Cyber Web Spider Blog – News

Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine

Posted on September 19, 2025 by CWS

Cybersecurity researchers have uncovered evidence of two Russian hacking groups, Gamaredon and Turla, working together to target and co-compromise Ukrainian entities.
Slovak cybersecurity company ESET said it observed the Gamaredon tools PteroGraphin and PteroOdd being used to execute the Turla group's Kazuar backdoor on an endpoint in Ukraine in February 2025, indicating that Turla is very likely actively collaborating with Gamaredon to gain access to specific machines in Ukraine and deliver the Kazuar backdoor.
"PteroGraphin was used to restart the Kazuar v3 backdoor, probably after it crashed or was not launched automatically," ESET said in a report shared with The Hacker News. "Thus, PteroGraphin was probably used as a recovery method by Turla."
In separate instances in April and June 2025, ESET said it also detected the deployment of Kazuar v2 via two other Gamaredon malware families, tracked as PteroOdd and PteroPaste.
Both Gamaredon (aka Aqua Blizzard and Armageddon) and Turla (aka Secret Blizzard and Venomous Bear) are assessed to be affiliated with the Russian Federal Security Service (FSB), and both are known for their attacks targeting Ukraine.

"Gamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian governmental institutions," ESET said.
"Turla, also known as Snake, is an infamous cyber espionage group that has been active since at least 2004, possibly extending back into the late 1990s. It primarily focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. It is known for having breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014."
The cybersecurity company said Russia's full-scale invasion of Ukraine in 2022 likely fueled this convergence, with the attacks primarily focusing on the Ukrainian defense sector in recent months.
One of Turla's staple implants is Kazuar, a regularly updated piece of malware. In earlier campaigns Turla leveraged Amadey bots to deploy a backdoor called Tavdig, which then dropped Kazuar, a .NET-based tool. Early artifacts associated with the malware have been observed in the wild as far back as 2016, per Kaspersky.

PteroGraphin, PteroOdd, and PteroPaste, on the other hand, are part of a growing arsenal of tools developed by Gamaredon to deliver additional payloads. PteroGraphin is a PowerShell tool that uses Microsoft Excel add-ins and scheduled tasks as a persistence mechanism and uses the Telegraph API for command-and-control (C2). It was first discovered in August 2024.
The exact initial access vector used by Gamaredon is not clear, but the group has a history of using spear-phishing and of propagating via malicious LNK files on removable drives with tools like PteroLNK.
In all, Turla-related indicators were detected on seven machines in Ukraine over the past 18 months, four of which had been breached by Gamaredon in January 2025. The deployment of the latest version of Kazuar (Kazuar v3) is said to have taken place toward the end of February.
"Kazuar v2 and v3 are essentially the same malware family and share the same codebase," ESET said. "Kazuar v3 contains around 35% more C# lines than Kazuar v2 and introduces additional network transport methods: over web sockets and Exchange Web Services."
The attack chain involved Gamaredon deploying PteroGraphin, which was used to download a PowerShell downloader dubbed PteroOdd that, in turn, retrieved a payload from Telegraph to execute Kazuar. The payload is also designed to gather the victim's computer name and the system drive's volume serial number and exfiltrate them to a Cloudflare Workers sub-domain before launching Kazuar.
That said, it is important to note that there are no indications that Gamaredon downloaded Kazuar itself: the backdoor is said to have been present on the system since February 11, 2025, so PteroGraphin's role here was to relaunch an implant that was already installed.
In a sign that this was not an isolated phenomenon, ESET revealed that it identified another PteroOdd sample on a different machine in Ukraine in March 2025, on which Kazuar was also present. The malware is capable of harvesting a range of system information, including a list of installed .NET versions, and transmitting it to an external domain ("eset.ydns[.]eu").

The fact that Gamaredon's toolset contains no .NET malware, while Turla's Kazuar is written in .NET, suggests this data-gathering step is most likely intended for Turla, the company assessed with medium confidence.
The second set of attacks was detected in mid-April 2025, when PteroOdd was used to drop another PowerShell downloader codenamed PteroEffigy, which ultimately contacted the "eset.ydns[.]eu" domain to deliver Kazuar v2 ("scrss.ps1"), the version documented by Palo Alto Networks in late 2023.
ESET said it also detected a third attack chain on June 5 and 6, 2025, in which a PowerShell downloader called PteroPaste was used to drop and install Kazuar v2 ("ekrn.ps1") from the IP address 91.231.182[.]187 on two machines located in Ukraine. The use of the name "ekrn" is possibly an attempt by the threat actors to masquerade as "ekrn.exe," a legitimate binary associated with ESET endpoint security products.
"We now believe with high confidence that both groups – individually linked to the FSB – are cooperating and that Gamaredon is providing initial access to Turla," ESET researchers Matthieu Faou and Zoltán Rusnák said.
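The report gives defenders a small but concrete set of observables: the delivery domain and IP address, the loader names "scrss.ps1" and "ekrn.ps1", PowerShell fetching payloads from the Telegraph API, and PteroGraphin's Excel add-in persistence. The following Python is an added example, not code from ESET or The Hacker News, that turns those observables into triage rules and runs them over constructed Sysmon-style events (invented for illustration, not victim data). It assumes api.telegra.ph / telegra.ph is the Telegraph API endpoint, which the report does not spell out, and it generalises the "ekrn" masquerade into a check for any PowerShell script named after a known security binary.

```python
"""Triage constructed endpoint telemetry against the Kazuar delivery
indicators in the ESET report. Added example; events are invented and
the assumptions are marked in comments."""
import json
import re
from pathlib import PureWindowsPath

# Delivery infrastructure named in the report (defanging brackets removed).
IOC_DOMAINS = {"eset.ydns.eu"}
IOC_IPS = {"91.231.182.187"}
# The report says PteroGraphin/PteroOdd fetch payloads via the Telegraph API.
# Treating these hosts as that endpoint is an assumption of this example.
TELEGRAPH_HOSTS = {"api.telegra.ph", "telegra.ph"}
# Kazuar v2 loader script names reported by ESET.
KNOWN_LOADER_SCRIPTS = {"scrss.ps1", "ekrn.ps1"}
# Security binaries a loader may imitate; ekrn.exe is ESET's, per the report.
MIMICKED_BINARY_STEMS = {"ekrn"}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
PS1_TOKEN = re.compile(r'"?([^"\s]+\.ps1)"?', re.IGNORECASE)


def _basename(path):
    """Lower-cased final component of a Windows path ('' if empty/None)."""
    return PureWindowsPath((path or "").strip('"')).name.lower()


def _script_in_cmdline(cmdline):
    """Basename of the first .ps1 argument on a command line, or None."""
    match = PS1_TOKEN.search(cmdline or "")
    return _basename(match.group(1)) if match else None


def check_event(event):
    """Apply the report-derived rules to one event; returns [(rule, detail)]."""
    hits = []
    image = _basename(event.get("image"))
    if event.get("type") == "network":
        host = (event.get("dest_host") or "").lower()
        ip = event.get("dest_ip") or ""
        if host in IOC_DOMAINS or ip in IOC_IPS:
            hits.append(("kazuar_delivery_infra", f"{image} -> {host or ip}"))
        if image in POWERSHELL_IMAGES and host in TELEGRAPH_HOSTS:
            hits.append(("powershell_telegraph_fetch", f"{image} -> {host}"))
    elif event.get("type") == "process" and image in POWERSHELL_IMAGES:
        script = _script_in_cmdline(event.get("cmdline"))
        if script:
            if script in KNOWN_LOADER_SCRIPTS:
                hits.append(("known_kazuar_loader_name", script))
            if script.rsplit(".", 1)[0] in MIMICKED_BINARY_STEMS:
                hits.append(("masquerades_as_security_binary", script))
        if _basename(event.get("parent_image")) == "excel.exe":
            # PteroGraphin persists via Excel add-ins: PowerShell under Excel
            # is a weak signal on its own, so report it for a human to review.
            hits.append(("powershell_spawned_by_excel", event.get("cmdline", "")))
    return hits


def triage(json_lines):
    """Run check_event over newline-delimited JSON events; returns finding dicts."""
    findings = []
    for lineno, line in enumerate(json_lines, 1):
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, detail in check_event(event):
            findings.append({"line": lineno, "host": event.get("host"),
                             "rule": rule, "detail": detail})
    return findings


# Constructed sample telemetry (Sysmon-like fields), not real victim data.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-17", "image": PS_EXE,
     "cmdline": r"powershell.exe -ep bypass -w hidden -File C:\Users\Public\ekrn.ps1",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "host": "ws-17", "image": PS_EXE,
     "dest_host": "", "dest_ip": "91.231.182.187", "dest_port": 443},
    {"type": "network", "host": "ws-22", "image": PS_EXE,
     "dest_host": "api.telegra.ph", "dest_ip": "", "dest_port": 443},
    {"type": "process", "host": "ws-22", "image": PS_EXE,
     "cmdline": r"powershell.exe -nop -w hidden -File C:\Users\alice\AppData\Roaming\update.ps1",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "process", "host": "ws-05", "image": PS_EXE,  # benign admin script
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "ws-05",  # the genuine ESET service, not a script
     "image": r"C:\Program Files\ESET\ESET Security\ekrn.exe",
     "cmdline": r"C:\Program Files\ESET\ESET Security\ekrn.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"line {f['line']:>2} {f['host']:<6} {f['rule']:<32} {f['detail']}")
```

Only the first two rules are high-confidence matches on the report's own infrastructure; the Telegraph, Excel-parent and name-masquerade rules are heuristics that will also fire on legitimate automation, so treat them as leads to correlate with the IOC hits on the same host rather than as verdicts.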

Source: The Hacker News