
Cybersecurity researchers have identified evidence that two Russian hacking groups, Gamaredon and Turla, are working together to target Ukrainian organizations.
Slovak cybersecurity company ESET said that in February 2025 it observed the Gamaredon tools PteroGraphin and PteroOdd being used to run the Turla group's Kazuar backdoor on Ukrainian endpoints.
“PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically,” ESET said in a report shared with The Hacker News. “Therefore, PteroGraphin was probably used as a recovery method by Turla.”
In other instances, in April and June 2025, ESET said it also detected Kazuar v2 being deployed through two other Gamaredon malware families tracked as PteroOdd and PteroPaste.
Gamaredon (aka Aqua Blizzard and Armageddon) and Turla (aka Secret Blizzard and Venomous Bear) are assessed to be affiliated with Russia's Federal Security Service (FSB) and are known for attacks targeting Ukraine.

“Gamaredon has been active since at least 2013 and is primarily responsible for many attacks on Ukrainian government agencies,” ESET said.
“Turla, also known as Snake, is an infamous cyberespionage group that has been active since at least 2004, and possibly as far back as the late 1990s. It focuses primarily on high-profile targets such as governments and diplomatic entities in Europe, Central Asia and the Middle East.”
The cybersecurity company says Russia's full-scale invasion of Ukraine in 2022 likely drove this convergence, with the attacks in recent months focusing primarily on Ukraine's defense sector.
Kazuar is one of Turla's classic implants, a frequently updated malware; the group has previously used Amadey bots to deploy a backdoor called Tavdig. According to Kaspersky, early artifacts of the malware were discovered in the wild as far back as 2016.
Meanwhile, PteroGraphin, PteroOdd, and PteroPaste are part of Gamaredon's growing arsenal of tools for delivering additional payloads. PteroGraphin is a PowerShell tool that uses a Microsoft Excel add-in and scheduled tasks as persistence mechanisms and uses the Telegraph API for command and control (C2). It was first discovered in August 2024.
The exact initial access vectors used by Gamaredon are not clear, but the group has a history of using spear-phishing and of propagating via malicious LNK files on removable drives using tools such as PteroLNK.
Overall, over the past 18 months, Turla-related indicators have been detected on seven Ukrainian machines, four of which had been compromised by Gamaredon in January 2025. The latest version, Kazuar v3, is said to have been deployed by the end of February.
“Kazuar v2 and v3 are fundamentally the same malware family and share the same codebase,” ESET said. “Kazuar v3 has approximately 35% more lines of C# than Kazuar v2 and introduces additional network transport methods, namely WebSockets and Exchange Web Services.”
The attack chain involved the deployment of PteroGraphin, which was used to download a PowerShell downloader called PteroOdd; that downloader in turn fetched the payload from Telegraph and ran Kazuar. The payload is designed to collect the victim's computer name and the serial number of the system drive volume and exfiltrate them to a Cloudflare Workers subdomain before launching Kazuar.
That said, it is important to note that there are indications that Gamaredon downloaded Kazuar, as the backdoor is said to have been present on the system since February 11, 2025.
In a sign that this is not an isolated phenomenon, ESET revealed that in March 2025 it identified another PteroOdd sample on a different machine in Ukraine on which Kazuar was also present. The malware can harvest a wide range of system information, along with a list of installed .NET versions, and send it to an external domain (“eset.ydns[.]eu”).

Gamaredon's toolset lacks .NET malware, and the fact that Turla's Kazuar is .NET-based suggests that this data collection step is likely intended for Turla.
The second set of attacks was detected in mid-April 2025, when another PowerShell downloader was dropped using PteroOdd from a domain ending in [.]eu that served Kazuar v2 (“scrs.ps1”), a version documented by Palo Alto Networks in the second half of 2023.
ESET said a third attack chain was detected on June 5 and 6, 2025, in which a PowerShell downloader called PteroPaste was used to drop and install Kazuar v2 (“ekrn.ps1”) from the IP address 91.231.182[.]187 on two machines in Ukraine. The use of the name “ekrn” is an attempt by the threat actor to masquerade as “ekrn.exe,” a legitimate binary associated with ESET endpoint security products.
“We believe that both groups, individually associated with the FSB, are now working together, and that Gamaredon provides initial access to Turla,” said ESET researchers Matthieu Faou and Zoltán Rusnák.
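A defender's hunting sketch for the behaviours described in this article (Task Scheduler-launched PowerShell running a script named after ESET's ekrn.exe, Excel add-in persistence, and PowerShell contacting the Telegraph API or a Cloudflare Workers subdomain), written as an added example that is not from the ESET report. The telemetry records, their field format, and the use of the api.telegra.ph and workers.dev hostnames as stand-ins for those services are assumptions.

```python
import re
# Constructed sample endpoint telemetry written for this example (not from the
# ESET report). Record format assumed: "<type>|key=value;key=value;...".
SAMPLE_EVENTS = [
    "process|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "parent=svchost.exe -k netsvcs -s Schedule;"
    "cmdline=powershell -ep bypass -w hidden -f C:\\Users\\u\\AppData\\Roaming\\ekrn.ps1",
    "file_create|path=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\book1.xlam",
    "dns|process=powershell.exe;query=api.telegra.ph",
    "dns|process=powershell.exe;query=abc.example.workers.dev",
    "process|image=C:\\Program Files\\ESET\\ESET Security\\ekrn.exe;"
    "parent=services.exe;cmdline=ekrn.exe",
    "dns|process=chrome.exe;query=example.com",
]

# Legitimate security-product binary names that a dropped script may imitate.
LOOKALIKE_BINARIES = {"ekrn"}

def parse(record):
    kind, _, body = record.partition("|")
    return kind, dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)

def check_event(record):
    """Return the names of the hunt rules a single record matches."""
    kind, f = parse(record)
    hits = []
    if kind == "process":
        # Task Scheduler-spawned PowerShell running a .ps1 named after a security binary.
        scheduled = "-s schedule" in f.get("parent", "").lower()
        is_ps = "powershell" in f.get("image", "").lower()
        scripts = re.findall(r"([\w-]+)\.ps1\b", f.get("cmdline", "").lower())
        if scheduled and is_ps and any(s in LOOKALIKE_BINARIES for s in scripts):
            hits.append("scheduled_powershell_lookalike_script")
    elif kind == "file_create":
        # New Excel add-in dropped into the auto-load folder (XLSTART persistence).
        path = f.get("path", "").lower()
        if "\\xlstart\\" in path and path.endswith((".xlam", ".xll", ".xla")):
            hits.append("excel_addin_persistence")
    elif kind == "dns":
        # PowerShell resolving the Telegraph API or a Cloudflare Workers subdomain.
        query = f.get("query", "").lower()
        from_ps = f.get("process", "").lower().startswith("powershell")
        if from_ps and (query == "api.telegra.ph" or query.endswith(".workers.dev")):
            hits.append("powershell_to_telegraph_or_workers")
    return hits

def hunt(events):
    """Run every rule over every record; returns (event index, rule) pairs."""
    return [(i, rule) for i, e in enumerate(events) for rule in check_event(e)]
```

The legitimate ekrn.exe record (launched by services.exe, no script) and the browser DNS lookup produce no hits, which is the false-positive check a practitioner would want before deploying such rules.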