Kremlin's largest hacker groups - Turla and Gamaredon - cooperate in cyberattacks on Ukraine

By: Viktor Tsyrfa | 19.09.2025, 22:14

According to ESET researchers, two of Russia's most active hacker groups, Turla and Gamaredon, have recently been spotted conducting joint operations aimed at compromising devices in Ukraine. Both groups are linked to Russia's Federal Security Service (FSB), although they belong to different centres.

Turla is one of the most sophisticated APT groups in the world, known for its highly targeted attacks on high-profile targets, including the US Department of Defence (2008), the German Foreign Ministry and the French military. It uses stealthy Linux malware and even tunnels traffic through satellite internet connections to disguise its activity.

Gamaredon, on the other hand, operates on a large scale, often attacking Ukrainian organisations en masse. Its tools are less sophisticated, but quickly collect large amounts of data. The group does not hide its ties to the Russian authorities and does not try to hide the traces of its activities.

According to ESET, in recent months, malware from both groups has been detected on several devices simultaneously, indicating technical interaction. In particular, Turla used Gamaredon's tools to relaunch its own Kazuar malware and deploy a new version of Kazuar v2. This is the first time researchers have been able to technically link the two groups.

ESET is also considering an alternative explanation: Turla could have intercepted Gamaredon's infrastructure, as it did in 2019 with an Iranian APT group. However, the main hypothesis is a joint operation, where Gamaredon provides mass infections and Turla selectively works with the most valuable targets.

In February, April, and June 2025, ESET recorded at least four cases of joint infection. Gamaredon used the PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin tools, while Turla used Kazuar v3. In all cases, ESET software was installed after the infection, so it was not possible to identify the payload of the Turla tool. In some cases, Turla issued commands through Gamaredon implants, confirming deep integration.

According to ESET, this cooperation indicates coordination between FSB units, with Gamaredon providing access to a large number of machines and Turla focusing on those containing particularly sensitive information.