
Russian cyber actors Gamaredon and Turla launch Kazuar backdoor operations against organizations

In a novel series of intrusions observed in Ukraine during the first half of 2025, researchers have documented the first known operational collaboration between two Russia-aligned threat groups, Gamaredon and Turla, to deploy and manage the advanced Kazuar backdoor on high-value targets.

Telemetry from ESET reveals a tightly choreographed sequence in which Gamaredon’s versatile Ptero* toolset provided entry and delivery mechanisms for Turla’s espionage implant, Kazuar.

PteroGraphin Restarts Kazuar v3

On a compromised workstation in Ukraine, Gamaredon’s PowerShell downloader PteroGraphin (present as %APPDATA%\x86.ps1) retrieved and executed secondary payloads via encrypted Telegram pages.

Figure: PteroGraphin (token partially redacted)

Using a hardcoded 3DES key and IV, PteroGraphin decrypted content to launch the successor downloader PteroOdd.

Between February 27 and 28, PteroOdd fetched and executed Kazuar v3 by side-loading it into legitimate applications first via vncutil64.exe and then through LaunchGFExperience.exe with its accompanying DLL loader.

Memory analysis confirmed two distinct KERNEL-role Kazuar v3 payloads (agent labels AGN-RR-01 and AGN-XX-01), indicating redundant restart attempts.

The use of PteroGraphin as a recovery mechanism underscores Turla’s reliance on Gamaredon’s initial access to maintain persistence when Kazuar faltered.

April–June 2025 – Gamaredon Tools Deploy Kazuar v2

Subsequent detections in April and June demonstrated Gamaredon’s PteroOdd and PteroPaste downloaders directly installing Kazuar v2 on select machines. On April 18, PteroOdd fetched a script that staged the Kazuar v2 installer scrss.ps1 from a Cloudflare-hosted domain.

Figure: PteroOdd

Analysis of the AGN-AB-26 sample revealed three WordPress-hosted C&C endpoints: abrargeospatial[.]ir, brannenburger-nagelfluh[.]de, and pizzeria-mercy[.]de, consistent with Turla’s preference for compromised WordPress infrastructure.

In early June, PteroPaste deployed ekrn.ps1, a script named to masquerade as ESET’s legitimate ekrn.exe process, from an IP address; it used the same C&C domains and the agent label AGN-AB-27.

A VBScript variant of the Kazuar v2 installer, uploaded to VirusTotal from Kyrgyzstan, further suggests Turla’s expanding geographic focus beyond Ukraine.

Figure: PowerShell script executed by PteroPaste.

The low number of Turla deployments, with only seven machines in 18 months, contrasts sharply with Gamaredon’s broad spear-phishing and malicious LNK campaigns, which have compromised thousands of hosts.

This disparity suggests that Turla selectively targets high-value networks while leveraging Gamaredon’s high-volume operations to establish initial footholds.

Both Gamaredon and Turla are attributed to separate FSB centers, Center 18 for Gamaredon and Center 16 for Turla, reflecting the FSB’s historical continuity and intra-agency cooperation.

Given prior evidence of Gamaredon facilitating InvisiMole access and Turla hijacking third-party infrastructure, the latest collaboration between Gamaredon and Turla appears to be a purposeful integration of access and espionage capabilities.

This synergy enables Turla to focus on precision intelligence collection using Kazuar while relying on Gamaredon’s noisy but effective compromise methods.

As nation-state operators increasingly interweave their toolsets, defenders must anticipate hybrid intrusion models that blend high-volume access brokers with elite espionage implants.

Incident responders should hunt for Ptero* artifacts in environments where Kazuar emerges, and security teams must prioritize detection of cross-family tool usage to uncover such joint campaigns.

IoCs

SHA-1                                      Filename  Detection              Description
7DB790F75829D3E6207D8EC1CBCD3C133F596D67   N/A       PowerShell/Pterodo.QB  PteroOdd
2610A899FE73B8F018D19B50BE55D66A6C78B2AF   N/A       PowerShell/Pterodo.QB  PteroOdd
3A24520566BBE2E262A2911E38FD8130469BA830   N/A       PowerShell/Pterodo.QB  PteroOdd
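The hunting advice above (look for Ptero* artifacts wherever Kazuar appears) and the IoC list can be turned into a small triage script. The following is an added example, not ESET's or the article's code; it assumes a simple dict-based telemetry format (file, dns and image_load records), and the TRUSTED_DLL_ROOTS allow-list for the side-loading rule is an assumption of the example, not a fact from the report.

```python
# Indicators quoted in the article (defanged domains are refanged for matching).
PTEROODD_SHA1 = {
    "7DB790F75829D3E6207D8EC1CBCD3C133F596D67",
    "2610A899FE73B8F018D19B50BE55D66A6C78B2AF",
    "3A24520566BBE2E262A2911E38FD8130469BA830",
}
KAZUAR_V2_C2 = {d.replace("[.]", ".") for d in
                ("abrargeospatial[.]ir", "brannenburger-nagelfluh[.]de", "pizzeria-mercy[.]de")}
PTERO_SCRIPTS = {"x86.ps1", "scrss.ps1", "ekrn.ps1"}          # PteroGraphin and Kazuar v2 installers
SIDELOAD_HOSTS = {"vncutil64.exe", "launchgfexperience.exe"}  # Kazuar v3 side-load hosts
# Assumption (not from the article): DLLs loaded by those hosts from outside these roots merit review.
TRUSTED_DLL_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")

def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def hunt(events: list) -> list:
    """Return (event_index, rule, detail) for each event matching a Ptero*/Kazuar indicator."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "file":
            if ev.get("sha1", "").upper() in PTEROODD_SHA1:
                hits.append((i, "pteroodd_hash", ev["sha1"]))
            if _base(ev.get("path", "")) in PTERO_SCRIPTS:
                hits.append((i, "ptero_script_name", ev["path"]))
        elif kind == "dns":
            q = ev.get("query", "").lower().rstrip(".")
            if q in KAZUAR_V2_C2 or any(q.endswith("." + d) for d in KAZUAR_V2_C2):
                hits.append((i, "kazuar_c2_domain", q))
        elif kind == "image_load":
            host, dll = _base(ev.get("image", "")), ev.get("dll", "").lower()
            if host in SIDELOAD_HOSTS and not dll.startswith(TRUSTED_DLL_ROOTS):
                hits.append((i, "kazuar_sideload_host", f"{host} <- {ev['dll']}"))
    return hits

# Constructed sample telemetry (not real data): four suspicious records and one benign ESET load.
SAMPLE_EVENTS = [
    {"type": "file", "path": "C:\\Users\\u\\AppData\\Roaming\\x86.ps1", "sha1": "00" * 20},
    {"type": "file", "path": "C:\\Users\\u\\Downloads\\notes.txt",
     "sha1": "7db790f75829d3e6207d8ec1cbcd3c133f596d67"},
    {"type": "dns", "query": "pizzeria-mercy.de."},
    {"type": "image_load", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\vncutil64.exe",
     "dll": "C:\\Users\\u\\AppData\\Local\\Temp\\vncutil.dll"},
    {"type": "image_load", "image": "C:\\Program Files\\ESET\\ekrn.exe",
     "dll": "C:\\Program Files\\ESET\\em.dll"},
]

for hit in hunt(SAMPLE_EVENTS):
    print(hit)
```

Matches on the hash or domain rules are high confidence; the script-name and side-load rules are hunting leads that need the file and the loaded DLL pulled for analysis.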


The post Russian cyber actors Gamaredon and Turla launch Kazuar backdoor operations against organizations appeared first on Cyber Security News.
