Russian Hacking Groups Gamaredon and Turla Target Organizations to Deliver Kazuar Backdoor

Two prominent Russian state-sponsored hacking groups, Gamaredon and Turla, have been observed collaborating in sophisticated cyberattacks targeting Ukrainian organizations to deploy the advanced Kazuar backdoor.

New evidence reveals an unprecedented level of coordination between these Federal Security Service (FSB)-affiliated threat actors, marking a significant evolution in Russian cyber espionage operations.

Security researchers have documented the first technical evidence linking Gamaredon and Turla operations through shared infrastructure and coordinated deployment of the Kazuar malware family.

This collaboration represents a strategic alliance between two distinct FSB centers – with Gamaredon operated by Center 18 (Information Security) in occupied Crimea and Turla attributed to Center 16 (signals intelligence).

The partnership demonstrates how Russian intelligence agencies are leveraging their respective strengths: Gamaredon’s extensive access network and Turla’s sophisticated espionage capabilities.

Between February and June 2025, researchers identified multiple instances where Gamaredon’s initial access tools were used to deploy Turla’s Kazuar backdoor on high-value targets in Ukraine.

Gamaredon, active since 2013, has consistently targeted Ukrainian governmental institutions with over 5,000 documented cyberattacks.

The group operates from occupied Crimea under FSB Center 18 direction, focusing on widespread compromise operations across Ukrainian infrastructure.

PteroGraphin (token partially redacted).

Their tools include PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin – custom malware designed for initial access and persistence.

Advanced Kazuar Backdoor Deployment

Organizational chart of the Russian Federal Security Service (FSB) showing key centers and their known aliases related to cyber operations and intelligence.

On February 27th, 2025 at 15:47:56 UTC, we detected a request to https://api.telegra[.]ph/getPage/dinoasjdnl-02-27?return_content=true.

PteroOdd JSON reply (beautified and partially redacted).

Turla, also known as Snake, represents one of the most sophisticated cyber espionage groups globally, operating since at least 2004 with suspected FSB Center 16 connections.

The group has previously breached major targets including the US Department of Defense and the Swiss defense company RUAG. Its latest weapon, Kazuar version 3, is a significant advance over earlier versions of the group's C# espionage implant.

The collaboration involves three distinct attack chains documented by security researchers. In the first chain, Gamaredon’s PteroGraphin tool was used to restart Turla’s Kazuar v3 implant, suggesting operational coordination where Gamaredon provides recovery capabilities for Turla operations.

The second and third chains show direct deployment of Kazuar v2 through Gamaredon’s PteroOdd and PteroPaste tools, indicating systematic collaboration.

Kazuar v3 contains roughly 35% more code than its predecessor and adds new network transports, including WebSockets and Exchange Web Services (EWS).

Then, on February 28th, 2025 at 15:17:14 UTC, we detected another similar PowerShell script.

Second PowerShell command executing Kazuar.

The malware operates through three distinct roles – KERNEL, BRIDGE, and WORKER – with specialized functions distributed across these components for enhanced operational security.

Strategic Targeting and Victimology

Russian intelligence cyber structure showing FSB, SVR, and GRU units and their publicly known associated hacking groups.

The technical evidence includes Gamaredon tools downloading Kazuar installers from command-and-control infrastructure, shared use of Telegra.ph for payload delivery, and coordinated use of compromised WordPress servers as Kazuar communication channels. These indicators demonstrate systematic operational integration rather than coincidental activity.
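The Telegra.ph lookup quoted earlier (a GET to api.telegra.ph/getPage/&lt;slug&gt;?return_content=true) is a dead-drop resolver: the implant fetches a public Telegraph page and reads its next stage or C2 address out of the page body. The following is an added detection example, written for this article and not code from ESET or Cybernoz. It flags such lookups in proxy log lines and pulls long base64 runs out of a getPage reply. The log lines and the reply are constructed; the reply follows the public Telegraph API shape (result.content is a tree of strings and {"tag", "children"} nodes), not the redacted PteroOdd reply shown in the original report.

```python
import base64
import json
import re
from urllib.parse import parse_qs

# Dead-drop lookup pattern from the article: GET api.telegra.ph/getPage/<slug>?return_content=true
# The defanged form "telegra[.]ph" is accepted too, so the regex also works over pasted reports.
TELEGRAPH_GETPAGE = re.compile(
    r"https?://api\.telegra(?:\.|\[\.\])ph/getPage/(?P<slug>[^?\s/]+)(?P<qs>\?\S*)?", re.I
)

# A long run of base64 alphabet inside a Telegraph paragraph is what a dead-drop
# resolver typically hides a stager or an encoded C2 address in.
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def find_telegraph_lookups(log_lines):
    """Return one dict per proxy log line that hits the Telegraph getPage endpoint."""
    hits = []
    for line in log_lines:
        m = TELEGRAPH_GETPAGE.search(line)
        if not m:
            continue
        qs = parse_qs((m.group("qs") or "?")[1:])  # drop the leading "?"
        hits.append({
            "slug": m.group("slug"),
            "return_content": qs.get("return_content", ["false"])[0].lower() == "true",
            "line": line,
        })
    return hits


def extract_text_nodes(reply):
    """Walk a Telegraph getPage reply and return every string leaf of result.content."""
    if not reply.get("ok"):
        return []
    leaves = []

    def walk(node):
        if isinstance(node, str):
            leaves.append(node)
        elif isinstance(node, dict):
            for child in node.get("children", []):
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(reply.get("result", {}).get("content", []))
    return leaves


def suspicious_blobs(reply):
    """Text leaves that are long base64 runs: candidates for an embedded stage or C2 address."""
    return [t for t in extract_text_nodes(reply) if B64_RUN.match(t.strip())]


# Constructed proxy log lines (not ESET telemetry). The slug in the second line is the one quoted in the article.
SAMPLE_LOG_LINES = [
    "2025-02-27T15:46:02Z 10.0.5.17 GET https://www.example.org/index.html 200",
    "2025-02-27T15:47:56Z 10.0.5.17 GET https://api.telegra.ph/getPage/dinoasjdnl-02-27?return_content=true 200",
    "2025-02-27T15:48:10Z 10.0.5.17 GET https://telegra.ph/some-public-article-02-27 200",
]

# Constructed stand-in for a dead-drop page body; the real PteroOdd reply is redacted in the report.
SAMPLE_BLOB = base64.b64encode(b"constructed sample stage, not real Kazuar content. " * 2).decode()
SAMPLE_REPLY = json.loads(json.dumps({
    "ok": True,
    "result": {
        "path": "dinoasjdnl-02-27",
        "url": "https://telegra.ph/dinoasjdnl-02-27",
        "title": "dinoasjdnl",
        "content": [
            {"tag": "p", "children": ["Filler text that a casual visitor would see."]},
            {"tag": "p", "children": [{"tag": "code", "children": [SAMPLE_BLOB]}]},
        ],
    },
}))


if __name__ == "__main__":
    for hit in find_telegraph_lookups(SAMPLE_LOG_LINES):
        print(f"Telegraph dead-drop lookup: slug={hit['slug']} return_content={hit['return_content']}")
    for blob in suspicious_blobs(SAMPLE_REPLY):
        print(f"base64 run of {len(blob)} chars in page body; decoded head: {base64.b64decode(blob)[:32]!r}")
```

Requests to the getPage API are rare in most enterprise environments, so the lookup alone is a good hunting pivot; pairing it with a page body that carries a large base64 run turns the hunt into a detection with low false-positive volume. The 64-character threshold is an assumption for the constructed sample and should be tuned against real traffic.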

Analysis of the collaboration reveals selective targeting patterns suggesting Turla’s interest in specific high-value intelligence targets.

While Gamaredon typically compromises hundreds or thousands of machines in broad campaigns, Turla’s selective deployment of Kazuar indicates focus on organizations containing highly sensitive intelligence.

Across 18 months of telemetry, researchers saw Turla on only seven machines in Ukraine; in the documented case, Gamaredon established the initial compromise in January 2025 and Kazuar v3 was deployed in February 2025.

This selective approach aligns with Turla’s historical focus on high-profile government and diplomatic targets across Europe, Central Asia, and the Middle East.

The geopolitical context reveals deep historical roots for this collaboration. FSB Centers 16 and 18 trace their lineage to KGB directorates that frequently cooperated during the Soviet era.

The 2022 full-scale invasion of Ukraine has likely reinforced this convergence, with both groups focusing operations on Ukrainian defense sector targets.

This collaboration represents a significant escalation in Russian cyber capabilities, combining Gamaredon’s broad access network with Turla’s advanced espionage tools.

The partnership enables more efficient targeting of high-value intelligence while maintaining operational security through compartmentalized responsibilities. Security organizations worldwide should prepare for continued evolution of this FSB-coordinated cyber threat landscape.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.