Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine


In 2025, cybersecurity researchers documented a rare and notable collaboration between two Russian state‑linked advanced persistent threat (APT) groups — Gamaredon and Turla — that resulted in the deployment of the sophisticated Kazuar backdoor against Ukrainian targets. This cross‑group cooperation is significant not only for the technical intricacies of how the malware was implanted and controlled, but also for what it reveals about Russia’s evolving cyber‑espionage and hybrid warfare strategy in the context of its war against Ukraine. ESET

The findings, published by ESET Research and corroborated by independent threat analysts, show that Gamaredon provided initial access, lateral movement tools, and deployment mechanisms, while Turla supplied its proprietary Kazuar backdoor to implant on carefully selected systems. Analysts believe this represents a deliberate strategic alliance among Federal Security Service (FSB)‑linked groups to target high‑value Ukrainian entities with sophisticated espionage malware. ESET


Background: Who Are Gamaredon and Turla?

Gamaredon — Ukraine’s Persistent Opponent

Gamaredon (also known under aliases such as Armageddon, Callisto, Primitive Bear, and UAC‑0010) is an APT group that has been active since at least 2013, focusing primarily on Ukraine’s government, military, and critical infrastructure sectors. Analysts widely assess that Gamaredon is linked to the Russian Federal Security Service (FSB), specifically the agency’s Center 18, based in Crimea, which specializes in counterintelligence and state security operations. ESET

Gamaredon has traditionally relied on broad infection operations, often using spear‑phishing, malicious shortcuts (LNK files), and other social engineering mechanisms to compromise large numbers of systems — sometimes in the hundreds or thousands — across public and private Ukrainian networks. FIRST

Turla — The Veteran Espionage Specialist

In contrast, Turla (tracked by some vendors under names like Snake, Venomous Bear, Secret Blizzard or Waterbug) is one of the longest‑running Russian espionage groups on record, with activity dating back to at least 2004. Turla is associated with Center 16 of the FSB, Russia’s main signals intelligence (SIGINT) agency, and is known for precise, high‑value espionage operations against government, diplomatic, and strategic targets in Europe, North America, and the Middle East. eSecurity Planet

Turla’s tooling historically includes custom backdoors, encrypted command‑and‑control channels, and advanced injection techniques, all designed to enable deep reconnaissance, credential theft, and persistent covert access. One of its key malware families is Kazuar, a .NET‑based backdoor that supports sophisticated espionage capabilities. eSecurity Planet


The Collaboration: How Gamaredon and Turla Worked Together

Until recently, Gamaredon and Turla were believed to operate independently, despite both being linked to the Russian FSB. Their divergent targeting styles — Gamaredon’s broad sensor‑style compromises vs. Turla’s precision espionage — meant they rarely appeared in the same campaigns. That picture changed in 2025. ESET

Multi‑Stage Attack Chains in Ukraine

ESET researchers identified at least four systems in Ukraine that were compromised by both groups in tandem between January and June 2025. On these machines:

  1. Gamaredon first gained initial access using its familiar toolset (including PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin).

  2. Turla then deployed Kazuar — including both v2 and v3 variants — leveraging the foothold Gamaredon had achieved.

  3. On one infected system, Turla’s backdoor was even restarted by a Gamaredon implant (PteroGraphin), suggesting procedural coordination or shared operational control. ESET

In February 2025, ESET telemetry logs show Kazuar v3 executed after Gamaredon’s PteroGraphin and PteroOdd modules ran, effectively tying the two groups’ tools into a single attack chain. Later, in April and June 2025, Kazuar v2 installers were deployed using Gamaredon’s PteroOdd and PteroPaste, showing that Turla’s backdoor was not a one‑off payload but part of an ongoing collaboration across multiple incidents. ESET

This represents the first known instance of technical linkage between these groups, where Gamaredon’s access mechanisms and Turla’s espionage tools were observed on the same systems with linked execution flows. ESET


Kazuar Backdoor: A Sophisticated Espionage Tool

The Kazuar backdoor has a long history within Turla’s arsenal. First observed in the mid‑2010s, it is a .NET‑based espionage implant used for stealthy data collection, remote command execution, network reconnaissance, and covert communications with its command‑and‑control infrastructure. WTN Global

According to analysis of recent attacks, Kazuar v3 includes:

  • Expanded command modules for system and network reconnaissance

  • Enhanced network transport methods through techniques such as web sockets and Exchange Web Services (EWS)

  • Extensive environmental data harvesting, including OS details and active processes Businesstechweekly.com

The backdoor’s .NET implementation makes detection harder because it blends into normal .NET process activities more easily than native code malware, and its integration with Windows frameworks often enables it to evade simpler signature‑based detection. WTN Global


Operational Objectives and Victimology

While Gamaredon has been highly prolific in terms of total compromises, Turla’s footprint remains selective. ESET researchers noted that in the past 18 months, Turla was detected on only seven systems in Ukraine — even as Gamaredon compromised hundreds if not thousands of machines. This suggests that Turla’s role in these joint operations is targeted and strategic: it deploys Kazuar mainly on high‑value systems likely containing sensitive intelligence or critical organizational access. ESET

Ukraine’s defense sector, government agencies, and associated national infrastructure have been priority targets, consistent with both groups’ historical focus. For Gamaredon, this fits its longstanding campaign against Ukrainian public sector networks. For Turla, the carefully chosen machines align with a pattern of gathering signals intelligence and high‑grade espionage. Businesstechweekly.com


Threat Vectors and Infection Mechanisms

While precise initial access vectors remain partially obscured due to the installation of security software after the compromises were detected, analysts believe spear‑phishing and malicious LNK files remain prominent vectors, especially for Gamaredon. These tactics align with the group’s historical methods of delivering first‑stage implants that later allow secondary payloads — in this case, Turla’s Kazuar — to be deployed. ESET

Gamaredon’s tools likely acted as the initial access facilitator and delivery mechanism for Turla’s backdoor. For example:

  • PteroLNK and PteroStew — used for dropper/launcher roles

  • PteroOdd and PteroPaste — acting as payload fetchers and execution helpers

  • PteroGraphin — employed to restart Kazuar or ensure the persistence of Turla’s implant ESET

This multi‑stage process demonstrates a division of labor where Gamaredon’s broad compromise capabilities set the stage for Turla’s precision espionage activity, with each group contributing specialized tooling to the campaign.


Strategic Implications of the Collaboration

Convergence of FSB‑Linked Operations

While both groups are believed to be linked to Russia’s FSB — albeit different internal centers — their collaboration provides insight into how Russian intelligence services may coordinate cyber operations at scale, bringing together access‑generation specialists and espionage executors to maximize impact. ESET

This is notable because historically Turla and Gamaredon operated in mostly separate spheres:

  • Gamaredon: high volume compromise, broad targeting, large infection campaigns

  • Turla: low volume but highly selective, deeper espionage intrusions

Their collaboration suggests a strategic realignment where state‑level campaigns may increasingly leverage multipronged teams to combine breadth and depth in cyber operations. ESET

Geopolitical Context: The Russia‑Ukraine War

This collaboration coincides with the ongoing Russia‑Ukraine conflict, where both kinetic and cyber warfare fronts have been active since Russia’s full‑scale invasion in 2022. Cyber operations have played a continuous role in this conflict, with Russia‑aligned actors targeting governments, critical infrastructure, defense contractors, and allied organizations with malware, data theft campaigns, and network disruption efforts. FIRST

The combined Gamaredon‑Turla attacks reflect a hybrid approach that blends large‑scale reconnaissance and initial access with selective espionage aimed at extracting valuable intelligence — a hallmark of contemporary state‑linked cyber warfare. ESET


Defensive and Mitigation Considerations

Spear‑Phishing Awareness and Controls

Defenders should reinforce anti‑phishing training, deploy robust email filtering, and disable risky file types like auto‑executing LNK files — which remain common vectors for groups like Gamaredon. ESET

Endpoint Detection and Response (EDR)

Monitoring for anomalous behavior from PowerShell scripts, unusual network implants, or activity indicative of Kazuar execution (e.g., .NET backdoor processes with unusual network connections) can help detect early stages of compromise. WTN Global
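As an added illustration of the EDR check described above (example code, not from ESET's research or any product mentioned on this page), the following Python correlates constructed image-load and network-connection events to flag processes that have loaded the .NET runtime and then open outbound connections outside an assumed baseline. The event field names, baseline paths, ports and addresses are all assumptions made for the example.

```python
"""Correlate image-load and network-connection telemetry to flag .NET-hosted
processes with outbound connections outside an organization's baseline.
Event shapes loosely follow Sysmon (event 7 = image load, event 3 = network
connection); every value below is constructed sample data, not real telemetry."""

# Modules whose load marks a process as hosting the .NET runtime.
CLR_MODULES = {"clr.dll", "coreclr.dll", "mscoree.dll"}

# Assumption: an org-specific baseline of .NET images expected to talk to the
# network, and the destination ports they are expected to use.
BASELINE_DOTNET_NET_IMAGES = {r"c:\program files\corp\inventory.exe"}
ALLOWED_DEST_PORTS = {443}

# Constructed sample telemetry (RFC 5737 test address stands in for an external host).
EVENTS = [
    {"ts": 1, "id": 7, "pid": 2200, "image": r"C:\Program Files\Corp\Inventory.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"ts": 2, "id": 3, "pid": 2200, "image": r"C:\Program Files\Corp\Inventory.exe",
     "dst": "10.0.0.5", "port": 443},
    {"ts": 3, "id": 7, "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"ts": 4, "id": 3, "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dst": "203.0.113.10", "port": 8080},
    # Native process on the same odd port: outside this rule's scope (no CLR loaded).
    {"ts": 5, "id": 3, "pid": 3300, "image": r"C:\Windows\System32\notepad.exe",
     "dst": "203.0.113.10", "port": 8080},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(events, baseline=BASELINE_DOTNET_NET_IMAGES, allowed_ports=ALLOWED_DEST_PORTS):
    """Return one finding per outbound connection made by a CLR-hosting process
    whose image is not baselined or whose destination port is not allowed."""
    clr_loaded = set()  # pids observed loading a CLR module
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # loads must precede connections
        if ev["id"] == 7 and _basename(ev["loaded"]) in CLR_MODULES:
            clr_loaded.add(ev["pid"])
        elif ev["id"] == 3 and ev["pid"] in clr_loaded:
            reasons = []
            if ev["image"].lower() not in baseline:
                reasons.append("image not in .NET network baseline")
            if ev["port"] not in allowed_ports:
                reasons.append(f"destination port {ev['port']} not allowed")
            if reasons:
                findings.append({"pid": ev["pid"], "image": ev["image"],
                                 "dst": f"{ev['dst']}:{ev['port']}", "reasons": reasons})
    return findings
```

Running `find_suspicious(EVENTS)` flags only the CLR-hosting process in the user's Temp directory; the baselined inventory tool and the native notepad process produce no finding.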

Network Segmentation and Least Privilege

By limiting lateral movement and restricting access to sensitive systems, organizations can constrain the effectiveness of multi‑stage campaigns where initial access tools are followed by espionage backdoors.

Threat Intelligence Sharing

Collaboration among defenders and information sharing of indicators of compromise (IOCs), such as URLs, domain names, and malware hashes linked to Ptero and Kazuar families, enhances detection across allied and industry defenses.


Conclusion: A New Chapter in Russian Cyber Operations

The Gamaredon and Turla collaboration in deploying the Kazuar backdoor against Ukrainian targets represents a noteworthy evolution in Russian state‑linked cyber activity — one where multiple advanced threat groups align tooling, access vectors, and strategic intent to achieve precise objectives. ESET

By pairing Gamaredon’s broad compromise capabilities with Turla’s refined espionage implants, these operations highlight how state‑driven cyber campaigns can evolve to become more effective, coordinated, and dangerous — especially in the context of ongoing geopolitical conflicts like the war in Ukraine. ESET

As defenders work to adapt to these hybrid strategies, the lessons from this collaboration will be valuable not only for Ukrainian cyber defenders but also for global organizations seeking to understand how nation‑state actors combine forces to target high‑value systems in contested environments. ESET
