Zoltán Rusnák

Gamaredon X Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine

ESET researchers have uncovered the first technical evidence of operational collaboration between two of the most notorious Russia-aligned cyberespionage groups: Gamaredon and Turla. While both have previously been linked to the FSB, our observations mark the first time that Gamaredon is known to have actively facilitated Turla’s access to high-value Ukrainian targets. Between February and June 2025, we tracked multiple incidents where some Gamaredon custom tools – particularly PteroGraphin and PteroOdd – were used to deploy Turla’s flagship backdoor, Kazuar. In one case, PteroOdd was leveraged to install Kazuar v2; in another, it was used to restart a Kazuar v3 instance after Turla apparently lost access to the victim machines.

Gamaredon is currently the most active espionage group in Ukraine and it has been attributed by the Security Service of Ukraine to the 18th Center of Information Security of the FSB, operating out of occupied Crimea. In 2020, ESET researchers revealed that Gamaredon was already providing access to another Russia-aligned group that we named InvisiMole.

Turla, active since at least 2004 (and possibly the late 1990s), is a stealthy and technically sophisticated group. It is known for its complex implants such as the Snake rootkit and for hijacking other groups’ tools and infrastructure, such as those of Iran-aligned OilRig and the Amadey botnet.

This presentation will:

  • Provide an overview of Gamaredon’s latest TTPs, based on our extensive tracking of the group.
  • Detail the technical evidence of Gamaredon’s collaboration with Turla.
  • Analyze Kazuar v2 and v3 capabilities.
  • Offer hypotheses on the strategic implications of this collaboration.

Attendees will leave with a better understanding of common TTPs used by Gamaredon and Turla, and the current state of Russian cyber-operations in Ukraine.


Zoltán Rusnák is a senior malware researcher at ESET, with a decade of experience in malware analysis and research. He has worked extensively on identifying and systematically monitoring major botnet families, including the infamous Emotet and Trickbot. His background in large-scale botnet tracking has been central to his current research on Gamaredon – one of the most active APT groups today – which has kept him busy for the past few years.
