LABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine
ESET researchers presented evidence of a 2025 espionage alliance between Russian state-aligned actors Gamaredon and Turla targeting Ukraine. Gamaredon utilized its lightweight custom tooling, including PteroGraphin and PteroOdd, to deploy Turla's Kazuar backdoor and maintain persistence for Turla's advanced espionage operations.
Authors:
Detection / HunterGoogle
What Happened
Between February and June 2025, two major Russian cyberespionage groups, Gamaredon and Turla, teamed up to target Ukrainian military and government organizations. Gamaredon used its fast-paced phishing attacks to break into systems and then handed over access to Turla, who deployed a more advanced spying tool called Kazuar. This collaboration shows how these groups divide labor to maintain access to highly sensitive networks. Organizations, especially those in targeted regions, should ensure robust defenses against phishing and monitor for signs of these specific threat groups.
Key Takeaways
- Gamaredon actively facilitated Turla's access to high-value Ukrainian targets between February and June 2025.
- Gamaredon tooling, specifically PteroGraphin and PteroOdd, was utilized to deploy Turla's Kazuar backdoor.
- Gamaredon demonstrated the ability to restore Turla's access after the group lost its initial foothold.
- The collaboration highlights a division of labor in Russian cyberespionage, with Gamaredon handling access and Turla deploying advanced espionage platforms.
Affected Systems
- Ukrainian military organizations
- Ukrainian government organizations
Attack Chain
Gamaredon initiates the attack chain using relentless spearphishing to gain initial access to target networks. Once a foothold is established, Gamaredon utilizes custom lightweight tooling such as PteroGraphin and PteroOdd. These tools are then used to deploy Turla's Kazuar backdoor (v2 and v3) onto the compromised systems. Gamaredon also acts to restore access if Turla's foothold is lost, enabling Turla to conduct downstream post-compromise espionage objectives.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article text.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR solutions can detect the execution of Gamaredon's lightweight tools and Turla's Kazuar backdoor if appropriate behavioral heuristics or signatures are in place, though specific IOCs are not provided in the text.
- Network Visibility: Medium — Network monitoring could identify C2 communications from the Kazuar backdoor or initial payload downloads, provided the infrastructure is known.
- Detection Difficulty: Hard — The collaboration between two sophisticated APT groups using custom tooling (PteroGraphin, PteroOdd, Kazuar) and rapid operational tempos makes detection challenging without specific threat intelligence.
Required Log Sources
- Email Gateway Logs
- Process Creation Logs
- Network Traffic Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for spearphishing emails leading to the execution of unknown lightweight binaries that subsequently download secondary payloads associated with advanced backdoors. | Email Gateway Logs, Process Creation Logs, Network Traffic Logs | Initial Access / Execution | Medium |
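The hypothesis above chains three log sources: an inbound attachment, a non-baselined binary launched by an attachment handler, and a sizeable download by that new process. The following Python correlation is an added illustration of that hunt and is not code from the talk, from ESET, or from the page's source; the log records, user names, paths, the 203.0.113.10 destination and the baseline lists (KNOWN_BINARIES, ATTACHMENT_HANDLERS) are all constructed for the example, and the field names are assumed rather than taken from any particular product.

```python
"""Hunt: spearphishing email -> unknown lightweight binary -> secondary payload download.

Added example: joins three constructed log sources on user/host and time window.
Field names, baselines and sample values are assumptions, not page-provided data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Binaries an attachment handler is expected to spawn (assumed baseline; a real
# deployment derives this from its own telemetry, not from this list).
KNOWN_BINARIES = {
    "C:\\Windows\\System32\\notepad.exe",
    "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe",
}
# Parent processes that typically open mail attachments (assumed list).
ATTACHMENT_HANDLERS = {"outlook.exe", "winword.exe", "excel.exe", "explorer.exe"}


@dataclass(frozen=True)
class EmailEvent:          # Email gateway log record (constructed schema)
    ts: datetime
    recipient: str
    sender: str
    attachment: str


@dataclass(frozen=True)
class ProcessEvent:        # Process creation log record (constructed schema)
    ts: datetime
    host: str
    user: str
    parent_image: str
    image: str
    pid: int


@dataclass(frozen=True)
class NetworkEvent:        # Network traffic log record (constructed schema)
    ts: datetime
    host: str
    pid: int
    dest: str
    bytes_in: int


def _within(earlier: datetime, later: datetime, minutes: int) -> bool:
    """True when `later` falls within `minutes` after `earlier` (never before it)."""
    return timedelta(0) <= later - earlier <= timedelta(minutes=minutes)


def hunt(emails, processes, network, window_minutes=30, min_bytes_in=50_000):
    """Return one finding per process that satisfies all three stages of the hypothesis."""
    findings = []
    for proc in processes:
        parent = proc.parent_image.rsplit("\\", 1)[-1].lower()
        # Stage 2: a binary outside the baseline, launched by an attachment handler.
        if parent not in ATTACHMENT_HANDLERS or proc.image in KNOWN_BINARIES:
            continue
        # Stage 1: the same user received an attachment shortly before the execution.
        prior_mail = [e for e in emails
                      if e.recipient == proc.user and _within(e.ts, proc.ts, window_minutes)]
        if not prior_mail:
            continue
        # Stage 3: the new process pulled a sizeable payload after it started.
        downloads = [n for n in network
                     if n.host == proc.host and n.pid == proc.pid
                     and n.bytes_in >= min_bytes_in and _within(proc.ts, n.ts, window_minutes)]
        if not downloads:
            continue
        findings.append({
            "host": proc.host, "user": proc.user, "image": proc.image,
            "email_from": prior_mail[-1].sender, "attachment": prior_mail[-1].attachment,
            "download_dest": downloads[0].dest, "bytes_in": downloads[0].bytes_in,
        })
    return findings


def sample_logs():
    """Constructed sample telemetry: one full chain (alice) plus benign noise (bob)."""
    t = datetime(2025, 3, 4, 9, 0)
    emails = [
        EmailEvent(t, "alice", "sender@example.invalid", "report.lnk"),
        EmailEvent(t, "bob", "colleague@example.invalid", "agenda.pdf"),
    ]
    processes = [
        ProcessEvent(t + timedelta(minutes=4), "ws-01", "alice", "C:\\Office\\outlook.exe",
                     "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", 4120),
        ProcessEvent(t + timedelta(minutes=3), "ws-02", "bob", "C:\\Office\\outlook.exe",
                     "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", 2210),
        ProcessEvent(t + timedelta(minutes=5), "ws-03", "carol", "C:\\Windows\\System32\\svchost.exe",
                     "C:\\Temp\\helper.exe", 3301),  # unknown binary, but no mail-client parent
    ]
    network = [
        NetworkEvent(t + timedelta(minutes=5), "ws-01", 4120, "203.0.113.10:443", 412_000),
        NetworkEvent(t + timedelta(minutes=6), "ws-02", 2210, "203.0.113.10:443", 1_200),
    ]
    return emails, processes, network


if __name__ == "__main__":
    for f in hunt(*sample_logs()):
        print(f)
```

The 30-minute window and 50 KB download threshold are tuning knobs, not facts from the page; widen or tighten them against your own false-positive rate. The three-way join is what keeps the FP risk at the "Medium" the table assigns: a lone unknown binary or a lone large download is routine, the ordered sequence across a single user and host is not.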
Control Gaps
- Email filtering for advanced, targeted spearphishing campaigns
- Behavioral monitoring for hand-offs between distinct malware families
Key Behavioral Indicators
- Execution of PteroGraphin or PteroOdd binaries
- Deployment of Kazuar backdoor v2 or v3
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate whether current threat intelligence feeds include the latest indicators for Gamaredon (PteroGraphin, PteroOdd) and Turla (Kazuar).
Infrastructure Hardening
- Consider implementing strict network segmentation to limit lateral movement if initial access is achieved by threat actors.
- Evaluate whether email filtering solutions are optimized to detect advanced spearphishing campaigns.
User Protection
- If supported by your tooling, ensure EDR is deployed and configured to detect known Gamaredon and Turla behaviors.
- Consider enforcing multi-factor authentication (MFA) across all critical access points.
Security Awareness
- Consider rolling targeted spearphishing awareness training into existing employee education programs, especially for high-value targets in government or military sectors.
MITRE ATT&CK Mapping
- T1566 - Phishing
- T1105 - Ingress Tool Transfer