to date malware that has beforehand leveraged Amadey bots to deploy a backdoor known as Tavdig, which then drops the .NET-based software. Early artifacts related to the malware have been noticed within the wild way back to 2016, per Kaspersky.
PteroGraphin, PteroOdd, and PteroPaste, however, are a part of a rising arsenal of instruments developed by Gamaredeon to ship extra payloads. PteroGraphin is a PowerShell software that makes use of Microsoft Excel add-ins and scheduled duties as a persistence mechanism and makes use of the Telegraph API for command-and-control (C2). It was first found in August 2024.
The precise preliminary entry vector utilized by Gamaredon is just not clear, however the group has a historical past of utilizing spear-phishing and malicious LNK information on detachable drives utilizing instruments like PteroLNK for propagation.
In all, Turla-related indicators have been detected on seven machines in Ukraine over the previous 18 months, out of which 4 had been breached by Gamaredon in January 2025. The deployment of the newest model of Kazuar (Kazuar v3) is claimed to have taken place in direction of the top of February.
“Kazuar v2 and v3 are essentially the identical malware household and share the identical codebase,” ESET mentioned. “Kazuar v3 contains round 35% extra C# strains than Kazuar v2 and introduces extra community transport strategies: over net sockets and Trade Internet Companies.”
The assault chain concerned Gamaredon deploying PteroGraphin, which was used to obtain a PowerShell downloader dubbed PteroOdd that, in flip, retrieved a payload from Telegraph to execute Kazuar. The payload can be designed to collect and exfiltrate the sufferer’s pc title and system drive’s quantity serial quantity to a Cloudflare Staff sub-domain, earlier than launching Kazuar.
That mentioned, it is essential to notice right here that there are indicators suggesting Gamaredon downloaded Kazuar, because the backdoor is claimed to have been current on the system since February 11, 2025.
In an indication that this was not an remoted phenomenon, ESET revealed that it recognized one other PteroOdd pattern on a special machine in Ukraine in March 2025, on which Kazuar was additionally current. The malware is able to harvesting a variety of system info, together with a listing of put in .NET variations, and transmitting them to an exterior area (“eset.ydns[.]eu”).
The truth that Gamaredon’s toolset lacks any .NET malware and Turla’s Kazuar is predicated in .NET suggests this information gathering step is probably going meant for Turla, the corporate assessed with medium confidence.
The second set of assaults was detected in mid-April 2025, when PteroOdd was used to drop one other PowerShell downloader codenamed PteroEffigy, which in the end contacted the “eset.ydns[.]eu” area to ship Kazuar v2 (“scrss.ps1”), which was documented by Palo Alto Networks in late 2023.
ESET mentioned it additionally detected a 3rd assault chain on June 5 and 6, 2025, it noticed a PowerShell downloader known as PteroPaste being employed to drop and set up Kazuar v2 (“ekrn.ps1”) from the area “91.231.182[.]187” on two machines situated in Ukraine. The usage of the title “ekrn” is presumably an try by menace actors to masquerade as “ekrn.exe,” a official binary related to ESET endpoint safety merchandise.
“We now consider with excessive confidence that each teams – individually related to the FSB – are cooperating and that Gamaredon is offering preliminary entry to Turla,” ESET researchers Matthieu Faou and Zoltán Rusnák mentioned.
