The Russian hacking groups Gamaredon and Turla have been caught working together in a cyber campaign against Ukraine. The finding comes from cybersecurity company ESET, which uncovered the link after noticing Gamaredon’s tools being used to deliver Turla’s Kazuar backdoor. The activity was observed between February and June 2025, and researchers believe it shows direct collaboration rather than coincidence.

Gamaredon used three of its custom tools, named PteroGraphin, PteroOdd, and PteroPaste, to drop Kazuar on at least one Ukrainian machine. This means one group handled the initial compromise, while the other deployed its more advanced malware for persistence and spying. Such a handoff is a strong sign of cooperation between the two groups.
Kazuar itself is a powerful cross-platform backdoor created by Turla. It can steal files, capture screenshots, run remote commands, and act as a proxy through infected devices. Its design also allows it to hide effectively from security tools, making it a serious threat for long-term espionage.

Gamaredon, also known as Armageddon or Hive0051, is infamous for noisy and aggressive attacks, mainly through phishing campaigns. Their operations often focus on Ukrainian government and defense targets. Turla, sometimes called Pensive Ursa, is older and more advanced, specializing in stealthy, long-lasting cyber-espionage missions. Both have been linked by researchers to Russia’s FSB intelligence service.
This partnership matters because it combines different strengths. Gamaredon spreads quickly and compromises many systems, but its methods are usually easy to detect. Turla, on the other hand, is highly skilled at staying hidden and collecting intelligence silently. Together, they create a threat that is fast, stealthy, and much harder to defend against.

ESET stressed that this is not just about reusing tools. The clear sequence of Gamaredon’s malware delivering Turla’s Kazuar backdoor proves active coordination. It is one of the clearest signs yet of Russian cyber groups directly working together in Ukraine. For defenders, this sets a dangerous precedent.
Experts recommend that organizations watch closely for signs of Gamaredon and Turla activity. Indicators linked to PteroGraphin, PteroOdd, PteroPaste, and Kazuar should be treated as high priority. Blocking malicious command-and-control servers, using advanced endpoint detection, and applying network segmentation are some of the most effective defensive steps.
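
One way to act on that recommendation is to correlate detections per host, so that a Gamaredon tool alert followed by a Kazuar alert is escalated as a likely handoff. The sketch below is an added example, not code from ESET or from this article; the alert format, host names, verdict labels and 7-day window are assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta

# Malware family names as reported on this page, grouped by operator.
GAMAREDON_TOOLS = {"PteroGraphin", "PteroOdd", "PteroPaste"}
TURLA_TOOLS = {"Kazuar"}

# Constructed sample alerts: (host, ISO timestamp, detected family). Not real telemetry.
SAMPLE_ALERTS = [
    ("ws-014", "2025-03-02T08:15:00", "PteroGraphin"),
    ("ws-014", "2025-03-02T09:40:00", "Kazuar"),
    ("ws-022", "2025-03-05T11:00:00", "PteroPaste"),
    ("srv-003", "2025-04-10T02:30:00", "Kazuar"),
    ("ws-031", "2025-02-01T10:00:00", "PteroOdd"),
    ("ws-031", "2025-05-20T10:00:00", "Kazuar"),
]

# Hypothetical triage ranking: lower number means investigate first.
SEVERITY = {"handoff": 0, "both-unordered": 1, "kazuar-only": 2, "gamaredon-only": 3}


def classify_hosts(alerts, window=timedelta(days=7)):
    """Map each host to a verdict based on which families were seen and in what order."""
    per_host = {}
    for host, ts, family in alerts:
        per_host.setdefault(host, []).append((datetime.fromisoformat(ts), family))

    verdicts = {}
    for host, events in per_host.items():
        ptero = [t for t, f in events if f in GAMAREDON_TOOLS]
        kazuar = [t for t, f in events if f in TURLA_TOOLS]
        # Handoff: a Gamaredon tool seen first, Kazuar on the same host within the window.
        if any(timedelta(0) <= k - p <= window for p in ptero for k in kazuar):
            verdicts[host] = "handoff"
        elif ptero and kazuar:
            verdicts[host] = "both-unordered"  # both seen, but not in sequence/window
        elif kazuar:
            verdicts[host] = "kazuar-only"
        elif ptero:
            verdicts[host] = "gamaredon-only"
    return verdicts


def triage_order(verdicts):
    """Return hosts sorted so likely handoffs are reviewed first."""
    return sorted(verdicts, key=lambda h: (SEVERITY[verdicts[h]], h))


if __name__ == "__main__":
    result = classify_hosts(SAMPLE_ALERTS)
    for host in triage_order(result):
        print(host, result[host])
```
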
The discovery shows how Russian groups are adapting their tactics to increase their impact. By joining forces, they can move from initial compromise to long-term surveillance faster than before. For Ukraine and organizations connected to it, this raises the threat level even further and highlights the urgent need for stronger cyber defenses.
Stay alert, and keep your security measures updated!
