Gamaredon Assisted Turla Intrusions Against Ukrainian Government and Military Targets
Researchers presented evidence that Gamaredon directly supported Turla operations against high-value Ukrainian organizations, including military and government entities, during incidents observed from February through June 2025. According to the findings, Gamaredon used its own tooling—such as PteroGraphin and PteroOdd—to deploy Turla’s Kazuar backdoor on victim systems, indicating a coordinated intrusion workflow rather than parallel activity by separate actors.
The investigation also found at least one case in which Gamaredon helped restore Turla’s access after the latter had apparently lost its foothold, reinforcing the assessment of active operational collaboration between the two Russian state-aligned espionage groups. The reported division of labor had Gamaredon handling spearphishing, rapid access, and persistence, while Turla leveraged the more advanced Kazuar v2 and v3 implants to conduct sustained espionage inside contested Ukrainian networks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
ESET presents Gamaredon-Turla collaboration evidence at LABScon 2025
At LABScon 2025, ESET researchers Matthieu Faou and Zoltán Rusnák presented technical evidence that Gamaredon and Turla directly collaborated in 2025 operations targeting Ukraine. The presentation described a division of labor in which Gamaredon established or maintained access and Turla deployed the Kazuar espionage platform.
Gamaredon facilitates Turla access in Ukrainian incidents
ESET researchers observed incidents from February to June 2025 in which Gamaredon actively facilitated Turla’s access to high-value Ukrainian targets. Their analysis found Gamaredon tooling such as PteroGraphin and PteroOdd was used to deploy Turla’s Kazuar backdoor and, in at least one case, restore Turla’s access after it had lost its foothold.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
LABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine - Malware Analysis - Malware Analysis, News and Indicators
malware.news
Open sourceLABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine | SentinelOne
sentinelone.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Gamaredon Expanded Ukraine Espionage With New PowerShell Tools and Cloud-Hidden C2
Russia-aligned **Gamaredon** significantly upgraded its cyberespionage operations against Ukrainian government and military organizations during 2025, according to ESET. The group ran **35 spear-phishing campaigns**, introduced **six new PowerShell-based tools**, revived the VBScript weaponizer **PteroSetup**, and exploited **`CVE-2025-8088`** in WinRAR to establish persistence through malicious HTA downloaders placed in Startup folders. ESET said Gamaredon also expanded lateral movement and USB-based propagation, with the newly documented **PteroPaste** able to copy a malicious downloader to connected USB drives while disguising it as a Word document shortcut. The group increasingly concealed command-and-control and data theft behind legitimate services, using **Cloudflare Workers**, **Microsoft dev tunnels**, **Loophole**, DDNS providers, messaging and blogging platforms, paste sites, and cloud storage to mask malicious traffic and stage payloads. Newer malware variants retrieved encrypted C2 data from dead-drop locations such as **Telegram**, **Dropbox**, **GoFile**, and **Mastodon**, while upgraded stealers including **PteroPSDoor** and **PteroVDoor** exfiltrated stolen files to S3-compatible storage such as **Wasabi**, **Tebi**, and **Intercolo**. ESET also observed Gamaredon collaborating with **Turla** in early 2025, providing initial access that supported deployment of the **Kazuar** framework.
Jun 29, 2026
Gamaredon Ran Large-Scale Espionage Campaigns Using Crimeware-Style Delivery
Cisco Talos reported that the **Gamaredon** threat group conducted at least four campaigns from 2020 onward, combining nation-state espionage objectives with high-volume, crimeware-like delivery methods. The operations used **template injection**, trojanized installers, self-extracting archives, spam, and scripts including **VBS**, **VBA**, and batch files to gain initial access and profile victims before selectively deploying second-stage payloads. Talos said the group operated more than **600 first-stage C2 domains** and over **330 IP addresses across 16 countries**, with infrastructure heavily concentrated in Russia. The campaigns showed a strong focus on **Ukrainian targets**, including Russian-language lures themed around Ukrainian government entities, while also reaching organizations outside Ukraine such as a major African bank, U.S. educational institutions, and European telecommunications and hosting providers. Talos highlighted examples including a trojanized **Zoom** installer, an unusually large **68 MB VBS** file likely designed to evade sandbox analysis, and a long-running operation that excluded more than **1,700 IP addresses in 43 countries** from infection. Researchers assessed Gamaredon as a prolific, noisy, likely second-tier APT focused on espionage and information collection rather than direct monetization.
Jun 29, 2026
Turla Deploys STOCKSTAY Backdoor Against Ukrainian and Foreign Policy Targets
Google Threat Intelligence Group reported that the Russia-linked **Turla** espionage group has been using a multi-component `.NET` backdoor called **STOCKSTAY** since at least December 2022 to target Ukrainian government and military organizations, as well as entities involved in Italian foreign policy. The malware supports command execution, file theft, registry changes, screen capture, and host reconnaissance, and uses separate modules for orchestration and WebSocket-based command-and-control tunneling. Researchers said STOCKSTAY shares architectural and code similarities with Turla’s **KAZUAR** toolkit, including the `K1MORPHER` obfuscation mechanism and environmental keying, indicating the tool is part of Turla’s broader intelligence-gathering arsenal. The campaign used multiple delivery methods, including malicious **RDP** files, **HTA** files, **MSI** installers, and exploitation of WinRAR path traversal flaw `CVE-2025-8088`, often paired with academic, diplomatic, or military-themed lures. Google also observed Turla relying on compromised Ukrainian infrastructure, GitHub repositories, and cloud hosting services such as **Render** and **Glitch** to stage payloads and run command-and-control infrastructure. The company assessed that STOCKSTAY remains under active development alongside KAZUAR and is used both for initial access and as a persistence or fallback capability during espionage operations.
Jun 29, 2026