Russian Hackers Gamaredon and Turla Linked in Coordinated Ukraine Attacks
Kyiv, Ukraine – Cybersecurity researchers have uncovered evidence of collaboration between the Russian state-sponsored hacking groups Gamaredon and Turla, revealing a coordinated effort to deploy the Kazuar backdoor against targets in Ukraine. The findings, published by ESET, detail a series of attacks throughout early 2025 in which Gamaredon gained initial access to systems and subsequently handed off control to Turla for malware deployment.
The attacks leverage a complex chain of custom malware, beginning with Gamaredon’s PteroGraphin tool, which downloads a PowerShell downloader, PteroOdd. PteroOdd then retrieves a payload from Telegraph to execute Kazuar. Victims’ computer names and system drive volume serial numbers are exfiltrated to a Cloudflare Workers subdomain prior to Kazuar’s launch. ESET noted Kazuar v2 and v3 share the same codebase, with v3 comprising approximately 35% more C# lines and introducing new network transport methods via web sockets and Exchange Web Services.
Evidence of the collaboration first surfaced in February 2025, when Kazuar was detected on a system accessed by Gamaredon. A subsequent PteroOdd sample found on a separate Ukrainian machine in March 2025 also contained Kazuar. The malware harvests extensive system information, including installed .NET versions, and transmits it to the domain “eset.ydns[.]eu.” Researchers believe this data gathering is intended for Turla, given Gamaredon’s lack of .NET malware and Kazuar’s .NET foundation.
A second attack wave in mid-April 2025 used another PowerShell downloader, PteroEffigy, to deliver Kazuar v2 (“scrss.ps1”) via the “eset.ydns[.]eu” domain. A third attack, observed on June 5 and 6, 2025, involved PteroPaste dropping Kazuar v2 (“ekrn.ps1”) from the IP address “91.231.182[.]187.” The use of “ekrn” is suspected to be an intentional attempt to mimic “ekrn.exe,” a legitimate ESET endpoint security binary.
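Turning the indicators above into detection logic, as an added illustration that is not ESET's code: the rules below flag the report's two C2 endpoints, the Kazuar v2 script names, the ekrn masquerade, and PowerShell reaching Telegraph or Cloudflare Workers hosting, run over constructed EDR-style events. The event field names, telegra.ph and workers.dev as the hosting domains, and the ESET install path are assumptions.

```python
import re
from typing import Iterable

# Indicators named in the report, re-fanged. Do not extend without a source.
KNOWN_C2 = {"eset.ydns.eu", "91.231.182.187"}
PAYLOAD_NAMES = {"scrss.ps1", "ekrn.ps1"}          # Kazuar v2 dropper scripts
# Payload hosting used by the PowerShell downloaders (Telegraph, Cloudflare Workers).
# Both are legitimate services, so this rule is low confidence on its own.
PAYLOAD_HOSTING = re.compile(r"(^|\.)(telegra\.ph|workers\.dev)$", re.I)
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.I)


def classify(event: dict) -> list[str]:
    """Return the names of every rule that fires for one event."""
    hits = []
    image = event.get("image", "")
    cmd = event.get("cmdline", "")
    host = event.get("dst_host", "").lower()
    from_ps = bool(POWERSHELL.search(image))
    if host in KNOWN_C2 or event.get("dst_ip", "") in KNOWN_C2:
        hits.append("known-c2")
    script = re.search(r"([\w-]+\.ps1)\b", cmd, re.I)
    if script and script.group(1).lower() in PAYLOAD_NAMES:
        hits.append("kazuar-script-name")
    # "ekrn" is only legitimate as ESET's ekrn.exe; an "ekrn.<anything else>"
    # on a PowerShell command line is the masquerade the report describes.
    if from_ps and re.search(r"\bekrn\.(?!exe\b)\w+", cmd, re.I):
        hits.append("ekrn-masquerade")
    if from_ps and PAYLOAD_HOSTING.search(host):
        hits.append("powershell-to-payload-hosting")
    return hits


def scan(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map event id -> fired rules, keeping only events with at least one hit."""
    return {e["id"]: h for e in events if (h := classify(e))}


# Constructed telemetry, not real logs; field names are an assumed EDR/proxy schema.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -f C:\Users\Public\ekrn.ps1",
     "dst_host": "", "dst_ip": "91.231.182.187"},
    {"id": "e2", "image": r"C:\Program Files\ESET\ESET Security\ekrn.exe",  # the real binary
     "cmdline": "ekrn.exe", "dst_host": "", "dst_ip": ""},
    {"id": "e3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden", "dst_host": "api.telegra.ph", "dst_ip": ""},
    {"id": "e4", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe", "dst_host": "example.workers.dev", "dst_ip": ""},
    {"id": "e5", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -f scrss.ps1", "dst_host": "eset.ydns.eu", "dst_ip": ""},
]
```

The legitimate ekrn.exe (e2) and a browser visiting a Workers site (e4) produce no hits, which is the false-positive behaviour to confirm before deploying any of these rules.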
“We now believe with high confidence that both groups – separately associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla,” stated ESET researchers Matthieu Faou and Zoltán Rusnák. This collaboration highlights a growing trend of coordinated cyber operations between Russian state-sponsored actors, increasing the sophistication and effectiveness of attacks against Ukraine and potentially other targets.
Kazuar, initially documented by Palo Alto Networks in late 2023, is a versatile backdoor capable of extensive system compromise and data exfiltration. The observed attacks demonstrate a refined and collaborative approach to targeting Ukrainian infrastructure and organizations.