VYPR
Research · Published Sep 19, 2025 · Updated May 18, 2026 · 1 source

Gamaredon and Turla Collaborate for First Time in Ukraine, ESET Reveals

ESET researchers have uncovered the first known collaboration between two Russian FSB-linked threat actors, Gamaredon and Turla, in Ukraine. The discovery, detailed in a blog post published on September 19, 2025, reveals that Gamaredon's tools were used to deploy and restart Turla's Kazuar backdoor on compromised machines in Ukraine between February and June 2025. This marks a significant escalation in Russian cyberespionage operations: the two groups, previously thought to operate independently, are now sharing access and tools to target high-value Ukrainian systems.

The collaboration was first detected in February 2025, when ESET telemetry identified four machines in Ukraine compromised by both Gamaredon and Turla. On one of these machines, ESET captured a payload showing that Gamaredon's PteroGraphin tool was used to restart Turla's Kazuar v3 backdoor, likely after it crashed or failed to launch automatically. This is the first technical evidence linking the two groups. In April and June 2025, ESET observed Kazuar v2 being deployed directly via Gamaredon tools PteroOdd and PteroPaste, further confirming the partnership.

Gamaredon, active since at least 2013, is attributed by the Security Service of Ukraine to Center 18 of the FSB, operating out of occupied Crimea. The group is known for widespread attacks against Ukrainian government institutions, often using spearphishing and malicious LNK files. Turla, also known as Snake, has been active since at least 2004 and is attributed to Center 16 of the FSB, Russia's main signals intelligence agency. Turla focuses on high-profile targets such as governments and diplomatic entities, and has previously breached the US Department of Defense and Swiss defense company RUAG.

The victimology of the operation reveals a stark contrast in scale. Over the past 18 months, ESET detected Turla on only seven machines in Ukraine, while Gamaredon compromised hundreds or thousands. This suggests that Turla selectively leverages Gamaredon's broad access to reach machines containing highly sensitive intelligence. The last Turla compromise in Ukraine prior to this was in February 2024, indicating a renewed focus on the region.

ESET proposes three hypotheses for the collaboration. The most likely is that Gamaredon provided access to Turla operators, allowing them to issue commands on specific machines to restart Kazuar and deploy Kazuar v2. This is consistent with Gamaredon's history of collaborating with other Russia-aligned actors, such as InvisiMole, as documented by ESET in 2020. Alternatively, Turla may have hijacked Gamaredon's infrastructure, as Turla is known for hijacking other threat actors' infrastructure, including that of OilRig, Andromeda, Amadey, and SideCopy, to gain initial access. A third, unlikely hypothesis is that Turla compromised Gamaredon infrastructure.

The collaboration illustrates how Russian cyberespionage operations in Ukraine are evolving, with multiple FSB-linked groups now coordinating to maximize impact. By combining Gamaredon's broad access with Turla's sophisticated backdoors, the actors can more effectively target high-value systems while maintaining operational security. The findings underscore the need for defenders to monitor for indicators of both groups and to recognize that an initial compromise by a lower-tier actor may be a precursor to a more advanced intrusion.
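The defensive takeaway above, that a broad-access actor's foothold can precede a more selective actor's implant on the same host, is the kind of pattern ESET itself surfaced by correlating detections per machine. The following is an added example, not code from ESET or from the Vypr summary: it correlates constructed per-host detection events by malware family, attributes each family to an actor using only the mapping stated in the article (PteroGraphin, PteroOdd and PteroPaste to Gamaredon; Kazuar to Turla), and reports hosts where more than one actor's tooling appears and, separately, hosts where the broad-access actor's tooling was seen strictly before the selective actor's. The event feed, host names, timestamps and the coarse "broad-access"/"selective" tiering are assumptions made for the illustration.

```python
"""Correlate per-host malware-family detections to surface multi-actor overlap.

Added example. The events below are constructed for illustration; only the
family-to-actor mapping (PteroGraphin/PteroOdd/PteroPaste -> Gamaredon,
Kazuar -> Turla) is taken from the ESET findings summarised in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Family -> actor attribution as stated in the article.
FAMILY_ACTOR = {
    "PteroGraphin": "Gamaredon",
    "PteroOdd": "Gamaredon",
    "PteroPaste": "Gamaredon",
    "Kazuar": "Turla",
}

# Assumed coarse tiering, used only to order the "precursor" relationship:
# the broad-access actor's tooling is expected first, the selective actor's second.
ACTOR_TIER = {"Gamaredon": "broad-access", "Turla": "selective"}


@dataclass(frozen=True)
class Detection:
    host: str
    seen: datetime
    family: str


def parse_events(lines):
    """Parse constructed 'host, ISO-timestamp, family' lines into Detection objects.

    Blank lines, '#' comments, malformed rows and unknown families are skipped so
    a noisy feed cannot silently bias the correlation.
    """
    out = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        host, ts, family = parts
        if family not in FAMILY_ACTOR:
            continue
        out.append(Detection(host, datetime.fromisoformat(ts), family))
    return out


def correlate(detections):
    """Return {host: {actor: first_seen}} for hosts where more than one actor's tooling appears."""
    first_seen = defaultdict(dict)
    for d in detections:
        actor = FAMILY_ACTOR[d.family]
        prev = first_seen[d.host].get(actor)
        if prev is None or d.seen < prev:
            first_seen[d.host][actor] = d.seen
    return {h: a for h, a in first_seen.items() if len(a) > 1}


def precursor_hosts(overlap):
    """From correlate() output, return hosts where the broad-access actor's first
    detection strictly precedes the selective actor's: the lower-tier foothold
    followed by a more targeted implant that the article warns defenders about."""
    hits = []
    for host, actors in overlap.items():
        broad = [t for a, t in actors.items() if ACTOR_TIER[a] == "broad-access"]
        sel = [t for a, t in actors.items() if ACTOR_TIER[a] == "selective"]
        if broad and sel and min(broad) < min(sel):
            hits.append(host)
    return sorted(hits)


# Constructed sample feed (not real telemetry).
SAMPLE_EVENTS = """
# host, first detection time, family
ws-101, 2025-02-03T09:12:00, PteroOdd
ws-101, 2025-02-07T14:40:00, Kazuar
ws-102, 2025-02-10T08:00:00, PteroGraphin
ws-103, 2025-03-01T11:05:00, Kazuar
ws-103, 2025-03-04T16:20:00, PteroPaste
ws-104, 2025-04-02T10:00:00, PteroOdd
ws-104, 2025-04-02T10:00:00, Kazuar
bad line without enough fields
ws-105, 2025-05-01T12:00:00, UnknownFamily
""".splitlines()


def run(lines=SAMPLE_EVENTS):
    """Parse, correlate and summarise; returns a dict so callers can assert on it."""
    overlap = correlate(parse_events(lines))
    return {
        "multi_actor_hosts": sorted(overlap),
        "precursor_hosts": precursor_hosts(overlap),
    }


if __name__ == "__main__":
    result = run()
    for host in result["multi_actor_hosts"]:
        print(f"{host}: tooling from more than one actor present")
    print("broad-access foothold preceded selective implant on:", result["precursor_hosts"])
```

On the constructed feed, three hosts carry tooling from both actors, but only ws-101 shows the ordering the article describes; ws-103 has the selective implant first and ws-104 has both at the same timestamp, so neither is flagged as a precursor case. In practice the same correlation would run over an EDR or AV detection export, and the family-to-actor table would be maintained from vendor attribution rather than hard-coded.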

Synthesized by Vypr AI