In this blogpost, we reveal the first documented instances of collaboration between Gamaredon and Turla in Ukraine.
Key points of this blogpost:
- In February 2025, the Gamaredon tool PteroGraphin was used to restart Turla’s Kazuar backdoor on a machine in Ukraine.
- In April and June 2025, Kazuar v2 was deployed using Gamaredon tools PteroOdd and PteroPaste.
- These findings indicate a high likelihood of collaboration between Gamaredon and Turla.
- Turla’s victim count is significantly lower than Gamaredon’s, suggesting a focus on valuable targets.
- Both groups have ties to the FSB, Russia’s main domestic intelligence and security agency.
Threat actor profiles
Gamaredon
Active since at least 2013, Gamaredon has targeted Ukrainian governmental institutions, as reported by CERT-UA and other Ukrainian bodies. The group has been linked to the FSB’s Center 18 of Information Security in Crimea.
Turla
Also known as Snake, Turla is a long-standing cyberespionage group targeting high-profile entities in Europe, Central Asia, and the Middle East. Turla has a history of breaching major organizations, including the US Department of Defense and Swiss defense company RUAG.
Overview
In February 2025, ESET telemetry detected several Gamaredon-Turla co-compromises in Ukraine, with Gamaredon deploying various tools while Turla only deployed Kazuar v3.
Further analysis revealed the use of PteroGraphin by Turla to restart Kazuar, indicating a collaboration between the two groups.
In subsequent months, Kazuar v2 installers were deployed by Gamaredon tools, showing active collaboration between Turla and Gamaredon.
Victimology
Over the past 18 months, Turla has been detected on seven machines in Ukraine; in each case Gamaredon had compromised the machine first, and Turla then deployed Kazuar v3.
Notably, Turla’s presence in Ukraine had been minimal before these recent incidents.
These findings suggest that Turla selectively targets specific machines of high importance, while Gamaredon compromises a larger number of machines.
Attribution
Gamaredon
Unique tools such as PteroLNK, PteroStew, and PteroGraphin were detected in Gamaredon compromises.
Turla
Exclusive tools like Kazuar v2 and Kazuar v3 were attributed to Turla.
Gamaredon-Turla collaboration hypotheses
Past collaborations between Gamaredon and InvisiMole suggest a pattern of collaboration with Russia-aligned threat actors. Turla is known to hijack other threat actors’ infrastructure for espionage purposes.
Based on these observations, three hypotheses are proposed to explain the collaboration between Gamaredon and Turla.
Considering Gamaredon’s tendency to be noisy, we doubt it would exercise the caution needed to deploy Kazuar on only a limited number of victims. Why two different KERNEL Kazuar v3 payloads were present on the same machine remains unclear.
An HTTP POST request carrying a list of running processes was also sent to https://eset.ydns[.]eu/post.php to confirm that Kazuar had launched successfully. Another PteroOdd sample, detected on a different machine in Ukraine on March 10th, 2025, interacted with eset.ydns[.]eu but not with any Turla sample. We suspect that eset.ydns[.]eu is controlled by Turla: there is currently no indication that Gamaredon uses any .NET tool, whereas Turla is known to use such tools, Kazuar included. The use of eset.ydns[.]eu for uploading information therefore suggests a connection to Turla, with medium confidence. Separately, a new downloader named PteroEffigy was identified; it uses api.gofile[.]io.
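As an added example from a defender's standpoint (this is not ESET's code), the following Python scans constructed proxy log lines for the two network indicators named above, counts hits per source host, and orders the hosts for triage. The log format, the host names and the `scan`/`prioritise` helpers are assumptions for the example.

```python
import re
from collections import defaultdict

# Network indicators quoted in the post, kept defanged; refanged only for matching.
INDICATORS = {
    "eset.ydns[.]eu": "PteroOdd upload domain (suspected Turla-controlled)",
    "api.gofile[.]io": "PteroEffigy download domain",
}
TURLA_LINKED = "eset.ydns[.]eu"

def refang(domain: str) -> str:
    return domain.replace("[.]", ".")

# Constructed sample proxy log: "<timestamp> <source host> <method> <url> <status>".
SAMPLE_LOG = """\
2025-03-10T09:12:01Z ws-0142 POST https://eset.ydns.eu/post.php 200
2025-03-10T09:12:40Z ws-0142 GET https://api.gofile.io/getServer 200
2025-03-10T09:13:05Z ws-0377 GET https://example.org/index.html 200
2025-03-10T09:14:22Z ws-0377 GET https://api.gofile.io/getServer 200
2025-03-10T09:15:00Z ws-0512 POST https://update.example.net/check 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""

def scan(log_text: str) -> dict:
    """Return {source host: {defanged indicator: count}} for lines reaching an indicator."""
    lookup = {refang(d): d for d in INDICATORS}
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not fit the constructed format
        _ts, src, _method, url, _status = m.groups()
        dst = host_of(url)
        if dst in lookup:
            hits[src][lookup[dst]] += 1
    return {src: dict(counts) for src, counts in hits.items()}

def prioritise(hits: dict) -> list:
    """Triage order: hosts that reached the suspected Turla-controlled domain come first,
    since the post reads that as the hand-off point to the more selective actor."""
    return sorted(hits, key=lambda h: (TURLA_LINKED not in hits[h], h))

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for src in prioritise(found):
        print(src, {INDICATORS[d]: n for d, n in found[src].items()})
```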
The latest version of Kazuar, Kazuar v3, is believed to be used exclusively by Turla and was detected on multiple machines in Ukraine. Kazuar v3 contains more lines of C# code than Kazuar v2 and introduces new network transport methods. It also distinguishes roles such as KERNEL, BRIDGE, and WORKER, each with specific functionality. Kazuar v2, by contrast, was deployed by Gamaredon on behalf of Turla via PteroOdd and PteroPaste on separate occasions, again indicating collaboration between the two groups. Turla was also observed using compromised WordPress servers as C&C servers for Kazuar v2.
In conclusion, Turla leveraged Gamaredon’s implants to deploy Kazuar v3 and Kazuar v2 on machines in Ukraine, suggesting a cooperative relationship between the two groups associated with the FSB. For further inquiries about the research, contact threatintel@eset.com. ESET Research provides private APT intelligence reports and data feeds. If you have any questions about this service, feel free to check out the ESET Threat Intelligence page for more information.
IoCs
If you’re looking for a detailed list of indicators of compromise (IoCs) and samples, head over to our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
MITRE ATT&CK techniques
Check out the table below, based on version 17 of the MITRE ATT&CK framework:
| Tactic | ID | Name | Description |
|---|---|---|---|
For more details and insights, make sure to visit the ESET Threat Intelligence page.