Gamaredon X Turla collab www.welivesecurity.com/en/eset-r…
In this blogpost, we uncover the first known cases of collaboration between Gamaredon and Turla, in Ukraine.
Key points of this blogpost: In February 2025, we discovered that the Gamaredon tool PteroGraphin was used to restart Turla’s Kazuar backdoor on a machine in Ukraine. In April and June 2025, we detected that Kazuar v2 was deployed using Gamaredon tools PteroOdd and PteroPaste. These discoveries lead us to believe with high confidence that Gamaredon is collaborating with Turla. Turla’s victim count is very low compared to the number of Gamaredon compromises, suggesting that Turla choose the most valuable machines. Both groups are affiliated with the FSB, Russia’s main domestic intelligence and security agency.
