Turla and Gamaredon Working Together in Fresh Ukrainian Intrusions

Turla malware was deployed in February on select systems that Gamaredon had compromised in January.

Two Russian state-sponsored threat actors have been working together in recent cyberattacks against Ukrainian targets, evidence collected by ESET suggests.

Specifically, the company found that, between February and April 2025, tools that Gamaredon had deployed were used to restart and deploy Turla malware on the systems of select victims in Ukraine.

Turla, also known as Krypton, Snake, Venomous Bear, and Waterbug, has been active since at least 2004, focusing on high-profile targets, including diplomats and government entities in Europe, Central Asia, and the Middle East.

Gamaredon, also known as Armageddon, BlueAlpha, Blue Otso, Callisto, Iron Tilden, Primitive Bear, Sector C08, and Winterflounder, has been active since at least 2013, mainly targeting individuals and organizations in Ukraine.

Gamaredon is believed to have conducted thousands of intrusions against Ukrainian entities. This year, on four of the compromised machines, ESET discovered that the APT’s tools were used to issue commands to and deploy Turla implants.

In February 2025, Gamaredon’s PteroGraphin tool was used as a recovery method to restart Turla’s Kazuar espionage implant, likely after it crashed, ESET says. In April, Gamaredon’s PteroOdd and PteroPaste were used to deploy Kazuar v2 installers.

“It is worth noting that, prior to this, the last time we detected a Turla compromise in Ukraine was in February 2024. All those elements, and the fact that Gamaredon is compromising hundreds if not thousands of machines, suggest that Turla is interested only in specific machines, probably ones containing highly sensitive intelligence,” ESET notes.

The cybersecurity firm assesses with strong confidence that the two state-sponsored groups are working together: it is unlikely that Turla has reproduced Gamaredon’s infection chain to abuse its tools, or that Gamaredon has access to Kazuar.

Additionally, ESET points out, both operations are run by officers of the Russian intelligence service FSB, although Gamaredon is associated with Center 18 (the Center for Information Security in Crimea) and Turla with Center 16 (Russia’s main signals intelligence agency).

“From an organizational perspective, it is worth noting that the two entities commonly associated with Turla and Gamaredon have a long history of reported collaboration, which can be traced back to the Cold War era,” ESET notes.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.