Recent research by ESET has uncovered evidence of unprecedented collaboration between two Russian state-linked cyberespionage groups: Gamaredon and Turla.
Both are associated with Russia’s Federal Security Service (FSB) but have traditionally operated independently. Their cooperation in targeting high-profile organizations in Ukraine represents a significant escalation in state-sponsored hacking, with implications for global cybersecurity.
Background on the Threat Groups
Gamaredon, active since at least 2013, has primarily focused on Ukrainian governmental institutions. Known for its high-volume, opportunistic campaigns, Gamaredon often relies on spear-phishing and malicious LNK files on removable drives to gain access.
Turla—also known as Snake—is a veteran espionage collective operating since at least 2004, possibly earlier. It is infamous for precision attacks on governments and diplomatic entities across Europe, Central Asia, and the Middle East, and for breaches such as the 2008 compromise of the US Department of Defense and the attack on Swiss defense firm RUAG.
Evidence of collaboration
ESET’s 2025 findings show technical links between the groups.
Turla’s Kazuar backdoor was executed via Gamaredon’s tools — PteroGraphin and PteroOdd — on Ukrainian systems. Notably, PteroGraphin appeared to restart the Kazuar v3 backdoor, likely as a recovery method after a crash or failed launch.
Kazuar, an advanced C# espionage implant, is believed to be used exclusively by Turla. Its features include extensive command support for credential theft, file manipulation, and system reconnaissance. The integration of this toolset with Gamaredon’s access operations is the first technical evidence tying the two groups together.
Strategic implications
This partnership blends complementary strengths: Gamaredon’s large-scale intrusions and Turla’s sophisticated tradecraft. While Gamaredon compromises hundreds or thousands of Ukrainian machines, Turla appears to focus on a small subset of systems likely containing highly sensitive intelligence.
The convergence likely reflects operational needs arising from Russia’s 2022 full-scale invasion of Ukraine. Analysts suggest that Ukraine has become a testing ground for Moscow’s advanced cyber tactics, with successful techniques later deployed elsewhere.
By combining persistence with elite capability, the FSB gains a mechanism to infiltrate critical networks more efficiently.
Global security considerations
The Gamaredon–Turla cooperation underscores a shift in state-sponsored cyber operations.
It shows that boundaries between elite and mass-scale espionage teams are thinning, allowing intelligence services to pair specialized implants with high-volume infection campaigns. Such integration can magnify risk for governments, defense contractors, and other high-value organizations worldwide.
Organizations should adopt layered defenses that include:
- Supply-chain mapping
- Privileged-access limits
- Remote-session logging, and continuous auditing
These measures help mitigate the kind of initial access that Gamaredon provides and the stealthy exploitation that Turla conducts.
The discovery of cooperation between Gamaredon and Turla marks a new phase in Russian cyber strategy. By merging relentless intrusion activity with advanced espionage tooling, these FSB units have created a threat that is both broad and deep.
As geopolitical tensions persist, defenders must prepare for state actors that combine scale, sophistication, and strategic intent in their operations.