Joint attacks by Gamaredon and Turla using Kazuar Backdoor recorded in Ukraine

19.09.2025 2 minutes Author: Newsman

ESET researchers have found evidence of cooperation between two Russian hacking groups, Gamaredon and Turla, who have been jointly attacking Ukrainian organizations using the Kazuar backdoor. This is the first documented case of Gamaredon tools being used to launch and support the Turla malware.

  •  In February 2025, Gamaredon tools PteroGraphin and PteroOdd were used to launch Kazuar v3 on Ukrainian machines.

  •  In April and June 2025, the attackers again used PteroOdd and PteroPaste to spread Kazuar v2.

  •  Gamaredon is responsible for initial access (via phishing and malicious LNK files on media), while Turla brings in its sophisticated espionage arsenal.

  •  Kazuar is able to collect system information, send it to external servers and open a backdoor for further control.

  •  At least seven machines infected through this attack chain have been detected in Ukraine since February 2025, four of which had already been compromised by Gamaredon in January.

Key details of the attack

  1. PteroGraphin used Excel add-ins and scheduled tasks for persistence.
  2. Kazuar v3 has 35% more C# code than the previous version and supports new communication methods (WebSockets and Exchange Web Services).
  3. Known control servers: Cloudflare Workers subdomains and eset.ydns[.]eu.
  4. Masquerading as legitimate processes (e.g., a script named ekrn.ps1 to pass as a component of ESET antivirus).

  • Gamaredon (also known as Aqua Blizzard, Armageddon) has been operating since 2013, primarily attacking Ukrainian government institutions.

  • Turla (Secret Blizzard, Snake, Venomous Bear) is an FSB group active since at least 2004, known for attacks on government structures in Europe, the US and the Middle East (victims include the US Department of Defense in 2008 and the Swiss company RUAG in 2014).

  • Since the beginning of Russia’s full-scale invasion of Ukraine in 2022, cooperation between these groups has only intensified.

  • Kazuar was first discovered in 2016, is regularly updated and remains one of Turla’s main tools.

The Gamaredon and Turla collaboration demonstrates a new level of threat to Ukraine: combining simple initial access methods with sophisticated backdoors creates an effective chain of espionage and sabotage. This points to coordination between FSB units and raises the bar for defenders. Ukrainian organizations need in-depth monitoring, multi-level network segmentation, and rapid response to suspicious PowerShell activity.
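As an added illustration (not code from the article or from ESET), the Python routine below triages a few constructed, Sysmon-style telemetry records for the traits the article lists: a scheduled task that launches PowerShell, a script borrowing the ekrn name, an Excel add-in registered for persistence, and DNS queries matching the listed control-server domains. The record layout, the sample values, the Excel Options registry key and the workers.dev suffix for Cloudflare Workers are assumptions.

```python
import re
from fnmatch import fnmatch

# Domains from the article. "*.workers.dev" is assumed to be the form a
# Cloudflare Workers subdomain takes and is deliberately a loose match.
C2_PATTERNS = ["eset.ydns.eu", "*.workers.dev"]
# A PowerShell script named after ESET's ekrn service is masquerading:
# the genuine component is an executable service, never a .ps1 file.
MASQUERADE_SCRIPT = re.compile(r"(^|[\\/])ekrn\.ps1$", re.IGNORECASE)
# Excel reads add-in paths from its Options key (assumed mechanism).
EXCEL_ADDIN = re.compile(r"\.xlam?$", re.IGNORECASE)


def triage(records):
    """Return (record_id, finding) tuples for records that deserve a look."""
    findings = []
    for rec in records:
        kind = rec["kind"]
        if kind == "process" and "powershell" in rec["image"].lower():
            for token in re.split(r"[\s\"']+", rec["cmdline"]):
                if MASQUERADE_SCRIPT.search(token):
                    findings.append((rec["id"], "PowerShell runs a script named like ESET ekrn"))
        elif kind == "task" and "powershell" in rec["action"].lower():
            findings.append((rec["id"], "scheduled task launches PowerShell"))
        elif kind == "registry" and EXCEL_ADDIN.search(rec["value"]) \
                and r"\excel\options" in rec["key"].lower():
            findings.append((rec["id"], "Excel add-in registered under Options key"))
        elif kind == "dns":
            host = rec["query"].lower().rstrip(".")
            if any(fnmatch(host, p) for p in C2_PATTERNS):
                findings.append((rec["id"], f"DNS query to listed C2 pattern: {host}"))
    return findings


# Constructed sample telemetry, not real captures. Record 2 is the genuine
# ESET service and record 7 a benign lookup; neither should be flagged.
SAMPLE = [
    {"id": 1, "kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\ekrn.ps1"},
    {"id": 2, "kind": "process", "image": r"C:\Program Files\ESET\ESET Security\ekrn.exe", "cmdline": "ekrn.exe"},
    {"id": 3, "kind": "task", "action": r"powershell.exe -File C:\Users\Public\ekrn.ps1"},
    {"id": 4, "kind": "registry", "key": r"HKCU\Software\Microsoft\Office\16.0\Excel\Options",
     "value": r"C:\Users\Public\update.xlam"},
    {"id": 5, "kind": "dns", "query": "eset.ydns.eu"},
    {"id": 6, "kind": "dns", "query": "update.example.workers.dev"},
    {"id": 7, "kind": "dns", "query": "www.eset.com"},
]

if __name__ == "__main__":
    for rid, why in triage(SAMPLE):
        print(rid, why)
```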
