It’s even been reported that the Russian hacking groups Turla and Gamaredon have consolidated their operations. Collectively, they are using a highly complex malware known as Kazuar against Ukraine. The joint effort is a dangerous step up in cyber warfare strategy, hitting important Ukrainian infrastructure with the risk of affecting our national security. Kazuar has been under active development since at least 2016. Its deployment underscores the new and dynamic nature of cyber threats against our critical infrastructure.
Turla, also known as Secret Blizzard or Venomous Bear, has links to the Russian Federal Security Service (FSB) and has been operational since at least 2004, with some analysts suggesting its activities date back to the late 1990s. The group mostly goes after big-name corporations. Their main targets are European and Central Asian governments and diplomatic missions located in the Middle East.
Evolution of Kazuar Malware
Kazuar is one of Turla’s most prominent implants, known for its continuous development and multipurpose capabilities. Kazuar v3 was deployed around the end of February 2025. In fact, it has been heavily incorporated into recent attacks on Ukrainian infrastructure. Kazuar functions as a remote access tool (RAT), enabling attackers to remotely control infected systems.
ESET’s cybersecurity research team has reported multiple instances of Kazuar’s deployment in Ukraine, particularly in conjunction with other malware such as the Amadey bots. These bots were used by Turla to install a backdoor called Tavdig, which then drops the .NET-based Kazuar tool.
“PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically,” – ESET
The use of Kazuar in the cyberattacks mentioned above reinforces the strategic partnership between Turla and Gamaredon. Their combined manpower and tooling allow them to carry out sophisticated strikes that make detection and mitigation challenging even for the best cybersecurity experts.
Recent Attacks and Indicators
Over the past year and a half, ESET found Turla-related indicators on 7 machines in Ukraine. This finding makes clear a concerted, sustained campaign against the country’s digital infrastructure. By January 2025, Gamaredon had gained a foothold on four of those machines, creating a perfect launch pad for future incursions.
ESET detected a second wave of attacks around mid-April 2025. Throughout this period, they saw the widespread use of PteroOdd. This tool was used to deliver yet another PowerShell downloader known as PteroEffigy. Together these suggest a targeted methodology: identify and compromise systems, then maintain long-term access for Turla’s Kazuar malware.
“Thus, PteroGraphin was probably used as a recovery method by Turla.” – ESET researchers Matthieu Faou and Zoltán Rusnák
This collaborative effort highlights the effective use of various malware tools to maintain persistent access and control over targeted networks. Further, the use of several simultaneous attack vectors raises the question of how prepared and resilient Ukraine’s cybersecurity defenses are against such coordinated, multi-pronged efforts.
Continuing Cyber Threat Landscape
ESET observed a third attack chain on June 5 and 6, 2025. In this attack, the operators leveraged a PowerShell downloader, PteroPaste, to install Kazuar v2. This is the latest example of a dangerous new pattern: Gamaredon’s malware families are now being operated in tandem with Turla’s malware capabilities to enhance their operational effectiveness.
ESET noticed the deployment of Kazuar v2 in April and June of 2025. In particular, they pointed out its use in co-infections with other Gamaredon malware families such as PteroOdd and PteroPaste. This pattern shows that both groups are following a deliberate tactic: they are expanding and diversifying their attack methodologies without losing the core multi-functionality of their malware tools.