In early 2025, cybersecurity researchers observed an unprecedented collaboration between two Russian APT groups targeting Ukrainian organizations.
Historically, Gamaredon has focused on broad spear-phishing campaigns against government and critical infrastructure, while Turla has specialized in high-value cyberespionage using sophisticated implants.
Their joint operations mark a significant escalation: Gamaredon gains initial access using its established toolkit, then Turla deploys its advanced Kazuar backdoor to maintain stealthy long-term presence.
This alliance leverages Gamaredon’s noisy compromise methods to deliver Turla’s modular espionage implant on carefully selected machines, suggesting a strategic alignment within the FSB’s internal cyber-intelligence apparatus.
Delivered primarily through malicious LNK files, spear-phishing emails and removable media, the attack chain begins with Gamaredon’s PteroGraphin downloader.
Once on a victim system, PteroGraphin retrieves additional payloads through encrypted Telegra.ph channels. On February 27, 2025, PteroGraphin, residing at %APPDATA%\86.ps1, fetched and decrypted a second-stage downloader, PteroOdd, using a hardcoded 3DES key.
PteroOdd then retrieved and executed Kazuar v3 in memory by side-loading into legitimate processes, effectively evading conventional defenses.
WeLiveSecurity (ESET) analysts noted this dual-stage delivery mechanism was critical in restarting and deploying Kazuar implants after initial crashes or installation of endpoint security products.
The seamless handoff between Gamaredon tools and Turla’s backdoor illustrates an evolution in Russian APT tactics, where inter-group cooperation amplifies impact while limiting detection.
Despite Gamaredon’s hundreds of noisy intrusions, Turla selectively installs Kazuar only on machines deemed highly valuable.
This precision targeting reduces the implant’s exposure and minimizes forensic footprints.
Once deployed, Kazuar v3 establishes encrypted command-and-control channels over WebSockets and Exchange Web Services, supporting three distinct roles—KERNEL, BRIDGE, and WORKER—to modularize functionality and maintain resilience against takedown attempts.
Infection Mechanism Deep Dive
The infection mechanism of Kazuar centers on sophisticated PowerShell loaders and side-loading techniques that exploit legitimate Windows processes. After PteroOdd retrieves the base64-encoded PowerShell payload, it executes a command similar to:
Start-Process -FilePath "C:\Program Files\SomeApp\vncutil64[.]exe" -ArgumentList "-EncodedCommand","[base64-encoded Kazuar loader]"
This approach masks the backdoor as part of a trusted application, preventing signature-based detection.
The loader writes a DLL named LaunchGFExperienceLOC[.]dll alongside LaunchGFExperience[.]exe, initiating Kazuar’s launch through DLL side-loading.
In memory, two distinct KERNEL payloads appear, labeled AGN-RR-01 and AGN-XX-01, indicating redundant execution paths that enhance implant robustness.
Once active, Kazuar collects system metadata—computer name, volume serial number, running processes—and exfiltrates these via a Cloudflare Workers subdomain under Turla’s control.
Subsequent HTTP POSTs confirm successful implant launch and provide bridge nodes with adaptive payloads. By leveraging dynamic loader scripts and dual-payload execution chains, Turla ensures continuous access even if one delivery path fails or is detected.
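The two telemetry signals described above (an -EncodedCommand launched through a non-PowerShell image, and an unsigned DLL side-loaded from the host executable's own directory) can be checked mechanically. The following is an added example, not code from the article or from ESET; the event records, paths, script text and the POWERSHELL_HOSTS list are constructed, and the abbreviated -e/-ec/-enc flag forms are assumed to be the ones worth matching.

```python
import base64
import ntpath
import re

# Constructed sample events (not from the article): simplified Sysmon-style records.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"type": "process", "image": r"C:\Program Files\SomeApp\vncutil64.exe",
     "cmdline": r'"C:\Program Files\SomeApp\vncutil64.exe" -EncodedCommand ' + ENC},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + ENC},
    {"type": "image_load", "image": r"C:\Users\u\AppData\Roaming\LaunchGFExperience.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\LaunchGFExperienceLOC.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# -EncodedCommand and its common abbreviations (assumption), followed by a base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text; decode it for triage."""
    return base64.b64decode(b64).decode("utf-16le", errors="replace")

def check_process(ev):
    """Flag an encoded command launched through an image that is not a PowerShell host."""
    m = ENC_FLAG.search(ev["cmdline"])
    if not m or ntpath.basename(ev["image"]).lower() in POWERSHELL_HOSTS:
        return None
    return {"rule": "encoded_command_in_non_powershell_image",
            "image": ev["image"], "decoded": decode_encoded_command(m.group(1))}

def check_image_load(ev):
    """Flag an unsigned DLL loaded from the host EXE's own directory and named after it."""
    exe_dir, exe_name = ntpath.split(ev["image"])
    dll_dir, dll_name = ntpath.split(ev["loaded"])
    stem = ntpath.splitext(exe_name)[0].lower()
    if ev["signed"] or dll_dir.lower() != exe_dir.lower() or not dll_name.lower().startswith(stem):
        return None
    return {"rule": "unsigned_dll_sideloaded_beside_host", "image": ev["image"], "dll": ev["loaded"]}

def scan(events):
    """Run the matching check over each event and keep only the hits."""
    checks = {"process": check_process, "image_load": check_image_load}
    return [h for h in (checks[ev["type"]](ev) for ev in events) if h]
```

Running scan(EVENTS) yields two hits: the vncutil64.exe launch with its decoded script, and the LaunchGFExperienceLOC.dll load; the powershell.exe event is left to ordinary PowerShell logging rules.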
This infection mechanism underscores the sophistication of modern APT alliances: combining Gamaredon’s wide reach with Turla’s stealth backdoor yields a versatile espionage capability capable of infiltrating high-value targets while minimizing detection risk.