Two Russian state-linked threat actors, Gamaredon and Turla, are working together to compromise high-value defense targets in Ukraine, according to a new report by ESET.
These collaborations involve the shared use of tools in campaigns during 2025 and reflect a wider strategic culture within Russia’s internal security and national defense.
In four attacks observed in February, ESET captured a payload showing that Turla was able to issue commands via Gamaredon implants.
The downloader tool PteroGraphin, thought to be exclusive to Gamaredon, was used to restart Turla’s Kazuar backdoor malware. Therefore, it is likely PteroGraphin was used as a recovery method by Turla, possibly after Kazuar crashed or was not launched automatically.
Kazuar was used to download machine data, including the victim’s computer name and username, a list of running processes, the OS version and lists of files and directories in various locations.
In April and June 2025, Kazuar v2 installers were deployed directly by Gamaredon tools.
These discoveries have led the researchers to conclude with high confidence that the two groups are collaborating.
“This is the first time that we have been able to link these two groups together via technical indicators,” the ESET researchers noted in the report published on September 19.
“The 2022 full-scale invasion of Ukraine has probably reinforced this convergence, with ESET data clearly showing Gamaredon and Turla activities focusing on the Ukrainian defense sector in recent months,” they added.
Collaborating FSB Groups with Different Targeting Strategies
Gamaredon and Turla are believed to be affiliated to the Russian Federal Security Service (FSB).
Both groups have been highly active since Russia’s invasion of Ukraine in 2022.
While Gamaredon has been observed compromising “hundreds if not thousands of machines,” Turla has only been detected on seven machines in Ukraine in the past 18 months. This suggests the group is only interested in specific machines, probably ones containing highly sensitive intelligence, the researchers noted.
Both actors are focused on cyber-espionage.
Gamaredon has been active since at least 2013, mostly targeting Ukrainian governmental institutions.
Turla has been active since at least 2004, possibly extending back to the late 1990s. It mainly focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia and the Middle East.
In addition to the attacks detected in February, April and June, the researchers observed other cases of Gamaredon tools being present on machines in Ukraine where Kazuar was also present.