Gamaredon and Turla, two Russian hacking groups, are working together to target and compromise Ukrainian entities. Both groups are thought to be connected to the Russian Federal Security Service (FSB). Kazuar, a malware that is regularly updated and has previously used Amadey bots to install a backdoor known as Tavdig, is one of Turla's main implants.
Cybersecurity firm ESET reports that over the past 18 months, Turla-related indicators have been found on seven machines in Ukraine, four of which were compromised by Gamaredon in January 2025.
Around the end of February 2025, the most recent version of Kazuar (Kazuar v3) is reported to have been deployed. Gamaredon deployed PteroGraphin as part of the attack chain, which then downloaded PteroOdd, a PowerShell downloader that retrieved a payload from Telegraph. On June 5 and 6, 2025, ESET claims to have discovered a third attack chain.
ESET saw that Kazuar v2 was dropped and installed using a PowerShell downloader known as PteroPaste. "We now believe with high confidence that both groups – separately associated with the FSB – are cooperating," ESET stated on Thursday in a blog post. According to the company, the use of the name "ekrn" may be an attempt by the threat actors to masquerade as a legitimate binary associated with ESET endpoint security products.
Given that Turla's Kazuar is based on .NET and Gamaredon's toolset is free of .NET malware, ESET determined with medium confidence that this data collection step is probably intended for Turla. The second set of attacks was discovered in the middle of April 2025, when another PowerShell downloader known as PteriOdd was dropped using PteroOdd.





