Turla x Gamaredon: First Documented Collaboration Targets High-Value Machines in Ukraine

Introduction

Russian state-linked threat actors Turla (also known as Snake) and Gamaredon appear to be teaming up in Ukraine, blending Gamaredon’s noisy initial access techniques with Turla’s precision espionage tooling. Researchers at ESET recently observed four machines that were compromised by both groups this year. They even saw Gamaredon implants being used to restart Turla’s Kazuar backdoor. This marks the first technical linkage between these two Russian threat actors in the Ukrainian theatre.

Why this matters

Turla traditionally keeps its victim counts low and carefully curated, while Gamaredon casts a wide net against Ukrainian government and defence entities. The fact that Turla has been spotted using Gamaredon infrastructure to cherry-pick high-value hosts suggests that the two teams are sharing resources or working in tandem. For defenders it means that quiet and noisy actors may be chained together to gain a deeper foothold and prolong their presence.

What was observed

During the investigation ESET analysts found four computers infected by both groups in early 2025. On those systems, Gamaredon’s suite of Ptero family loaders, including PteroLNK, PteroStew and PteroGraphin, ran alongside Turla’s Kazuar backdoor. On one machine Turla operators even issued a command through a PteroGraphin implant to restart Kazuar, confirming that the two crews were coordinating rather than simply cohabiting the same hosts.

Likely tradecraft

  • Initial access: spearphishing attachments and removable-media LNK shortcuts deliver Gamaredon loaders.
  • Execution and persistence: Gamaredon’s Ptero loaders drop and run Turla’s Kazuar implant, which retains persistence via scheduled tasks and registry autostarts.
  • Command & control: Each group uses its own command channels, with Gamaredon’s infrastructure providing a bridge for Turla to operate quietly.

Impact

  • Turla’s access to high-value systems via Gamaredon infrastructure increases the likelihood of data theft and prolonged espionage in Ukrainian institutions.
  • If quiet and noisy teams are chaining their operations, defenders may face overlapping techniques that complicate attribution and detection.

What to do now

  • Block LNK files from removable media and restrict the use of USB drives within critical networks.
  • Proactively hunt for Gamaredon Ptero-family artifacts and Turla Kazuar IOCs; any overlap should trigger a full incident response.
  • Segment networks and tune endpoint detection tools to look for long dwell-time stealthy implants such as Kazuar.

Sources: ESET WeLiveSecurity (https://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/), The Record (https://therecord.media/russian-spy-groups-turla-gamaredon-target-ukraine)
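The hunting steps above (LNK shortcuts arriving on removable media, and Kazuar-style persistence through scheduled tasks and registry autostarts) can be triaged with a short PowerShell sweep like the following. This is an added example, not code from ESET's report; the keyword filter for suspicious task actions is an assumed heuristic, and the page supplies no Kazuar or Ptero indicators, so none are encoded here.

```powershell
# Added triage helper (not from the ESET research): surfaces the artefacts
# the mitigations above ask defenders to hunt for on a Windows endpoint.
# The regexes below are assumed heuristics, not indicators from the report.

# 1. LNK shortcuts on removable drives (Win32_LogicalDisk DriveType 2 = Removable),
#    resolving each shortcut's target and arguments for review.
$shell = New-Object -ComObject WScript.Shell
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 2"
$lnkFindings = foreach ($d in $removable) {
    Get-ChildItem -Path $d.DeviceID -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Drive     = $d.DeviceID
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
}

# 2. Scheduled tasks whose action launches a script host or rundll32, or
#    points into user-writable locations (assumed heuristic for review).
$taskFindings = foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'wscript|cscript|mshta|rundll32|powershell' -or
            $a.Arguments -match 'AppData|ProgramData|\\Temp\\') {
            [pscustomobject]@{
                Task      = $task.TaskName
                Path      = $task.TaskPath
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}

# 3. Registry autostart entries (Run / RunOnce) for the machine and current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$autostarts = foreach ($k in $runKeys) {
    if (Test-Path $k) { Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* }
}

$lnkFindings  | Format-Table -AutoSize
$taskFindings | Format-Table -AutoSize
$autostarts   | Format-List
```

Run it from an elevated session so HKLM tasks and keys are readable, and compare the output against a known-good baseline rather than treating every hit as malicious.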
