Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high‑profile targets in Ukraine
Analysis Summary
# Threat Actor: Gamaredon and Turla Collaboration
## Attribution & Identity
**Gamaredon:** Attributed by the Security Service of Ukraine (SSU) to the FSB's Center 18 (Information Security Center); the FSB is Russia's domestic intelligence and security agency, and the group operates out of occupied Crimea. Active since at least 2013. Believed to collaborate with the threat actor InvisiMole.
**Turla (Snake):** Infamous cyberespionage group, also thought to be part of the FSB. Active since at least 2004 (possibly earlier).
## Activity Summary
ESET discovered collaboration between Gamaredon and Turla in Ukraine in early 2025. This marks the first known technical linkage between the two FSB-associated groups, where Gamaredon facilitated Turla operations on compromised machines.
Key incidents and observations include:
* **February 2025:** Gamaredon's tool **PteroGraphin** was used to restart Turla's **Kazuar** backdoor on a victim machine.
* **April & June 2025:** **Kazuar v2** installers were deployed using Gamaredon tools (**PteroOdd** and **PteroPaste**).
* Turla appears to focus operations on the most valuable machines, while Gamaredon achieves a much higher volume of compromises.
* In observed co-compromises, Gamaredon deployed a suite of its own tools (PteroLNK, PteroStew, PteroOdd, PteroEffigy, PteroGraphin), and Turla deployed **Kazuar v3** (and later Kazuar v2).
## Tactics, Techniques & Procedures
**Initial Access (presumed initial vector):**
* Spearphishing.
* Malicious LNK files on removable drives (Gamaredon's known initial access method).
**Command & Control (C2):**
* [T1071.001] Application Layer Protocol: Web Protocols (Used by PteroGraphin and Kazuar).
* [T1573.001] Encrypted Channel: Symmetric Cryptography (PteroGraphin uses 3DES to decrypt C&C replies).
* [T1102] Web Service (Use of legitimate web services like Telegra.ph).
**Execution:**
* [T1059.001] Command and Scripting Interpreter: PowerShell (PteroGraphin is written in PowerShell).
**Persistence:**
* [T1574.002] Hijack Execution Flow: DLL Side-Loading (Used by Kazuar loaders).
**Defense Evasion:**
* [T1140] Deobfuscate/Decode Files or Information (Kazuar payload is XOR encrypted, strings encrypted via substitution tables).
* [T1480.001] Execution Guardrails: Environmental Keying (Kazuar loaders decrypt payloads using the machine name as a key).
* [T1036.005] Masquerading: Match Legitimate Name or Location (Kazuar loaders hidden in directories like C:\Program Files (x86)\Brother Printer\App\ or %LOCALAPPDATA%\Programs\Sony\Audio\Drivers\).
**Discovery:**
* [T1057] Process Discovery (the PowerShell script that starts Kazuar v3 sends the list of running processes).
* [T1012] Query Registry (retrieving the installed PowerShell version).
* [T1082] System Information Discovery (Exfiltrating last boot time, OS version/architecture).
* [T1083] File and Directory Discovery (Listing files in %TEMP% and %APPDATA%\Microsoft\Windows).
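A defender-side check for the Masquerading and DLL side-loading entries above, added here as an example and not taken from the ESET report: it matches Sysmon-style image-load events (Event ID 7 field names `Image` and `ImageLoaded`) against the directories the report names, flagging a DLL loaded from one of them by a process whose own executable sits in the same directory. The helper names and sample events are assumptions constructed for this example.

```python
"""Flag DLL loads from the masquerading directories named in the report."""
import re

# Directories the report names as hiding places for Kazuar loaders.
# %LOCALAPPDATA% is kept as a token and expanded to any user profile below.
SUSPECT_DIRS = [
    r"C:\Program Files (x86)\Brother Printer\App",
    r"%LOCALAPPDATA%\Programs\Sony\Audio\Drivers",
]


def _to_pattern(path: str) -> re.Pattern:
    """Turn a directory (optionally containing %LOCALAPPDATA%) into a
    case-insensitive regex anchored at the start of a full file path."""
    parts = [re.escape(p) for p in path.split("%LOCALAPPDATA%")]
    # Any user's local profile: <drive>:\Users\<name>\AppData\Local
    local = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local"
    return re.compile("^" + local.join(parts) + r"\\", re.IGNORECASE)


PATTERNS = [_to_pattern(d) for d in SUSPECT_DIRS]


def is_side_load_candidate(event: dict) -> bool:
    """True when both the loading process and the loaded DLL live in the
    same suspect directory (the classic side-loading shape)."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    return any(p.match(image) and p.match(loaded) for p in PATTERNS)


def scan(events: list) -> list:
    """Return the events that look like a side-load from a suspect directory."""
    return [e for e in events if is_side_load_candidate(e)]


# Constructed sample events (hypothetical, not from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Brother Printer\App\BrUpdate.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Brother Printer\App\version.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Sony\Audio\Drivers\SonyAudio.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Programs\Sony\Audio\Drivers\msvcr.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe",          # benign: system path
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("side-load candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The directory list is the page's own; in production you would extend it from your environment's software inventory rather than hard-code it.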
## Targeting
* **Sectors:** Governmental institutions are the primary sector mentioned. Turla's typical targeting (governments, diplomatic entities) suggests that high-value government assets were selected even within Gamaredon's usual scope.
* **Geography:** **Ukraine**.
* **Victims:** High-profile targets in Ukraine. Specific organization names were not detailed beyond general governmental institutions.
## Tools & Infrastructure
* **Gamaredon Tools:** PteroGraphin, PteroOdd, PteroPaste, PteroLNK, PteroStew, PteroEffigy.
* **Turla Tools:** Kazuar (v2 and v3).
* **Infrastructure:** C2 communication uses HTTPS and legitimate web services (Telegra.ph). Encryption and encoding methods include 3DES and XOR.
## Implications
The confirmed collaboration between Gamaredon (known for high-volume, wide-ranging attacks) and Turla (known for highly focused, sophisticated espionage) suggests a tiered approach to targeting high-value entities within Ukraine. Gamaredon may be serving as an initial access broker or reconnaissance layer, effectively handing off confirmed high-value targets to the more specialized Turla team for final compromise via Kazuar. This synergy increases the resilience and operational complexity of attacks against Ukrainian entities.
## Mitigations
* Implement robust endpoint detection and response capable of detecting PowerShell execution, DLL side-loading techniques, and file masquerading.
* Monitor for post-compromise activity by Gamaredon tools such as PteroGraphin, including unexpected restarts of suspected backdoors.
* Enhance detection for lateral movement or C2 communication attempting to use legitimate web services (e.g., Telegra.ph).
* Strengthen defenses against phishing and malicious removable media usage, as these remain likely initial infection vectors for the Gamaredon component.