LABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine

ESET researchers presented technical evidence that Gamaredon helped Turla access high-value Ukrainian targets, including deploying the Kazuar backdoor and restoring access after Turla lost its foothold. The presentation also examined Gamaredon’s spearphishing-driven tradecraft and the evolution of Turla’s Kazuar v2 and v3 implants. #Gamaredon #Turla #Kazuar #PteroGraphin #PteroOdd

Keypoints

  • ESET researchers Matthieu Faou and Zoltán Rusnák presented the first technical evidence that Gamaredon actively facilitated Turla’s access to high-value Ukrainian targets.
  • Between February and June 2025, Gamaredon tooling was observed deploying Turla’s Kazuar backdoor on already compromised systems.
  • In at least one incident, Gamaredon restored Turla’s access after the group appeared to have lost its foothold.
  • The activity suggests operational collaboration or labor division between two Russian cyberespionage groups, with one maintaining access and the other deploying a more advanced implant.
  • Gamaredon remains one of the most active espionage actors targeting Ukraine, relying on spearphishing, custom tooling, and rapid operations against military and government organizations.
  • The talk also analyzed Kazuar v2 and v3, highlighting Turla’s operational priorities and the persistence of its malware inside contested networks.

MITRE Techniques

  • [T1566.001 ] Spearphishing Attachment – Gamaredon's initial access relies on targeted emails carrying malicious attachments (‘the group relies on relentless spearphishing’).
  • [T1105 ] Ingress Tool Transfer – Gamaredon tooling was used to deploy Turla’s Kazuar backdoor onto compromised systems (‘Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla’s Kazuar backdoor’).
  • [T1219 ] Remote Access Software – Turla’s Kazuar backdoor functioned as a persistent remote-access implant used to maintain control inside victim environments (‘Turla’s Kazuar backdoor’). Note that T1219 is defined for legitimate remote-access tools; Kazuar is a custom backdoor, so this mapping is approximate.
  • [T1078 ] Valid Accounts – The report describes Gamaredon restoring Turla’s access after the group appeared to have lost its foothold (‘restore Turla’s access after the group appeared to have lost its foothold’). This mapping is inferred: the summary does not state whether credentials or accounts were involved, only that access to already compromised systems was re-established via Gamaredon tooling.

Indicators of Compromise

  • [Malware/Tool names ] tooling and implants used in the activity – PteroGraphin, PteroOdd, Kazuar (the summary provides no atomic indicators such as hashes, domains, or IP addresses)
  • [Threat actor names ] actors involved in the collaboration – Gamaredon, Turla
  • [Date range ] observed incident window – February 2025 to June 2025
  • [Organizations/targets ] affected target environments referenced in the talk – Ukrainian military organizations, Ukrainian government organizations


Read more: https://www.sentinelone.com/labs/labscon25-replay-gamaredon-x-turla-unveiling-a-2025-espionage-alliance-targeting-ukraine/