Gamaredon X Turla collaboration
Sept. 29, 2025, 9:22 a.m.
Description
ESET Research has uncovered collaboration between notorious APT groups Gamaredon and Turla, both associated with Russia's FSB, targeting high-profile victims in Ukraine. The research reveals Gamaredon tools being used to restart and deploy Turla's Kazuar backdoor on compromised machines. This marks the first known instance of cooperation between these groups, with Turla selectively choosing valuable targets from Gamaredon's numerous compromises. The collaboration involves the use of various Gamaredon tools like PteroGraphin, PteroOdd, and PteroPaste to facilitate Turla's operations. The report details multiple attack chains, including the restart of Kazuar v3 and deployment of Kazuar v2, demonstrating a sophisticated level of coordination between the two threat actors.
Tags
Date
- Created: Sept. 27, 2025, 4:01 a.m.
- Published: Sept. 27, 2025, 4:01 a.m.
- Modified: Sept. 29, 2025, 9:22 a.m.
Attack Patterns
- PteroEffigy
- PteroPaste
- PteroOdd
- PteroStew
- PteroGraphin
- Kazuar - S0265
- Gamaredon, Turla
Additional Information
- Defense
- Government
- Ukraine