Matthieu Faou

Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine

ESET researchers have uncovered the first technical evidence of operational collaboration between two of the most notorious Russia-aligned cyberespionage groups: Gamaredon and Turla. While both have previously been linked to the FSB, our observations mark the first time that Gamaredon is known to have actively facilitated Turla’s access to high-value Ukrainian targets. Between February and June 2025, we tracked multiple incidents where some Gamaredon custom tools — particularly PteroGraphin and PteroOdd — were used to deploy Turla’s flagship backdoor, Kazuar. In one case, PteroOdd was leveraged to install Kazuar v2; in another, it was used to restart a Kazuar v3 instance after Turla apparently lost access to the victim machines.

Gamaredon is currently the most active espionage group in Ukraine and it has been attributed by the Security Service of Ukraine to the 18th Center of Information Security of the FSB, operating out of occupied Crimea. In 2020, ESET researchers revealed that Gamaredon was already providing access to another Russia-aligned group that we named InvisiMole.

Turla, active since at least 2004 (and possibly the late 1990s), is a stealthy and technically sophisticated group. It is known for its complex implants such as the Snake rootkit and for hijacking other groups’ tools and infrastructure, such as Iran-aligned OilRig and the Amadey botnet.

This presentation will:

  • Provide an overview of Gamaredon’s latest TTPs, based on our extensive tracking of the group.
  • Detail the technical evidence of Gamaredon’s collaboration with Turla.
  • Analyze Kazuar v2 and v3 capabilities.
  • Offer hypotheses on the strategic implications of this collaboration.

Attendees will leave with a better understanding of common TTPs used by Gamaredon and Turla, and the current state of Russian cyber-operations in Ukraine.


Matthieu Faou is a senior malware researcher at ESET where he specializes in researching targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including Black Hat USA, BlueHat, Botconf, CYBERWARCON, NorthSec, and Virus Bulletin.
