Collaboration suspected between the Gamaredon and Turla threat groups, according to research findings

Discovered Collaboration Between Gamaredon and Turla Cybercriminal Groups, Both Tied to the FSB, According to ESET Research

In a groundbreaking discovery, ESET Research has uncovered evidence of collaboration between two of Russia's most notorious cyber-espionage groups: Gamaredon and Turla. This marks the first time anyone has been able to link these two groups together via technical indicators.

ESET Researcher Zoltán Rusnák, along with Matthieu Faou, has shed light on this cooperative cyber-attack activity targeting high-profile Ukrainian entities. The collaboration between these groups, both linked to Russia's primary intelligence agency, the FSB, has been a subject of speculation for years, with a history that can be traced back to the Cold War era.

Turla, also known as Snake, has been active since at least 2004. Known for breaching major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014, Turla mainly focuses on high-profile targets such as governments and diplomatic entities in Europe, Central Asia, and the Middle East.

On the other hand, Gamaredon has been active since at least 2013, primarily responsible for attacks against Ukrainian governmental institutions. The compromise vector for Gamaredon's attacks is believed to be spearphishing and malicious LNK files on removable drives.

The latest branch of the Kazuar family, a C# espionage implant used exclusively by Turla, is Kazuar v3. ESET Research detected the execution of Turla's Kazuar backdoor by Gamaredon's PteroGraphin and PteroOdd on a machine in Ukraine in February 2025. PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically.

Other malware deployed by Gamaredon includes PteroLNK, PteroStew, and PteroEffigy. Gamaredon is operated by officers of Center 18 of the FSB in Crimea, part of the FSB's cybersecurity service.

The 2022 full-scale invasion of Ukraine has probably reinforced the convergence of Gamaredon and Turla's activities, with ESET data showing a focus on the Ukrainian defense sector in recent months.

Turla is attributed to Center 16 of the FSB, Russia's main signals intelligence agency, by the UK's National Cyber Security Centre. This collaboration between the two entities underscores the ongoing cyber threat posed by Russian intelligence agencies and the need for vigilance in the face of such activities.
