Russian Cyber Groups Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine

In a significant development in cyber espionage, two Russian state-sponsored hacking groups, Gamaredon and Turla, have been observed collaborating to infiltrate Ukrainian entities. This partnership marks a notable escalation in coordinated cyber operations targeting Ukraine.

Slovak cybersecurity firm ESET reported that in February 2025, Gamaredon’s tools, PteroGraphin and PteroOdd, were utilized to execute Turla’s Kazuar backdoor on a Ukrainian endpoint. This indicates a probable active collaboration between the two groups to gain access to specific Ukrainian systems and deploy the Kazuar backdoor.

PteroGraphin was employed to restart the Kazuar v3 backdoor, possibly after it crashed or failed to launch automatically. This suggests that PteroGraphin served as a recovery method for Turla.

Further instances in April and June 2025 revealed the deployment of Kazuar v2 through other Gamaredon malware families, PteroOdd and PteroPaste.

Background on Gamaredon and Turla

Both Gamaredon (also known as Aqua Blizzard and Armageddon) and Turla (also referred to as Secret Blizzard and Venomous Bear) are linked to Russia’s Federal Security Service (FSB) and have a history of targeting Ukraine.

Gamaredon has been active since at least 2013, primarily attacking Ukrainian governmental institutions. Turla, also known as Snake, is an infamous cyber espionage group active since at least 2004, possibly extending back into the late 1990s. It mainly focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. Notably, Turla breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

The full-scale invasion of Ukraine by Russia in 2022 likely intensified this convergence, with recent attacks primarily focusing on the Ukrainian defense sector.

Kazuar Backdoor and Gamaredon’s Toolset

Turla’s Kazuar is a frequently updated, .NET-based backdoor. In earlier campaigns Turla leveraged Amadey bots to deploy a backdoor called Tavdig, which in turn dropped Kazuar. Early artifacts associated with the malware have been spotted in the wild as far back as 2016.

Gamaredon’s tools, PteroGraphin, PteroOdd, and PteroPaste, are part of a growing arsenal developed to deliver additional payloads. PteroGraphin is a PowerShell tool that uses Microsoft Excel add-ins and scheduled tasks as a persistence mechanism and utilizes the Telegraph API for command-and-control (C2). It was first discovered in August 2024.

The exact initial access vector used by Gamaredon remains unclear, but the group has a history of employing spear-phishing and malicious LNK files on removable drives, using tools like PteroLNK for propagation.

Recent Attacks and Implications

Over the past 18 months, Turla-related indicators have been detected on seven machines in Ukraine, four of which were breached by Gamaredon in January 2025. The deployment of the latest version of Kazuar (Kazuar v3) occurred towards the end of February.

Kazuar v2 and v3 are fundamentally the same malware family and share the same codebase. Kazuar v3 comprises around 35% more C# lines than Kazuar v2 and introduces additional network transport methods: over web sockets and Exchange Web Services.

The attack chain involved Gamaredon deploying PteroGraphin, which downloaded a PowerShell downloader dubbed PteroOdd. PteroOdd then retrieved a payload from Telegraph to execute Kazuar. The payload is also designed to gather and exfiltrate the victim’s computer name and system drive’s volume serial number.
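The chain described above leaves two observable traces a defender can correlate: PowerShell started by the Task Scheduler (or referencing an Excel add-in) and that same PowerShell process talking to the Telegraph API. The hunt below is an added example, not ESET’s or Gamaredon’s code; it assumes a constructed, Sysmon-like flattened event shape, and `api.telegra.ph` is the public Telegraph API host, not an indicator taken from the report.

```python
"""Correlate PteroGraphin-style persistence and C2 signals per host.
Event fields are a constructed, Sysmon-like flattening; adapt them to
your own telemetry pipeline."""
import re
from collections import defaultdict

SCHEDULER_PARENT = re.compile(r"svchost\.exe.*-s Schedule", re.I)   # Task Scheduler host
EXCEL_ADDIN = re.compile(r"\.xlam?\b|\\XLSTART\\", re.I)             # Excel add-in/startup path
TELEGRAPH_HOST = re.compile(r"(^|\.)telegra\.ph$", re.I)            # public Telegraph API domain

def classify(ev):
    """Return the set of indicator tags a single event matches."""
    tags = set()
    img = ev.get("Image", "").lower()
    if ev["EventType"] == "ProcessCreate" and img.endswith("powershell.exe"):
        if SCHEDULER_PARENT.search(ev.get("ParentCommandLine", "")):
            tags.add("powershell_from_scheduled_task")
        if EXCEL_ADDIN.search(ev.get("CommandLine", "")):
            tags.add("excel_addin_reference")
    if ev["EventType"] == "NetworkConnect" and img.endswith("powershell.exe"):
        if TELEGRAPH_HOST.search(ev.get("DestinationHostname", "")):
            tags.add("powershell_to_telegraph_api")
    return tags

def hunt(events):
    """Flag hosts showing both a persistence signal and Telegraph C2 from PowerShell."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["Computer"]] |= classify(ev)
    persistence = {"powershell_from_scheduled_task", "excel_addin_reference"}
    return {h: sorted(t) for h, t in per_host.items()
            if t & persistence and "powershell_to_telegraph_api" in t}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not data from the ESET report
    {"Computer": "WS-01", "EventType": "ProcessCreate", "Image": PS,
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": r"powershell.exe -w hidden -c . C:\Users\u\AppData\Roaming\Microsoft\Excel\XLSTART\a.xlam"},
    {"Computer": "WS-01", "EventType": "NetworkConnect", "Image": PS,
     "DestinationHostname": "api.telegra.ph", "DestinationPort": 443},
    {"Computer": "WS-02", "EventType": "ProcessCreate", "Image": PS,   # benign scheduled admin script
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": r"powershell.exe -f C:\Scripts\cleanup.ps1"},
    {"Computer": "WS-03", "EventType": "NetworkConnect",              # browser, not PowerShell
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "telegra.ph", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

Only WS-01 is flagged: a scheduled PowerShell run alone (WS-02) or a browser visiting Telegraph (WS-03) is ordinary activity, so the rule requires both signals from PowerShell on the same host.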

This collaboration between Gamaredon and Turla underscores the evolving nature of cyber threats and the increasing sophistication of state-sponsored cyber operations. It highlights the need for heightened vigilance and robust cybersecurity measures to protect against such coordinated attacks.