Particle.news

ESET Reveals Technical Link Between Russia’s Gamaredon and Turla Targeting Ukraine

The analysis outlines a division of labor in which Gamaredon’s mass compromises pave the way for Turla’s selective Kazuar espionage.

Overview

  • In February 2025, Gamaredon’s PteroGraphin and PteroOdd were observed restarting Turla’s Kazuar v3 on a Ukrainian endpoint.
  • In April and June 2025, Gamaredon tools PteroOdd and PteroPaste deployed Kazuar v2 installers on additional machines in Ukraine.
  • ESET documented an attack chain that retrieved payloads via Telegraph and exfiltrated host identifiers to a Cloudflare Workers subdomain before launching Kazuar.
  • Telemetry shows Turla on seven Ukrainian machines over the past 18 months, contrasting with Gamaredon’s compromises across hundreds or thousands of systems.
  • The report provides the first technical linkage between FSB Center 18–associated Gamaredon and Center 16–linked Turla in coordinated operations.