In a surprising new twist on the cybersecurity landscape, two of the most famous Russian hacking groups, Gamaredon and Turla, have joined forces. Together, they are using the Kazuar backdoor to attack targets in Ukraine. Both groups are thought to be connected to the Russian Federal Security Service (FSB). Unsurprisingly, they are now actively targeting Ukrainian government organizations as geopolitical tensions between Russia and Ukraine continue to escalate. This pro-Kremlin collaboration is a troubling new step in the use of cyber warfare as a tactic, particularly in a region that has been facing heightened security threats.
Turla, also known as Secret Blizzard and Venomous Bear, is a high-profile cyber espionage actor. Its multi-year activity in the international arena mostly targets governments and diplomatic entities across Europe, Central Asia, and the Middle East. The group is well known for its use of advanced malware, with Kazuar serving as its go-to implant; the current Kazuar is a new, rapidly updated variant of that implant. Turla has also, for the first time, used Amadey bots to install a backdoor dubbed Tavdig.
Gamaredon, also tracked under aliases such as Aqua Blizzard and Armageddon, is, like Turla, known to have some connection with the FSB. The group is known for using spear-phishing and malicious LNK files on removable drives as vectors to deploy its attacks. In one of its more inventive twists, Gamaredon used PteroGraphin to retrieve a PowerShell downloader dubbed PteroOdd. This downloader then fetched a payload from Telegraph to run Kazuar.
Recent Cyber Activity in Ukraine
Over the past year and a half, Turla indicators have appeared on seven computers inside Ukraine. Alarmingly, four of these systems fell prey to Gamaredon by January 2025.
Kazuar v3
The most recent variant of Kazuar, known as Kazuar v3, was released in late February 2025.
In the view of ESET researchers, the cooperation between these two hacking collectives constitutes a greater risk to Ukraine’s cybersecurity. Specifically, they stated, “We now believe with high confidence that both groups – separately associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla.” This revelation highlights the extent to which their coordinated efforts are aimed at the most sensitive Ukrainian targets.
In March 2025, ESET observed a second occurrence of PteroOdd on another machine in Ukraine, one that was also found to have Kazuar on it. The ongoing development of these cyber threats underlines the need for extensive cybersecurity investment in the affected areas.
Techniques and Tools Employed
The innovative technological strategies used by Gamaredon and Turla are a testament to the sophistication of these advanced persistent threats. Gamaredon’s spear-phishing has proven highly effective at gaining initial access to targeted networks, and the group frequently uses malicious LNK files placed on removable drives. This tactic enables them to reach sensitive systems.
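The removable-drive LNK vector described above is best countered by inspecting shortcuts before anyone opens them. What follows is an added example, not code from ESET, Gamaredon research, or this article: a small Python parser for the Windows shell-link (.lnk) format that pulls out the relative target, command-line arguments and ShowCommand value, together with a triage rule set. The interpreter list and argument patterns are assumptions to tune per environment; the sample shortcuts it builds are constructed so the script runs offline, and targets stored only in the LinkTargetIDList (with no RelativePath) are not resolved.

```python
import pathlib
import re
import struct

# LinkFlags bits and layout constants from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised, without focus

# Heuristics (assumptions for this example): interpreters a document-like shortcut has no
# business launching, and argument patterns typical of script downloaders.
INTERPRETERS = re.compile(r"(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
LOADER_ARGS = re.compile(r"(-e(nc\w*)?\b|hidden|bypass|iex|invoke-expression|downloadstring|https?://)", re.I)

# StringData fields in the order the format stores them.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a shell link.

    LinkTargetIDList and LinkInfo are skipped by their declared sizes, so a target
    stored only in the IDList is not resolved here.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize counts itself
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {name}")
        info[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return info


def triage_lnk(info: dict) -> list[str]:
    """List the reasons a parsed shortcut looks like a script-launching lure (empty if none)."""
    findings = []
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    if INTERPRETERS.search(target):
        findings.append(f"target is a script interpreter: {target}")
    if LOADER_ARGS.search(args):
        findings.append(f"arguments look like a loader: {args}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand 7: window minimised without focus")
    return findings


def scan_for_lnk(root: str) -> list[tuple[str, list[str]]]:
    """Walk a mounted volume (e.g. a removable drive) and report shortcuts with findings."""
    hits = []
    for path in pathlib.Path(root).rglob("*.lnk"):
        try:
            findings = triage_lnk(parse_lnk(path.read_bytes()))
        except (ValueError, struct.error):
            continue  # not a parseable shell link; skip it
        if findings:
            hits.append((str(path), findings))
    return hits


def build_lnk(target: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode shell link (RelativePath + Arguments only) as test input."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, arguments))
    return header + body


if __name__ == "__main__":
    # Constructed samples: a benign shortcut and a lure that launches a hidden PowerShell.
    benign = build_lnk(r"..\..\Windows\System32\notepad.exe", "")
    lure = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-w hidden -ep bypass -enc QQBBAEEAQQA=", SW_SHOWMINNOACTIVE)
    for label, blob in (("benign", benign), ("lure", lure)):
        print(label, triage_lnk(parse_lnk(blob)))
```

Point `scan_for_lnk` at the mount point of a removable drive to sweep it before use; on a real sample, pair the output with the IDList-resolved target from a full LNK parser, since many shortcuts carry no RelativePath at all.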
Turla’s reliance on Kazuar further shows its priority on keeping access once the initial compromise has happened. The malware’s flexibility, through constant updates, gives Turla the advantage of staying a step ahead of detection attempts. A recent ESET research blog indicated that PteroGraphin reactivated the Kazuar v3 backdoor; this was triggered right after the backdoor either crashed or failed to start at boot. Their ability to recover and regroup only highlights the resiliency of their attack techniques.
ESET observed that Turla probably utilized PteroGraphin as a persistence mechanism. This emphasizes the threat actor’s tactical approach to maintaining and preserving its malware environment.
Implications for Cybersecurity
The partnership between Gamaredon and Turla is a chilling sign of the times for cybersecurity analysts tracking threats in Eastern Europe. The combination of methods from both camps shows an emerging tactical alliance with the shared purpose of inflicting maximum damage on Ukrainian targets.
As this dangerous threat landscape evolves, understanding how these groups operate will be key to building better defenses against them. The consequences of this collaboration go further than short-term cybersecurity issues; they imply a long-term play tied to a shared political agenda.