Researchers have uncovered the first concrete evidence of collaboration between two prominent Russian-backed APT groups: Gamaredon and Turla. 

In a new report, ESET researchers detail several instances in which the two groups’ tools were found on the same compromised machines in Ukraine and say it is likely that Gamaredon and Turla are actively working together in some fashion. The dual-compromised machines have only been found in Ukraine, the researchers said.

Both groups are known for their sophisticated cyberespionage activities and their affiliation with Russia's Federal Security Service (FSB), the country’s primary intelligence service. This newly uncovered cooperation marks a significant shift in their tactics, as they jointly target sensitive machines in Ukraine. Turla is by far the more active and well-known of the two groups; it is believed to be responsible for a wide range of intrusions and has a broad arsenal of tools and tactics at its disposal.

Key Discoveries

  • First Technical Link: In February 2025, ESET detected four instances in Ukraine involving both Gamaredon and Turla compromising the same machine. Notably, Gamaredon's tool, PteroGraphin, was observed being used to restart Turla's Kazuar v3 backdoor on one of these machines, suggesting a recovery mechanism employed by Turla through Gamaredon's implants. 
  • Direct Deployment: Further evidence of collaboration emerged in April and June 2025, when ESET detected Kazuar v2 installers being directly deployed by Gamaredon's tools, specifically PteroOdd and PteroPaste. This confirms active cooperation between the two groups to gain access to specific Ukrainian systems. 
  • Targeted Victimology: While Gamaredon is known for widespread compromises, Turla's victim count in Ukraine over the past 18 months is relatively low (seven machines), indicating that Turla is likely focusing on a smaller number of high-value targets, probably those containing highly sensitive intelligence. 

Attribution and Tools

  • Gamaredon's Arsenal: ESET’s researchers attribute tools such as PteroLNK, PteroStew, PteroEffigy, and PteroGraphin exclusively to Gamaredon.
  • Turla's Signature Malware: Similarly, Kazuar v2 and Kazuar v3 are believed to be exclusive to the Turla group. Kazuar v3 is the latest version of an advanced C# espionage implant first seen in 2016. 
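
For defenders triaging alerts, the overlap described above can be checked mechanically. The following is an added example, not code from ESET or from the original article: it groups detections per host using the tool attribution listed above and flags hosts where a Gamaredon tool alert precedes a Kazuar alert. The hostnames, timestamps, alert tuple format and the 24-hour window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tool-to-group attribution as stated in the article (ESET's attribution).
TOOL_GROUP = {
    "PteroLNK": "Gamaredon", "PteroStew": "Gamaredon", "PteroEffigy": "Gamaredon",
    "PteroGraphin": "Gamaredon", "PteroOdd": "Gamaredon", "PteroPaste": "Gamaredon",
    "Kazuar v2": "Turla", "Kazuar v3": "Turla",
}

# Constructed sample alerts (hostname, ISO timestamp, tool label); not real telemetry.
SAMPLE_ALERTS = [
    ("ws-014", "2025-02-03T08:12:00", "PteroLNK"),
    ("ws-014", "2025-02-03T08:40:00", "PteroGraphin"),
    ("ws-014", "2025-02-03T09:05:00", "Kazuar v3"),
    ("ws-022", "2025-04-18T11:00:00", "PteroOdd"),
    ("ws-022", "2025-04-25T11:30:00", "Kazuar v2"),
    ("ws-031", "2025-06-05T14:00:00", "PteroStew"),
    ("ws-040", "2025-06-06T10:00:00", "Kazuar v2"),
    ("ws-040", "2025-06-06T10:20:00", "UnknownTool"),
]

def find_dual_compromise(alerts, window=timedelta(hours=24)):
    """Return {host: info} for hosts showing tools from both groups.

    info["handoff"] is True when a Gamaredon tool alert precedes a Turla
    alert on the same host by at most `window` (an assumed threshold).
    """
    per_host = defaultdict(list)
    for host, ts, tool in alerts:
        group = TOOL_GROUP.get(tool)
        if group is None:  # unmapped label: ignore rather than guess
            continue
        per_host[host].append((datetime.fromisoformat(ts), group, tool))

    findings = {}
    for host, seen in per_host.items():
        seen.sort()
        if {g for _, g, _ in seen} != {"Gamaredon", "Turla"}:
            continue  # single-group host: not the overlap case
        gam = [(t, tool) for t, g, tool in seen if g == "Gamaredon"]
        tur = [(t, tool) for t, g, tool in seen if g == "Turla"]
        pairs = [(a, b) for ta, a in gam for tb, b in tur
                 if timedelta(0) <= tb - ta <= window]
        findings[host] = {"handoff": bool(pairs), "pairs": pairs}
    return findings
```

A host flagged without a handoff pair still carries both families and warrants the same scrutiny; the ordering check only prioritises cases that match the deployment sequence the report describes.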

ESET believes that the collaboration is "very likely" a result of Gamaredon providing access to Turla operators, allowing them to issue commands and deploy Kazuar variants. This lines up with Gamaredon's previous collaborations with other Russia-aligned threat actors, such as InvisiMole in 2020. Turla is also known for hijacking other threat actors' infrastructure to establish initial footholds, most notably in instances involving OilRig, Andromeda C&C domains, Amadey botnet, and SideCopy infrastructure. 

While less likely, other hypotheses considered include Turla compromising Gamaredon's infrastructure, or Gamaredon independently deploying Kazuar on specific machines. [4] However, Gamaredon's typically noisy approach makes the latter less probable for highly targeted deployments. 

Geopolitical Context

Both Gamaredon and Turla are identified as components of the Russian FSB. Gamaredon is linked to Center 18 (Center for Information Security), while Turla is attributed to Center 16, the agency’s main signals intelligence arm. Historically, the KGB's 16th and 2nd Chief Directorates (predecessors to FSB's Center 16 and Center 18, respectively) frequently collaborated. 

“Then and now, such collaborations reflect the Russian strategic culture and philosophy of a natural continuity between internal security and national defense. Although Center 16 is still tasked with foreign intelligence collection and Center 18 is theoretically part of the FSB’s counterintelligence apparatus, both entities seem to maintain some mission overlaps – especially with regard to former Soviet republics,” the ESET report says. 

“In 2018, the Security Service of Ukraine (SBU) had already observed Centers 16 and 18 apparently conducting a joint cyberespionage campaign (named SpiceyHoney). The 2022 full-scale invasion of Ukraine has probably reinforced this convergence, with ESET data clearly showing Gamaredon and Turla activities focusing on the Ukrainian defense sector in recent months.”

The collaboration between Gamaredon and Turla represents a significant development in the cyber threat landscape, highlighting increased coordination among Russian state-sponsored actors targeting Ukraine.

“Given that Gamaredon already collaborated with another Russia-aligned group, InvisiMole, it would not be surprising to see Gamaredon providing access to additional Russia-aligned APTs in the future,” said Matthieu Faou, senior malware researcher at ESET.