ESET researchers show how Gamaredon facilitated Turla access to Ukrainian targets, revealing rare cooperation between FSB-linked espionage groups.
Analysis Summary
# Threat Actor: Gamaredon (facilitating Turla)
## Attribution & Identity
* **Actor Name:** Gamaredon
* **Aliases:** Primitive Bear, ACTINIUM, Armageddon, Shuckworm, Trident Ursa.
* **Associated Groups:** Turla (Venomous Bear, Waterbug, Iron Hunter).
* **Affiliation:** Linked to the Russian Federal Security Service (FSB).
* **Collaboration:** Recent findings indicate Gamaredon acts as an "access broker" or facilitator for Turla, a more sophisticated FSB-linked espionage unit.
## Activity Summary
Between February and June 2025, researchers observed a rare "espionage alliance" where Gamaredon facilitated access for Turla into high-value Ukrainian targets. Gamaredon used its high-volume, aggressive initial access tradecraft to compromise systems, subsequently deploying Turla’s advanced Kazuar backdoor. In specific instances, when Turla lost access to a target, Gamaredon’s tooling was used to re-infect the system and restore Turla’s foothold.
## Tactics, Techniques & Procedures
* **Initial Access:** Relentless spearphishing campaigns.
* **Operational Tempo:** Characterized by "fast operational tempo" and high-volume attacks suited for a wartime environment.
* **Lateral Movement/Persistence:** Use of lightweight custom scripts and tools to maintain presence.
* **Access Brokering:** Establishing initial footholds and handing off access to more sophisticated actors (Turla) for deep-dive espionage.
* **Redundancy:** Re-establishing access for partner groups after remediation efforts.
* **TTPs observed:**
  * Deployment of multi-stage downloaders.
  * Use of custom-built implants for information gathering.
## Targeting
* **Sectors:** Military and Government organizations.
* **Geography:** Ukraine.
* **Victims:** High-value Ukrainian state entities.
## Tools & Infrastructure
* **Malware Families (Gamaredon):**
  * **PteroGraphin:** Custom tooling used for initial stages and access maintenance.
  * **PteroOdd:** Specialized tool used in the deployment chain for secondary payloads.
* **Malware Families (Turla, deployed via Gamaredon):**
  * **Kazuar (v2 and v3):** Turla’s flagship backdoor, a sophisticated espionage platform used for post-compromise exploitation.
* **Infrastructure:**
  * Rapidly shifting C2 domains and IP addresses to evade detection.
  * *Note: Specific defanged IPs/URLs were not provided in the summary text, but the actor is known for using Telegram and cloud services for C2 discovery.*
## Implications
This collaboration signals a shift in Russian cyber operations toward a "division of labor." By using Gamaredon as a "loud" front-end to handle the noisy work of initial infection and persistent access, Turla can reserve its advanced (and more easily "burned") implants, like Kazuar, for high-priority exploitation. This synergy makes remediation significantly more difficult, as removing a Turla implant may be futile if Gamaredon’s "maintenance" tools remain in the network.
## Mitigations
* **Aggressive Phishing Defense:** Implement robust email filtering and user awareness training specifically targeting themes related to the Ukrainian conflict.
* **Hunt for "Loud" Indicators:** Monitor for Gamaredon’s typically noisy Ptero-family scripts; their presence may be a precursor to a more silent Turla infection.
* **Persistent Foothold Auditing:** If Gamaredon/PteroGraphin is detected, conduct a deep-dive forensic audit to ensure sophisticated backdoors (like Kazuar) have not been dropped.
* **Network Segmentation:** Protect high-value government and military data behind strict access controls to prevent lateral movement following a spearphishing success.