Cybersecurity researchers have uncovered evidence of two prominent Russian hacking groups, Gamaredon and Turla, collaborating to target Ukrainian entities. This unprecedented joint operation signifies a potentially escalating threat to the nation’s defense sector. The discovery indicates a sophisticated, coordinated effort to compromise sensitive systems and deploy advanced malware.
Gamaredon and Turla Forge Unlikely Alliance in Cyber Espionage
New findings from Slovak cybersecurity firm ESET reveal a significant collaboration between two Russia-linked threat actors: Gamaredon (also known as Aqua Blizzard and Armageddon) and Turla (also known as Secret Blizzard and Venomous Bear). This alliance, observed in early 2025, involves Gamaredon providing initial access to Ukrainian targets, which is then exploited by Turla to deploy its potent Kazuar backdoor. Both groups are widely assessed to be affiliated with the Russian Federal Security Service (FSB) and have a long history of targeting Ukraine, making this convergence particularly concerning.
The operational synergy was first detected in February 2025 when Gamaredon’s PteroGraphin and PteroOdd tools were observed facilitating the execution of Turla’s Kazuar v3 backdoor on a compromised endpoint. ESET’s analysis suggests PteroGraphin likely served as a recovery mechanism, ensuring the Kazuar backdoor remained active even if it crashed or failed to launch automatically. This indicates a deliberate and integrated approach to maintaining persistent access.
Further instances of this collaboration were documented in April and June 2025. In these cases, ESET identified the deployment of Kazuar v2 via two other Gamaredon malware families, PteroOdd and PteroPaste. These repeated deployments underscore the sustained nature of the joint offensive and the groups’ commitment to its success.
A History of State-Sponsored Cyber Operations
Gamaredon has been an active player in the cyber threat landscape since at least 2013, primarily focusing its attacks on Ukrainian governmental institutions. Its operational methods often involve spear-phishing campaigns and the use of malicious LNK files on removable drives for propagation.
Turla, on the other hand, is an infamous cyber espionage group with a history stretching back to at least 2004, possibly even the late 1990s. Known for its sophisticated targeting of governments and diplomatic entities across Europe, Central Asia, and the Middle East, Turla has previously been implicated in breaches of high-profile organizations, including the U.S. Department of Defense in 2008 and the Swiss defense company RUAG in 2014. The group is renowned for its use of custom malware, with Kazuar being a particularly persistent and adaptable implant.
ESET posits that Russia’s full-scale invasion of Ukraine in 2022 likely served as a catalyst for this convergence of operational efforts. The recent attacks appear to have a heightened focus on Ukraine’s defense sector, aligning with the ongoing geopolitical conflict.
Understanding the Attack Chain and Malware
The observed attack chains demonstrate a multi-stage process designed for stealth and effectiveness. In one observed scenario, Gamaredon deployed PteroGraphin, a PowerShell tool utilizing Microsoft Excel add-ins and scheduled tasks for persistence, which communicated via the Telegraph API for command-and-control (C2). PteroGraphin was used to initiate the download of another PowerShell downloader, PteroOdd. This downloader, in turn, retrieved a payload from the Telegraph service to execute the Kazuar backdoor.
Prior to launching Kazuar, the payload was designed to gather crucial system information, including the victim’s computer name and the volume serial number of the system drive. This data would then be exfiltrated to a Cloudflare Workers sub-domain. Researchers believe this initial reconnaissance step is likely intended for Turla, given that Gamaredon’s own toolset does not appear to include .NET malware, while Turla’s Kazuar is .NET-based.
Kazuar itself has undergone significant development. ESET notes that Kazuar v2 and v3 are fundamentally the same malware family, sharing a common codebase. Kazuar v3, which is approximately 35% larger in terms of C# lines of code, introduces enhanced network transport methods, including web sockets and Exchange Web Services, for more robust communication.
A separate attack observed in mid-April 2025 saw PteroOdd drop another PowerShell downloader, PteroEffigy. This downloader ultimately contacted the “eset.ydns[.]eu” domain to deliver Kazuar v2, a variant previously documented by Palo Alto Networks.
A third attack chain, identified on June 5 and 6, 2025, involved Gamaredon’s PteroPaste PowerShell downloader. This downloader was used to deploy and install Kazuar v2 on two machines in Ukraine. The malware was disguised with the filename “ekrn.ps1,” a potential attempt to mimic legitimate ESET endpoint security product binaries (“ekrn.exe”) and evade detection.
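A defender-side hunt over endpoint telemetry for the traits of this chain: a script file named after a security product binary (ekrn.ps1 mimicking ekrn.exe), PowerShell launched from Excel or from a scheduled task, and connections to Telegraph, Cloudflare Workers or ydns.eu hosts. This is an added example, not ESET's code or tooling; the event schema, the domain and parent-process lists and the sample events are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Binaries a dropped script may impersonate: the chain above used "ekrn.ps1" to mimic ESET's ekrn.exe.
PROTECTED_BASENAMES = {"ekrn"}
SCRIPT_EXTS = {".ps1", ".psm1", ".vbs", ".js", ".bat"}
# Parent domains of the infrastructure types named above (Telegraph API, Cloudflare Workers, ydns.eu).
SUSPECT_HOST_RE = re.compile(r"(^|\.)(telegra\.ph|workers\.dev|ydns\.eu)$", re.I)
# Parents that rarely launch PowerShell legitimately: Excel (add-ins) and the Task Scheduler svchost. Heuristic.
SUSPECT_PARENTS = {"excel.exe", "svchost.exe"}

def masquerading_script(path: str) -> bool:
    """True when a script file reuses the basename of a protected binary."""
    p = PureWindowsPath(path.strip('"'))
    return p.stem.lower() in PROTECTED_BASENAMES and p.suffix.lower() in SCRIPT_EXTS

def hunt(events):
    """Return (rule, detail) pairs for a list of Sysmon-style event dicts (assumed schema)."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create" and masquerading_script(ev["target"]):
            findings.append(("masquerading_script", ev["target"]))
        elif ev["type"] == "process_create":
            image = PureWindowsPath(ev["image"]).name.lower()
            parent = PureWindowsPath(ev["parent"]).name.lower()
            if image == "powershell.exe" and parent in SUSPECT_PARENTS:
                findings.append(("powershell_from_" + parent, ev["cmdline"]))
            for tok in ev["cmdline"].split():  # script path passed on the command line
                if masquerading_script(tok):
                    findings.append(("masquerading_script", tok.strip('"')))
        elif ev["type"] == "network" and SUSPECT_HOST_RE.search(ev["host"]):
            findings.append(("suspect_c2_host", ev["host"]))
    return findings

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real logs; the last event is benign
    {"type": "file_create", "target": r"C:\Users\Public\ekrn.ps1"},
    {"type": "process_create", "image": PS, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"powershell.exe -w hidden -ep bypass -File C:\Users\Public\ekrn.ps1"},
    {"type": "process_create", "image": PS, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\ProgramData\update.ps1"},
    {"type": "network", "image": "powershell.exe", "host": "api.telegra.ph"},
    {"type": "network", "image": "powershell.exe", "host": "example-name.workers.dev"},
    {"type": "process_create", "image": r"C:\Program Files\ESET\ESET Security\ekrn.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "ekrn.exe"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The genuine ekrn.exe service in the last sample event produces no finding, which is the check that keeps the basename rule from firing on the product it protects.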
Implications and Future Outlook
The confirmed collaboration between Gamaredon and Turla represents a significant escalation in the cyber warfare targeting Ukraine. This alliance allows them to leverage each other’s strengths, with Gamaredon facilitating initial access and Turla deploying its advanced espionage capabilities. ESET researchers Matthieu Faou and Zoltán Rusnák expressed high confidence in this assessment, stating that Gamaredon is providing initial access to Turla.
Turla-related indicators of compromise were detected on seven machines in Ukraine over the preceding 18 months. Of these, four were breached by Gamaredon in January 2025, leading to the deployment of the latest Kazuar version towards the end of February. The presence of Kazuar on systems as of February 11, 2025, further substantiates Gamaredon’s role in downloading the sophisticated backdoor.
The continuous evolution of Kazuar, with the introduction of new transport methods in v3, suggests that Turla remains highly motivated to maintain its access and operational effectiveness. The deliberate camouflage attempts, such as the “ekrn.ps1” filename, indicate a growing sophistication in their efforts to evade security measures.
Looking ahead, the focus will remain on monitoring the specific targets and objectives of this joint Gamaredon-Turla operation. Given the targeting of the Ukrainian defense sector, further attempts to exfiltrate sensitive intelligence or disrupt critical infrastructure are anticipated. Organizations within Ukraine, particularly those in defense and government, must remain vigilant and ensure their cybersecurity defenses are robust and up-to-date to mitigate the evolving threats posed by these state-sponsored hacking collectives.