Gamaredon X Turla collaboration
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
ESET Research has uncovered collaboration between notorious APT groups Gamaredon and Turla, both associated with Russia's FSB, targeting high-profile victims in Ukraine. The research reveals Gamaredon tools being used to restart and deploy Turla's Kazuar backdoor on compromised machines. This marks the first known instance of cooperation between these groups, with Turla selectively choosing valuable targets from Gamaredon's numerous compromises. The collaboration involves the use of various Gamaredon tools like PteroGraphin, PteroOdd, and PteroPaste to facilitate Turla's operations. The report details multiple attack chains, including the restart of Kazuar v3 and deployment of Kazuar v2, demonstrating a sophisticated level of coordination between the two threat actors.
OPENCTI LABELS :
apt,backdoor,ukraine,cyberespionage,fsb,pterographin,pteroodd,pteroeffigy,pterostew,pteropaste,collaboration,kazuar
AI COMMENTARY :
1. ESET Research has documented cooperation between two Russian APT groups, Gamaredon and Turla, both assessed to operate under the FSB. The two groups combined their respective strengths to target high-profile victims in Ukraine: Gamaredon contributes breadth of access, Turla contributes a more capable backdoor. The finding shows that the line between individual APT operations can blur when state-sponsored goals align.
2. Prior to this finding, Gamaredon and Turla were tracked as separate operations running independent campaigns against Ukrainian government and other institutions. The new report describes how hosts already compromised by Gamaredon serve as the starting point for Turla's backdoor deployment. This handoff is the first known instance of cooperation between these two groups, with each relying on the other's capabilities rather than duplicating them.
3. Central to this cooperation are Gamaredon's custom tools (PteroGraphin, PteroOdd, PteroEffigy, PteroStew, and PteroPaste). The report shows these implants, already running on Gamaredon-compromised machines, being used to restart an existing Kazuar implant and to download and execute new Kazuar payloads. In other words, Turla does not need its own initial access: Gamaredon's foothold is the delivery channel for Turla's backdoor.
4. The report details multiple attack chains. In some, a Kazuar v3 implant that was already present on the host is restarted through a Gamaredon tool; in others, Kazuar v2 is deployed onto the compromised machine. Only a small subset of Gamaredon's many victims receive Kazuar, which indicates that Turla selects the targets it considers valuable enough to warrant its own implant.
5. This collaboration has practical consequences for defenders in Ukraine and elsewhere. A Gamaredon compromise, often treated as a noisy, high-volume intrusion, can now be the precursor to a much stealthier Turla backdoor on the same host. Indicators from both groups should be loaded into the same threat intelligence feeds and correlated per host, so that activity from Gamaredon tooling such as PteroGraphin followed by Kazuar activity is surfaced as one incident rather than two unrelated alerts.
6. The Gamaredon-Turla cooperation shows that APT groups will pool resources to further shared geopolitical objectives. As nation-state cyber operations become more intertwined, security teams need to hunt across actor boundaries, maintain continuous threat hunting on previously compromised hosts, and update incident response playbooks to cover multi-stage, multi-actor intrusions. Intelligence sharing on both groups' tooling remains key to detecting this kind of coordinated cyberespionage early.
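The per-host correlation recommended above, as an added example that is not code from ESET, OpenCTI, or the original page. It assumes an indicator-to-intrusion-set mapping of the kind an OpenCTI report export would provide, plus endpoint telemetry as simple (host, timestamp, observable type, value) records; every indicator value and every telemetry record below is constructed for the example and is not an indicator from the report. The rule it implements is the one the report motivates: flag a host where an observable attributed to Gamaredon is followed, within a time window, by an observable attributed to Turla.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder indicator sets, one per intrusion set. In practice these would be
# pulled from the OpenCTI report's observables; the values here are invented
# for the example and are NOT indicators from the ESET research.
INDICATORS = {
    "Gamaredon": {
        "sha256": {"11" * 32},             # stands in for a PteroGraphin sample
        "domain": {"gam-stage.invalid"},   # stands in for a Gamaredon staging host
    },
    "Turla": {
        "sha256": {"22" * 32},             # stands in for a Kazuar v2 sample
        "domain": {"kaz-c2.invalid"},      # stands in for a Kazuar C2 host
    },
}

# Constructed endpoint telemetry: (host, ISO timestamp, observable type, value).
EVENTS = [
    ("WS-07", "2025-02-03T09:12:00", "sha256", "11" * 32),
    ("WS-07", "2025-02-03T09:13:30", "domain", "gam-stage.invalid"),
    ("WS-07", "2025-02-18T14:02:11", "sha256", "22" * 32),
    ("WS-07", "2025-02-18T14:05:40", "domain", "kaz-c2.invalid"),
    ("WS-12", "2025-02-04T11:00:00", "domain", "gam-stage.invalid"),  # Gamaredon only
    ("WS-21", "2025-03-01T08:00:00", "domain", "kaz-c2.invalid"),     # Turla only
    ("WS-30", "2025-01-10T10:00:00", "domain", "gam-stage.invalid"),
    ("WS-30", "2025-06-20T10:00:00", "sha256", "22" * 32),            # Turla, but months later
    ("WS-30", "2025-01-11T10:00:00", "domain", "benign.invalid"),     # no indicator match
]


def attribute(obs_type, value):
    """Return the set of intrusion sets whose indicator lists contain this observable."""
    return {actor for actor, sets in INDICATORS.items()
            if value in sets.get(obs_type, set())}


def actors_per_host(events):
    """Which intrusion sets have matched on each host, regardless of order."""
    seen = defaultdict(set)
    for host, _ts, obs_type, value in events:
        seen[host] |= attribute(obs_type, value)
    return {host: actors for host, actors in seen.items() if actors}


def find_handoffs(events, window=timedelta(days=30)):
    """Flag hosts where the first Gamaredon-attributed observable is followed,
    within `window`, by a Turla-attributed observable. One record per host."""
    by_host = defaultdict(list)
    for host, ts, obs_type, value in events:
        actors = attribute(obs_type, value)
        if actors:
            by_host[host].append((datetime.fromisoformat(ts), actors, obs_type, value))

    hits = []
    for host, matches in by_host.items():
        matches.sort(key=lambda m: m[0])
        first_gam = next((m for m in matches if "Gamaredon" in m[1]), None)
        if first_gam is None:
            continue  # Turla-only hosts are reported by actors_per_host instead
        for ts, actors, obs_type, value in matches:
            if "Turla" in actors and first_gam[0] < ts <= first_gam[0] + window:
                hits.append({
                    "host": host,
                    "gamaredon_first_seen": first_gam[0].isoformat(),
                    "turla_first_seen": ts.isoformat(),
                    "gap_days": (ts - first_gam[0]).days,
                    "turla_observable": f"{obs_type}:{value}",
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_handoffs(EVENTS):
        print("Gamaredon-to-Turla handoff:", hit)
    for host, actors in sorted(actors_per_host(EVENTS).items()):
        print(host, "matched", sorted(actors))
```

The window is a tuning knob, not a fact from the report: a Gamaredon foothold can sit idle for a long time before Turla uses it, so a longer window catches more handoffs at the cost of more coincidental pairings. Hosts with only Turla matches (WS-21 in the constructed data) are still worth a look on their own, which is why `actors_per_host` is reported alongside the handoff list.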