Particle.news

ESET Details Operational Link Between Gamaredon and Turla Targeting Ukraine

Researchers say Gamaredon’s footholds enabled Turla to deploy the Kazuar backdoor on select Ukrainian systems.

Overview

  • ESET reports the first technical evidence tying the FSB‑linked groups, assessing with high confidence that Gamaredon provides initial access for Turla operations.
  • In February 2025, Gamaredon’s PteroGraphin and PteroOdd executed Turla’s Kazuar v3 on a Ukrainian machine, with PteroGraphin used to restart the implant as a recovery method.
  • Additional attack chains in April and June 2025 showed Kazuar v2 delivered via Gamaredon tools including PteroOdd, PteroEffigy and PteroPaste.
  • Turla‑related indicators were detected on seven Ukrainian machines over the past 18 months, with four of those previously breached by Gamaredon in January 2025.
  • Authorities attribute Gamaredon to FSB Center 18 and Turla to FSB Center 16, and ESET notes recent joint activity concentrated on Ukraine’s defense sector, with Gamaredon commonly using spear‑phishing and malicious LNK files.