ESET uncovers Gamaredon–Turla collaboration in Ukraine cyberattacks

Pierluigi Paganini September 21, 2025

ESET found evidence that Russia-linked groups Gamaredon and Turla collaborated in cyberattacks on Ukraine between February and April 2025.

ESET reported Russia-linked groups Gamaredon and Turla collaborated in cyberattacks against entities in Ukraine.

The Russia-linked APT group Gamaredon (a.k.a. Shuckworm, Armageddon, Primitive Bear, ACTINIUM, Callisto) is known for targeting government, law enforcement, and defense organizations in Ukraine since 2013.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON) has been active since at least 2004, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

Turla comes from FSB’s Center 16, the successor of the KGB’s 16th Directorate focused on foreign intelligence, while Gamaredon links to Center 18, rooted in the KGB’s 2nd Directorate for internal security. These units often worked together in the past, and their roles still overlap today, especially in Ukraine. While Russian agencies compete fiercely, groups within the same service often cooperate—like Turla and Gamaredon now.

According to ESET researchers, Russian state-backed groups Gamaredon and Turla teamed up in cyberattacks on Ukraine between February and April 2025. Gamaredon deployed its own tools to restart systems and then launched Turla malware on select Ukrainian targets. This rare collaboration shows how different threat actors can coordinate to maximize impact, increasing the sophistication and persistence of attacks against critical Ukrainian systems during a tense geopolitical climate.

In early 2025, ESET spotted four co-compromises in Ukraine where the APT group Gamaredon deployed multiple tools like PteroLNK and PteroGraphin, while Turla installed Kazuar malware. On one system, Turla even used Gamaredon’s implant to restart Kazuar, proving the active collaboration between the two cyberespionage groups. Later, Gamaredon deployed Kazuar v2 directly, confirming Turla’s reliance on Gamaredon to access key Ukrainian targets. The experts pointed out that this marks the first technical link between the two groups.

“In February 2025, via ESET telemetry, we detected four different Gamaredon-Turla co-compromises in Ukraine,” reads the report published by ESET. “On those machines, Gamaredon deployed a wide range of tools, including PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin, while Turla only deployed Kazuar v3.”

Over the last 18 months, the researchers tracked Turla on seven Ukrainian machines. Gamaredon first breached four of them in January 2025, then Turla deployed Kazuar v3 during the following month. The last Turla case before this dated back to February 2024. While Gamaredon floods Ukraine with infections, the second APT cherry-picks only the most valuable systems, likely those holding sensitive intelligence, confirming its focus on high-value espionage targets.

Both APT groups tied to Russia’s FSB appear to be collaborating in Ukraine. Gamaredon has a history of sharing access with other actors like InvisiMole, while Turla often hijacks others’ infrastructure, as seen with OilRig in 2019, Andromeda in 2023, and Amadey in 2024. Analysts believe the most likely scenario is that Gamaredon handed Turla access to select machines, enabling Kazuar operations. Less likely, Turla hijacked Gamaredon’s tools or Gamaredon secretly used Kazuar itself.

Below are the three hypotheses to explain ESET’s observations:

“Unlikely: Gamaredon has access to Kazuar and deploys it on very specific machines. Given Gamaredon’s noisy approach, we don’t think it would be that careful deploying Kazuar on only a very limited set of victims.

“Very likely: Given that both groups are part of the Russian FSB (though in two different Centers), Gamaredon provided access to Turla operators so that they could issue commands on a specific machine to restart Kazuar, and deploy Kazuar v2 on some others,” continues the report.

“Unlikely: Turla compromised Gamaredon infrastructure and leveraged this access to recover access on a machine in Ukraine. Since PteroGraphin contains a hardcoded token that allows modifying the C&C pages, this possibility cannot be fully discarded. However, it implies that Turla was able to reproduce the full Gamaredon chain.”

Gamaredon’s initial access vector in these cases remains unclear, but the researchers note that the group typically relies on spear-phishing and on malicious LNK files spread via removable drives by tools such as PteroLNK.
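Because the article names malicious LNK files on removable drives as Gamaredon’s usual spreading mechanism, a defender’s first question on a mounted USB stick is what each shortcut on it actually launches. The following is an added example, not ESET’s tooling or detection logic and not derived from any PteroLNK sample: it parses the Shell Link (MS-SHLLINK) header and StringData to pull out a shortcut’s command-line arguments and ShowCommand, then applies a generic triage heuristic. The list of script hosts in SUSPICIOUS_TOKENS and the sample shortcut built by build_sample_lnk are assumptions constructed for this example, not indicators from the report.

```python
"""Added example: parse Windows .lnk (Shell Link) files and triage their
command-line arguments, the kind of check a defender runs over a removable
drive. Layout follows MS-SHLLINK; the suspicion heuristics below are generic
assumptions for this example, not ESET's detection logic."""
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

# Script hosts / LOLBins whose presence in shortcut arguments merits analyst attention (assumed list)
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                     "mshta", "rundll32", "regsvr32", "certutil")


@dataclass
class LnkSummary:
    show_command: int
    relative_path: Optional[str]
    working_dir: Optional[str]
    arguments: Optional[str]
    icon_location: Optional[str]


def _read_string_data(buf: bytes, pos: int, unicode: bool) -> Tuple[str, int]:
    # StringData item: 2-byte character count followed by the characters, no terminator
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode:
        raw = buf[pos:pos + 2 * count]
        return raw.decode("utf-16-le"), pos + 2 * count
    raw = buf[pos:pos + count]
    return raw.decode("latin-1"), pos + count


def parse_lnk(buf: bytes) -> LnkSummary:
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData and return the triage-relevant fields."""
    if (len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    show_command = struct.unpack_from("<I", buf, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]  # IDListSize field + IDList bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", buf, pos)[0]      # LinkInfoSize covers the whole structure
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string_data(buf, pos, unicode)
    return LnkSummary(show_command, fields.get("relative_path"), fields.get("working_dir"),
                      fields.get("arguments"), fields.get("icon_location"))


def triage(summary: LnkSummary) -> List[str]:
    """Return reasons a shortcut deserves a closer look; an empty list means nothing odd was seen."""
    reasons = []
    args = (summary.arguments or "").lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in args]
    if hits:
        reasons.append("arguments reference script host/LOLBin: " + ", ".join(hits))
    if summary.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand hides the launched window")
    if len(args) > 200:
        reasons.append("unusually long argument string (%d chars)" % len(args))
    return reasons


def scan_directory(root: str) -> List[Tuple[str, List[str]]]:
    """Parse every .lnk under root (e.g. a mounted removable drive) and return (path, reasons) for flagged files."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    reasons = triage(parse_lnk(fh.read()))
            except (ValueError, OSError):
                continue  # unreadable or not a real shortcut; log separately in production
            if reasons:
                flagged.append((path, reasons))
    return flagged


def build_sample_lnk(arguments: str, show_command: int = 1) -> bytes:
    """Constructed test input: a minimal Unicode shortcut carrying only COMMAND_LINE_ARGUMENTS."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample: a shortcut that quietly hands control to a script host
    sample = build_sample_lnk("/c cscript.exe //nologo setup.vbs", SW_SHOWMINNOACTIVE)
    print(triage(parse_lnk(sample)))
```

In practice scan_directory is pointed at the mount point of the drive under review; the parser deliberately stops after StringData, since the fields that tell an analyst what a shortcut launches all live there, and the remaining ExtraData blocks can be skipped safely.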

ESET released indicators of compromise (IoCs) and samples for the attacks it has investigated.
