Top Russian Hacker Groups United while Gamaredon & Turla Targeting Ukraine
“Russian hackers are now set to give it their all to penetrate Ukraine’s systems to weaken their security.”
An Uncommon Combination of Two Prolonged Espionage Activities
Ukraine has served as a test site for Russian cyber operations for over ten years. According to new information, Gamaredon and Turla, two of Moscow’s most infamous hacker organizations, are not only cooperating directly but also operating in parallel to breach Ukrainian systems.
This week, the Slovak cybersecurity company ESET published a study that described how Turla’s Kazuar backdoor was installed on numerous Ukrainian endpoints early this year using Gamaredon’s in-house malware tools.
The discovery suggests a significant change in Russia’s cyber strategy: an apparent convergence of organizations that have a history of conducting separate, but occasionally related, activities. Gamaredon, also known as Armageddon, has been active since 2013, often targeting Ukrainian government networks with its savage yet relentless attacks.
The more advanced espionage group Turla, on the other hand, has a history of breaking into Western diplomatic entities and defense contractors dating back to the late 1990s. Both organizations are associated with Russia’s Federal Security Service, or FSB.

From Kazuar to PteroGraphin: A Chain of Coordinated Attacks
The sequence that ESET observed took place in February 2025, when Turla’s Kazuar backdoor was launched by Gamaredon’s PowerShell-based program PteroGraphin. According to investigators, the tool was used to restart Kazuar v3 following an unsuccessful or insufficient installation.
The pattern was repeated in April and June. PteroOdd and PteroPaste, two more Gamaredon malware families, were found to be installing previous Kazuar versions on other Ukrainian computers.
Every link in the chain demonstrated a division of labor: Turla embedded its much more sophisticated surveillance implant, while Gamaredon secured entrance points with portable downloaders.
First discovered in 2016, Kazuar is a .NET-based backdoor that can communicate with attackers via a variety of channels, including web sockets and Exchange Web Services, exfiltrate system data, and create persistence.
According to ESET’s investigation, the most recent version has about one-third more code than the previous one, indicating ongoing development.
Convergence in the Face of Persistent Conflict
Following Russia’s full-scale invasion of Ukraine in 2022, which sparked both military and cyberattacks, the cooperation seems to have accelerated. Turla appears to be using these footholds to implant its more strategic espionage tools, while Gamaredon bombards Ukrainian targets with spear-phishing operations and USB-based propagation.

Over the course of the last 18 months, Turla-linked malware has infiltrated seven PCs, four of which Gamaredon initially gained access to. Analysts claim that despite the episodes’ limited number, they represent a unique tactical convergence amongst groups that had previously used diverse targets and tactics.
It’s unclear if this is an ad hoc arrangement or a component of a larger Russian intelligence plan. The ramifications, however, are evident to Ukrainian defenders and their Western allies: Russia’s cyber forces are becoming more unified, and underestimating their combined might could have serious consequences.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking.