Turla and Gamaredon Join Forces to Target Ukraine with Kazuar Malware


By Tina Reynolds

Cybersecurity experts — including CISA — are sounding the alarm! The infamous Russian hacker rings Turla and Gamaredon have teamed up to unleash the Kazuar backdoor on targets in Ukraine. This announcement comes at a time when the increasing cyber threats against Ukrainian infrastructure have accelerated—especially in the wake of rising geopolitical tensions in the area.

Turla, aka Snake, has been active since at least 2004, and some trace its roots as far back as the late 1990s. The group, which has been linked to the hacking of the DNC and other political organizations, is suspected to have deep ties to the Russian Federal Security Service (FSB). It specifically goes after high-value targets, including government agencies and diplomatic missions across Europe, Central Asia, and the Middle East.

During the last year and a half, researchers from Microsoft’s Defending Democracy Program have found Turla-related indicators on seven machines in Ukraine. These findings align with another recent Gamaredon breach, which had affected four machines by January 2025. By the end of February 2025, the attackers had deployed the most recent version of Kazuar, known as Kazuar v3. This joint activity marked a major escalation in the coordinated cyberattacks.

Kazuar Malware: A Persistent Threat

Kazuar has become a staple tool in Turla’s arsenal, known for its constant updates and advanced targeting capabilities. The malware is built on Microsoft’s .NET framework, which lets it operate stealthily while seeking out key systems on a victim network. In earlier versions, Kazuar used Amadey bots to deploy a backdoor named Tavdig, which in turn dropped further payloads.

As we discussed last month, the partnership between Turla and Gamaredon has been a clear example of cooperation between the two groups. According to ESET researchers Matthieu Faou and Zoltán Rusnák, “We now believe with high confidence that both groups – separately associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla.” This relationship allows Turla to rely on the initial-access methods developed by Gamaredon to get into targeted Ukrainian systems.

In March 2025, ESET identified another PteroOdd sample on a further machine located in Ukraine. This finding shows that Kazuar was deployed in that intrusion as well. Gamaredon used a multi-stage deployment chain: PteroGraphin was used to download a PowerShell downloader called PteroOdd, which in turn downloaded a payload from Telegraph to run Kazuar.

Attack Patterns and Recent Developments

The tactics used by these hacker organizations reveal a distinct pattern of one group brokering access for the other. On June 5 and 6, 2025, ESET detected a third attack chain. In this case, the final downloader that deployed and installed Kazuar v2 was a PowerShell downloader named PteroPaste.

ESET provided insight into the functionality of PteroGraphin, stating, “PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically.” This indicates that Turla is using PteroGraphin as an evasion and recovery tool to guarantee persistent access to compromised systems, even when the backdoor fails to start on its own.

In fact, early artifacts tied to Kazuar have been seen in the wild as far back as 2016. This long operational history underscores the malware’s persistence and adaptability, making it a highly capable cyber-espionage tool.

Implications for Cybersecurity in Ukraine

The implications of this collaboration between Turla and Gamaredon are far-reaching for Ukraine’s cybersecurity landscape. With state and non-state actors actively working to disrupt Ukrainian infrastructure, the agencies concerned are called on to strengthen their safeguards against possible intrusions. These attacks are highly coordinated and complex, highlighting an unprecedented threat. Defenders need to be thinking about holistic cybersecurity approaches that address these threats from all angles.

With the situation rapidly changing, cybersecurity companies are working around the clock to keep a pulse on activity associated with these hacker groups. Mitigating attacks of this sophistication requires the knowledge and skill of a global alliance of cybersecurity experts.