Russian Hackers Gamaredon And Turla Join Forces To Deploy Kazuar Backdoor In Ukraine

Cybersecurity researchers have uncovered strong indications that two well-known Russian threat groups, Gamaredon and Turla, are actively working together to target Ukrainian systems.

According to Slovak cybersecurity company ESET, the Gamaredon toolset (notably PteroGraphin and PteroOdd) was leveraged in February 2025 to run Turla’s Kazuar backdoor on a Ukrainian endpoint. This suggests that Turla is not only collaborating with Gamaredon but also depending on them to gain entry into specific systems.

“PteroGraphin was observed restarting the Kazuar v3 backdoor, likely after a crash or failed launch. This points to PteroGraphin being used as a recovery mechanism,” ESET noted in its report shared with The Hacker News.

Multiple Deployment Campaigns

ESET’s research revealed that Kazuar was deployed in three separate attack chains:

  1. February 2025 – Gamaredon used PteroGraphin and PteroOdd to execute Kazuar v3.
  2. April 2025 – PteroOdd downloaded another PowerShell script (PteroEffigy) that fetched Kazuar v2 from eset.ydns[.]eu.
  3. June 2025 – PteroPaste was used to deliver Kazuar v2 (ekrn.ps1) from IP address 91.231.182[.]187.

The naming of ekrn.ps1 is believed to be an attempt to imitate ekrn.exe, a legitimate binary linked to ESET endpoint security.
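For defenders, the three chains above boil down to two checks: a match on the network indicators the report names, and a filename-masquerading rule that catches a script borrowing the stem of a legitimate security binary (ekrn.ps1 versus ekrn.exe). The following is an added example, not code from the article or from ESET; the log lines are constructed, the log format is hypothetical, and the only indicators used are the two quoted above, refanged so they match real log fields.

```python
"""Indicator and name-masquerading check for the Gamaredon/Turla chains above.

Added example; the log lines and their format are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Network indicators quoted in the article, refanged so they match raw log fields.
KNOWN_IOCS = {
    "eset.ydns.eu": "PteroEffigy staging host for Kazuar v2 (April 2025)",
    "91.231.182.187": "PteroPaste delivery of ekrn.ps1 / Kazuar v2 (June 2025)",
}

# Stems of legitimate security-product binaries an attacker may imitate.
# Only the stem is compared, so ekrn.ps1 is flagged while ekrn.exe is not.
PROTECTED_BINARY_STEMS = {"ekrn"}
SCRIPT_EXTENSIONS = {".ps1", ".vbs", ".js", ".bat", ".cmd"}

# Pull anything that looks like a script or executable name out of a log line
# (path separators are excluded from the character class, so only the basename matches).
_FILENAME_RE = re.compile(r"([\w.-]+\.(?:ps1|vbs|js|bat|cmd|exe))", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str      # "ioc" or "masquerade"
    detail: str


def masquerades_as_binary(filename: str) -> bool:
    """True if a script file reuses the stem of a known security-product binary."""
    name = filename.lower()
    if "." not in name:
        return False
    stem, ext = name.rsplit(".", 1)
    return stem in PROTECTED_BINARY_STEMS and f".{ext}" in SCRIPT_EXTENSIONS


def scan_log(lines):
    """Return one Finding per indicator hit or masquerading filename, in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        for ioc, desc in KNOWN_IOCS.items():
            if ioc in line:
                findings.append(Finding(n, "ioc", f"{ioc}: {desc}"))
        for fname in _FILENAME_RE.findall(line):
            if masquerades_as_binary(fname):
                stem = fname.rsplit(".", 1)[0]
                findings.append(Finding(n, "masquerade", f"{fname} mimics {stem}.exe"))
    return findings


# Constructed sample: a proxy fetch of the June 2025 payload, the script being run,
# the genuine ESET service binary, the April 2025 staging host, and benign traffic.
SAMPLE_LOG = [
    "2025-06-12T09:14:03Z proxy GET http://91.231.182.187/ekrn.ps1 status=200",
    "2025-06-12T09:14:05Z edr process powershell.exe -ep bypass -File C:\\Users\\Public\\ekrn.ps1",
    "2025-06-12T09:15:00Z edr process C:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
    "2025-04-03T11:02:44Z proxy GET http://eset.ydns.eu/update status=200",
    "2025-06-12T10:00:00Z proxy GET https://www.example.com/index.html status=200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.kind}] {f.detail}")
```

The masquerade rule deliberately ignores the directory: the point is that a PowerShell script carrying a vendor binary's name is suspicious wherever it sits, whereas the real ekrn.exe under the ESET install path produces no finding.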

Gamaredon And Turla: Background

  • Gamaredon (also known as Aqua Blizzard or Armageddon) has been active since 2013, mainly attacking Ukrainian government institutions. It frequently relies on spear-phishing and malicious LNK files for initial access.
  • Turla (also called Secret Blizzard, Venomous Bear, or Snake) has operated since at least 2004, possibly earlier. Its campaigns have targeted high-profile government and diplomatic entities across Europe, Central Asia, and the Middle East. Turla is notorious for breaching the U.S. Department of Defense (2008) and Swiss defense firm RUAG (2014).

Both groups are widely believed to be tied to Russia’s Federal Security Service (FSB).

The Role Of Kazuar

Kazuar, one of Turla’s flagship implants, is a .NET-based backdoor that has evolved since at least 2016. Its newer variant, Kazuar v3, introduces more than 35% additional C# code compared to v2, along with advanced network transport mechanisms (including WebSockets and Exchange Web Services).

Gamaredon’s arsenal, including PteroGraphin, PteroOdd, and PteroPaste, has been used to deliver Kazuar payloads. PteroGraphin, first identified in August 2024, relies on Microsoft Excel add-ins, scheduled tasks, and the Telegram API for persistence and command-and-control.

Strategic Collaboration

ESET’s findings show that:

  • Over the last 18 months, Turla-related indicators appeared on at least seven Ukrainian machines.
  • Four of these were already breached by Gamaredon as early as January 2025.
  • Kazuar was present on some systems as early as February 11, 2025, raising the likelihood that Gamaredon delivered it directly.

ESET researchers Matthieu Faou and Zoltán Rusnák concluded with high confidence that Gamaredon is providing initial access for Turla operations, making their collaboration an escalating threat to Ukraine’s defense sector.