Gamaredon and Turla coordinated Ukraine compromise campaign
Campaign
Summary
The Gamaredon-Turla collaboration has been tied to a multi-stage campaign against Ukrainian entities, expanding Russian access inside the country. In February, April, and June 2025, the groups used PteroGraphin, PteroOdd, and PteroPaste to deliver Kazuar v2/v3. The activity affected multiple Ukrainian machines, including systems in the defense sector, and suggests Gamaredon is serving as the initial-access partner for Turla. The operation matters because it combines two FSB-linked groups into a shared access-and-payload pipeline that can sustain repeated compromises.
Related Happenings
Secret Blizzard Kazuar modular P2P botnet
Malware Activity
First: 16.05.2026 17:15
Last: 16.05.2026 17:15
Sources 1
How related:
ESET said it observed the Gamaredon tools PteroGraphin and PteroOdd being used to execute Turla group's Kazuar backdoor on an endpoint in Ukraine in February 2025, indicating that Turla is very likely actively collaborating with Gamaredon to gain access to specific machines in Ukraine and deliver the Kazuar backdoor.
About this happening:
**Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
GopherWhisper China-aligned APT campaign targeting Mongolian government institutions
Campaign
First: 23.04.2026 12:04
Last: 23.04.2026 12:04
Sources 1
About this happening:
The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...
Mongolian governmental institution hit by network compromise
Incident
First: 23.04.2026 12:04
Last: 23.04.2026 12:04
Sources 1
About this happening:
A **Mongolian governmental institution** was found to have **about 12 systems** infected by **GopherWhisper** backdoors, exposing a live government compromise and the potential fo...
Timeline
- 19.09.2025 11:24 · 1 article
Gamaredon tools execute Turla's Kazuar on a Ukrainian endpoint
Exploitation Observed: ESET observed Gamaredon tools PteroGraphin and PteroOdd being used to execute Turla's Kazuar backdoor on an endpoint in Ukraine, and said Kazuar v3 was present on the system since February 11, 2025.
- Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine — thehackernews.com — 19.09.2025 11:24
- 19.09.2025 11:24 · 2 articles
ESET attributes Gamaredon-Turla cooperation and initial access sharing
Attribution Update: ESET said with high confidence that Gamaredon and Turla are cooperating, that Gamaredon is providing initial access to Turla, and that the campaign has targeted Ukrainian entities with recent focus on the Ukrainian defense sector.
- Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine — thehackernews.com — 19.09.2025 11:24
- Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine — thehackernews.com — 19.09.2025 11:24