FSB-linked Turla teams with Gamaredon in Ukraine

September 19, 2025 at 12:00 AM

ESET Research reveals the first documented collaboration between Russia-aligned APTs Turla and Gamaredon inside Ukraine, confirming cross-team operations to reestablish and deploy the Kazuar backdoor on select, high-value systems.

Key takeaways

  • February 2025: Gamaredon’s PteroGraphin was used to restart Turla’s Kazuar v3 on a Ukrainian machine.
  • April and June 2025: Gamaredon tools PteroOdd and PteroPaste deployed Kazuar v2 for Turla.
  • Turla targeted a tiny subset of Gamaredon-compromised hosts, indicating a focus on high-value intelligence.
  • Both groups are tied to Russia’s FSB (Turla to Center 16; Gamaredon to Center 18).

Who are the actors

  • Gamaredon: Active since 2013, noisy and fast-moving operations, heavily targeting Ukrainian government entities. Attributed by Ukraine’s SSU to FSB Center 18.
  • Turla: Elite espionage operator since at least 2004, focused on governments and diplomacy. Attributed to FSB Center 16 and known for sophisticated implants like Kazuar.

What ESET observed (3 chains)

  • Chain 1 (February 2025): On a co-compromised machine, PteroGraphin and PteroOdd executed commands that relaunched Kazuar v3, likely as a recovery step after disruption. Evidence indicated Turla could issue commands over Gamaredon implants.
  • Chain 2 (April 2025): PteroOdd fetched a script that installed Kazuar v2 from infrastructure assessed as Turla-controlled, showing direct deployment of Turla’s malware via Gamaredon tooling.
  • Chain 3 (June 2025): PteroPaste executed a downloader (masquerading under ESET’s ekrn naming) that installed Kazuar v2 on two more Ukrainian machines. A VBScript variant surfaced on VirusTotal from Kyrgyzstan, hinting at broader interest beyond Ukraine.

Victimology and attribution

  • Turla activity was found on just seven Ukrainian machines in 18 months, contrasting with Gamaredon’s wide net. This supports a handoff model: Gamaredon gains access at scale; Turla cherry-picks priority systems.
  • Gamaredon attribution was reinforced by the use of PteroLNK, PteroStew, PteroGraphin, PteroOdd and PteroPaste. Turla attribution was reinforced by the exclusive use of Kazuar v2/v3 and by its C2 tradecraft.

How the operation ran (notable TTPs)

  • Initial access: Likely spearphishing and malicious LNKs on removable media (consistent with Gamaredon patterns).
  • Staging and delivery: Telegra.ph pages and Cloudflare Workers for tasking and payload retrieval; PowerShell-based downloaders (PteroGraphin, PteroOdd, PteroEffigy, PteroPaste).
  • Command and control: HTTPS, encrypted tasking (3DES within PteroGraphin), and compromised WordPress sites for Kazuar C2; dynamic DNS domains such as ydns.eu.
  • Execution and persistence: DLL side-loading and masquerading as legitimate software (including ESET ekrn) to blend in.
  • Discovery and exfiltration: System info, process lists, OS details, and .NET versions uploaded to Turla-associated infrastructure.
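As an added illustration of how a defender might hunt for two of the TTPs listed above (this is example code, not from ESET or the report), the following Python checks constructed Sysmon-style events for a process calling itself ekrn.exe outside the ESET install directory, and for PowerShell connecting to the staging services named above. The ESET install path, the event field names, and the sample events are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Assumption: the legitimate ESET kernel service (ekrn.exe) lives under this directory.
ESET_DIR = PureWindowsPath(r"C:\Program Files\ESET")
# Staging/C2 services named in the report; Cloudflare Workers are served from *.workers.dev.
STAGING_DOMAINS = ("telegra.ph", "workers.dev", "ydns.eu")


def masqueraded_ekrn(event: dict) -> bool:
    """True if a process is named ekrn.exe but does not run from the ESET directory."""
    image = PureWindowsPath(event.get("Image", ""))
    if image.name.lower() != "ekrn.exe":
        return False
    # PureWindowsPath comparisons are case-insensitive, matching NTFS behaviour.
    return ESET_DIR not in image.parents


def powershell_to_staging(event: dict) -> bool:
    """True if PowerShell opened a connection to one of the staging domains."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return False
    host = event.get("DestinationHostname", "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in STAGING_DOMAINS)


def triage(lines):
    """Return (RecordId, reason) for every JSON event that matches a rule."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 1 and masqueraded_ekrn(ev):       # Sysmon 1: process create
            hits.append((ev["RecordId"], "ekrn.exe outside ESET directory"))
        elif ev.get("EventID") == 3 and powershell_to_staging(ev):  # Sysmon 3: network connect
            hits.append((ev["RecordId"], "PowerShell to staging domain"))
    return hits


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    json.dumps({"RecordId": 1, "EventID": 1, "Image": r"C:\Program Files\ESET\ESET Security\ekrn.exe"}),
    json.dumps({"RecordId": 2, "EventID": 1, "Image": r"C:\Users\Public\Libraries\ekrn.exe"}),
    json.dumps({"RecordId": 3, "EventID": 3, "Image": PS, "DestinationHostname": "telegra.ph"}),
    json.dumps({"RecordId": 4, "EventID": 3, "Image": PS, "DestinationHostname": "update.microsoft.com"}),
    json.dumps({"RecordId": 5, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "DestinationHostname": "example.workers.dev"}),
]

if __name__ == "__main__":
    for rid, why in triage(SAMPLE):
        print(rid, why)  # → 2 ekrn.exe outside ESET directory / 3 PowerShell to staging domain
```

Record 5 is deliberately not flagged: the rule keys on PowerShell as the client, so a browser reaching workers.dev stays out of the hit list and needs a separate rule if you want it.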

Collaboration hypotheses

  • Very likely: Direct collaboration under the FSB umbrella, with Gamaredon providing access and Turla operating implants on selected machines.
  • Unlikely: Turla hijacked Gamaredon’s infrastructure to recover access, though token-based page edits in PteroGraphin make this theoretically possible.
  • Unlikely: Gamaredon independently deployed Kazuar; the selective, cautious usage matches Turla’s tradecraft, not Gamaredon’s noisier style.

Geopolitical context

  • Turla (Center 16) and Gamaredon (Center 18) align with longstanding Russian SIGINT and counterintelligence roles that historically overlap. The Ukraine war likely intensified operational convergence, particularly against defense and government targets.

Why it matters

  • This is a rare, high-confidence look at inter-APT cooperation inside the same national ecosystem, pairing scale (Gamaredon) with precision (Turla). The result: faster access, rapid recovery when implants fail, and sustained espionage on the most sensitive systems.

Source: WeLiveSecurity
