Cybersecurity researchers have uncovered evidence that two Russian hacking groups, Gamaredon and Turla, are working together to target and compromise Ukrainian institutions.
Slovak cybersecurity company ESET said it observed Gamaredon's tools PteroGraphin and PteroOdd being used to execute the Turla group's Kazuar backdoor on an endpoint in Ukraine in February 2025, indicating that Turla is very likely using Gamaredon to gain access to specific machines in Ukraine.
In a report shared with The Hacker News, ESET said, “PteroGraphin was used to restart the Kazuar V3 backdoor, possibly after it crashed or was not launched automatically.” “Thus, PteroGraphin was probably used as a recovery method by Turla.”
In two other instances, in April and June 2025, ESET said it also detected the deployment of Kazuar V2 through two other Gamaredon malware families, tracked as PteroOdd and PteroPaste.
Both Gamaredon (aka Aqua Blizzard and Armageddon) and Turla (aka Secret Blizzard and Venomous Bear) are assessed to be associated with the Russian Federal Security Service (FSB), and both are known for targeted attacks against Ukraine.
“Gamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian government institutions,” ESET said.
“Turla, also known as Snake, is a notorious cyber espionage group that has been active since at least 2004, possibly dating back to the late 1990s. It mainly focuses on high-profile targets, such as government and diplomatic institutions, in Central Asia and the Middle East, and it is also known to have breached American departments.”
The cybersecurity company said Russia's full-scale invasion of Ukraine in 2022 drove this convergence, which in recent months has focused mainly on the Ukrainian defense sector.
One of Turla's staple implants is Kazuar, a frequently updated malware that has been delivered via Amadey bots, which first deploy a backdoor called Tavdig that then drops the .NET-based tool. Early artifacts associated with the malware were seen in the wild as far back as 2016, according to Kaspersky.
PteroGraphin, PteroOdd, and PteroPaste, on the other hand, are part of a growing arsenal of tools developed by Gamaredon to distribute additional payloads. PteroGraphin is a PowerShell tool that uses Microsoft Excel add-ins and scheduled tasks as a persistence mechanism and uses the Telegraph API for command-and-control (C2). It was first discovered in August 2024.
The exact initial access vector used by Gamaredon is not clear, but the group has a history of using spear-phishing and malicious LNK files on removable drives, spread with tools such as PteroLNK.
In all, over the last 18 months, Turla-related indicators have been found on seven machines in Ukraine, four of which had been compromised by Gamaredon in January 2025. The deployment of the latest version of Kazuar (Kazuar V3) is believed to have taken place in late February.
“Kazuar V2 and V3 are fundamentally the same malware family and share the same codebase,” ESET said. “Kazuar V3 contains about 35% more C# lines than Kazuar V2 and introduces additional network transport methods: WebSockets and Exchange Web Services.”
The attack chain involved Gamaredon deploying PteroGraphin, which was used to download a PowerShell downloader dubbed PteroOdd, which in turn retrieved a payload from Telegraph to execute Kazuar. Before launching the Kazuar payload, it is also designed to collect the victim's computer name and the volume serial number of the system drive and exfiltrate them to a Cloudflare Workers subdomain.
It is worth noting here that there are indications suggesting Kazuar was already present before Gamaredon's download, as the backdoor is said to have been on the system since February 11, 2025.
In a sign that this was not an isolated incident, ESET revealed it identified another PteroOdd sample on a separate machine in Ukraine in March 2025, on which Kazuar was also present. The installed .NET malware is capable of harvesting a wide range of system information, including version listings, and sending it to an external domain (“eset.ydns[.]eu”).
The fact that Gamaredon's toolset lacks any .NET malware, while Turla's Kazuar is .NET-based, suggests this data-collection step is likely attributable to Turla, the company assessed with moderate confidence.
The second set of attacks was found in mid-April 2025, when PteroOdd was used to drop another PowerShell downloader, named PteroEffigy, which eventually contacted the “eset.ydns[.]eu” domain to deliver Kazuar V2 (“scrss.ps1”), a version that was documented by Palo Alto Networks at the end of 2023.
ESET also said it discovered a third attack chain on June 5 and 6, 2025, involving a PowerShell downloader referred to as PteroPaste, which was employed to drop and install Kazuar V2 (“ekrn.ps1”) from “91.231.182[.]187” on two machines located in Ukraine. The name “ekrn” was chosen by the threat actors to mimic the legitimate binary “ekrn.exe,” which belongs to ESET endpoint security products.
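The three behaviours described above (a PowerShell script named after a security-product binary, persistence through scheduled tasks and Excel add-ins, and host data exfiltrated to a Cloudflare Workers subdomain) are all things a defender can look for in endpoint telemetry. The following is an added triage example written for this article; it is not ESET's code or tooling. The event format, the registry location used for Excel add-in persistence (the `OPEN` values under the Excel `Options` key), the list of process names to protect, and the "eight hex characters as the leftmost DNS label" heuristic for an encoded volume serial number are all assumptions, and the sample events are constructed.

```python
"""Triage helper that flags three behaviours reported for the Gamaredon loaders
and the Kazuar delivery chain. Added example, not ESET's code. Event shape,
registry paths and the hex-label heuristic are assumptions."""
import re
from dataclasses import dataclass

# Stems of security-product processes a malicious script name might imitate.
# "ekrn" comes from the article; "msmpeng" (Windows Defender) is illustrative.
# Replace with the products actually deployed in your environment.
SECURITY_PRODUCT_STEMS = {"ekrn", "msmpeng"}

# A 32-bit volume serial number renders as eight hex characters (assumption:
# the loader encodes it as the leftmost DNS label).
HEX8 = re.compile(r"^[0-9a-f]{8}$")
PS1_PATH = re.compile(r"""[^\s"']+\.ps1\b""", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _ps1_stems(cmdline):
    """Return the lowercase basenames (without .ps1) of scripts in a command line."""
    paths = PS1_PATH.findall(cmdline)
    return [p.replace("/", "\\").rsplit("\\", 1)[-1][:-4].lower() for p in paths]


def check_masquerade(ev):
    """A .ps1 whose name matches a security-product binary (ekrn.ps1 vs ekrn.exe)."""
    if ev.get("type") != "process":
        return None
    for stem in _ps1_stems(ev.get("cmdline", "")):
        if stem in SECURITY_PRODUCT_STEMS:
            return Finding("ps1_masquerades_as_security_binary",
                           f"{stem}.ps1 in: {ev['cmdline']}")
    return None


def check_persistence(ev):
    """Scheduled task launching PowerShell, or an Excel add-in registered via OPEN values."""
    kind = ev.get("type")
    if kind == "process":
        c = ev.get("cmdline", "").lower()
        if "schtasks" in c and "/create" in c and "powershell" in c:
            return Finding("scheduled_task_launches_powershell", ev["cmdline"])
    elif kind == "registry":
        key = ev.get("key", "").lower().replace("/", "\\")
        if key.endswith("\\excel\\options") and ev.get("value", "").upper().startswith("OPEN"):
            return Finding("excel_addin_persistence",
                           f"{ev['key']}\\{ev['value']} = {ev.get('data', '')}")
    return None


def check_workers_exfil(ev):
    """DNS query to *.workers.dev whose leftmost label looks like an encoded serial."""
    if ev.get("type") != "dns":
        return None
    q = ev.get("query", "").lower().rstrip(".")
    labels = q.split(".")
    if q.endswith(".workers.dev") and len(labels) >= 4 and HEX8.match(labels[0]):
        return Finding("hex_label_to_workers_subdomain", q)
    return None


CHECKS = (check_masquerade, check_persistence, check_workers_exfil)


def triage(events):
    """Run every check over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -f C:\Users\Public\ekrn.ps1"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "OfficeUpdate" /tr "powershell -w hidden -f C:\Users\u\AppData\Roaming\upd.ps1" /sc minute /mo 10'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Office\16.0\Excel\Options",
     "value": "OPEN", "data": r'/R "C:\Users\u\AppData\Roaming\addin.xlam"'},
    {"type": "dns", "query": "1a2b3c4d.desktop-7q3k.updater.workers.dev"},
]
BENIGN_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\ESET\ESET Security\ekrn.exe", "cmdline": "ekrn.exe"},
    {"type": "dns", "query": "www.example.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Each rule is deliberately narrow and cheap, so the output is a starting point for an analyst rather than a verdict: the scheduled-task rule, for instance, will also fire on legitimate administrative scripts, and the `workers.dev` rule only catches serial numbers encoded as a bare hex label. The value of the masquerade rule is that it keys on the script name alone, which is exactly the detail the attackers chose to blend in with ESET's own process names.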
“We now believe with high confidence that the two groups – both associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla,” said ESET researchers Matthieu Faou and Zoltán Rusnák.