CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Gamaredon and Turla Collaboration to Deploy Kazuar Backdoor in Ukraine

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

Russian hacking groups Gamaredon and Turla have been collaborating to target Ukrainian entities. The groups used Gamaredon tools to deploy Turla's Kazuar backdoor on multiple endpoints in Ukraine. The collaboration likely began in early 2025, with evidence of coordinated activities in February, April, and June. The attacks primarily focused on the Ukrainian defense sector. The collaboration involves Gamaredon using tools like PteroGraphin and PteroOdd to execute the Kazuar backdoor. The Kazuar backdoor is a .NET-based malware that has been in use since at least 2016 and has undergone multiple updates, with the latest version (Kazuar v3) introduced in February 2025. The initial access vector used by Gamaredon is not clear, but the group has a history of using spear-phishing and malicious LNK files. The collaboration between Gamaredon and Turla is assessed to be driven by Russia's full-scale invasion of Ukraine in 2022.

Timeline

  1. 19.09.2025 11:24 1 articles · 13d ago

    Gamaredon and Turla Collaboration to Deploy Kazuar Backdoor in Ukraine

    In February 2025, Gamaredon tools PteroGraphin and PteroOdd were used to execute Turla's Kazuar backdoor on an endpoint in Ukraine. In April and June 2025, Kazuar v2 was deployed through PteroOdd and PteroPaste. The collaboration is assessed to be driven by Russia's full-scale invasion of Ukraine in 2022, with a focus on the Ukrainian defense sector. The Kazuar backdoor is a .NET-based malware that has been in use since at least 2016 and has undergone multiple updates, with the latest version (Kazuar v3) introduced in February 2025.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Chinese State-Sponsored Actors Target Global Critical Infrastructure

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.

Open in new tab

Iranian Cyber Threat Activity Against U.S. Critical Infrastructure

Iranian state-sponsored or affiliated cyber threat actors are actively targeting U.S. critical infrastructure and conducting global phishing campaigns against diplomatic entities. These actors exploit known vulnerabilities in unpatched or outdated software, compromise internet-connected accounts and devices with weak passwords, and collaborate with ransomware groups to encrypt, steal, and leak sensitive information. A recent coordinated multi-wave spear-phishing campaign targeted embassies and consulates globally, using compromised email accounts to deploy malware. The campaign, attributed to Iranian-aligned operators connected to Homeland Justice, involved sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware via VBA macros. The phishing emails were sent from 104 unique compromised addresses, including a hacked mailbox from the Oman Ministry of Foreign Affairs. The targeted regions included the Middle East, Africa, Europe, Asia, and the Americas, with a focus on European embassies and African organizations. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive. In addition, Iranian state-sponsored threat actors, known as Subtle Snail, have conducted a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations. This group, also known as UNC1549, operates by posing as HR representatives from legitimate entities to engage employees and then compromises them through the deployment of a MINIBIKE backdoor variant. The targeted companies are located in Canada, France, the United Arab Emirates, the United Kingdom, and the United States. The group's primary motivation involves infiltrating telecommunications entities while maintaining interest in aerospace and defense organizations to establish long-term persistence and exfiltrate sensitive data for strategic espionage purposes. The attacks involve extensive reconnaissance on platforms like LinkedIn to identify key personnel within target organizations, specifically focusing on researchers, developers, and IT administrators with elevated access to critical systems and developer environments. The campaign is characterized by the meticulous efforts of Subtle Snail operators to tailor the attack for each victim, using job-themed lures and spear-phishing emails to validate email addresses and collect additional information. The malware used in the campaign includes a web browser stealer that incorporates a publicly available tool called Chrome-App-Bound-Encryption-Decryption to bypass app-bound encryption protections rolled out by Google. MINIBIKE is a fully-featured, modular backdoor with support for 12 distinct commands to facilitate C2 communication, allowing it to enumerate files and directories, list running processes, terminate specific ones, upload files in chunks, and run various payloads. The malware makes Windows Registry modifications such that it's automatically loaded after system startup and features anti-debugging and anti-sandbox techniques to hinder analysis. The group uses predefined paths to guide their searches and focus on stealing emails, VPN configurations, and other information that helps them maintain control, as well as hunting for confidential files stored in shared folders. Furthermore, the Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. Nimbus Manticore has been active since at least 2022, targeting aerospace and defense sectors in Israel and the Middle East, and is associated with the Iranian Revolutionary Guard Corps (IRGC). There is currently no indication of a coordinated campaign specifically targeting U.S. critical infrastructure, but U.S. agencies are urging vigilance and proactive defense measures.

Open in new tab