Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine
- Two Russian hacking groups, Gamaredon and Turla, are collaborating to target Ukrainian entities, deploying the Kazuar backdoor.
- ESET observed Gamaredon’s tools PteroGraphin and PteroOdd being used to execute Turla’s Kazuar backdoor on a Ukrainian endpoint in February 2025.
- PteroGraphin was likely used by Turla as a recovery method to restart the Kazuar v3 backdoor.
- In separate instances in April and June 2025, ESET detected the deployment of Kazuar v2 through Gamaredon’s malware families PteroOdd and PteroPaste.
- Both Gamaredon and Turla are affiliated with the Russian Federal Security Service (FSB) and have a history of targeting Ukraine.
- Gamaredon has been active since at least 2013, primarily attacking Ukrainian governmental institutions.
- Turla, also known as Snake, has been active since at least 2004, focusing on high-profile targets like governments and diplomatic entities.
- Russia’s full-scale invasion of Ukraine in 2022 likely fueled the collaboration between Gamaredon and Turla, with recent attacks focusing on the Ukrainian defense sector.
- Kazuar is a frequently updated malware used by Turla, with versions dating back to 2016.
- Gamaredon’s tools, including PteroGraphin, PteroOdd, and PteroPaste, are used to deliver additional payloads and maintain persistence on targeted systems.