Russian State-Linked Hackers Collaborate on Cyberattacks Targeting Ukraine

A recent report from ESET reveals that two Russian state-associated cyber threat groups, Gamaredon and Turla, have been coordinating operations to target high-value defense assets in Ukraine. This collaboration highlights a broader strategic culture within Russia’s internal security and national defense apparatus.

Shared Tools and Coordinated Attacks

During several attacks observed in February 2025, ESET researchers discovered that Turla was able to issue commands through implants deployed by Gamaredon. The downloader tool PteroGraphin, traditionally associated with Gamaredon, was used to restart Turla’s Kazuar backdoor, suggesting that PteroGraphin served as a recovery method in case Kazuar crashed or failed to launch automatically.

Kazuar itself collected sensitive system information, including the computer name, username, running processes, operating system version, and file and directory listings. Later, in April and June 2025, Kazuar v2 installers were deployed directly using Gamaredon’s tools, providing further evidence of the groups’ collaboration.

“This is the first instance where we have been able to connect these two groups through technical indicators,” ESET researchers stated. They added that the 2022 full-scale invasion of Ukraine likely reinforced this operational convergence, with recent activity concentrated on Ukrainian defense sector targets.

Different Targeting Approaches

Gamaredon and Turla are both linked to the Russian Federal Security Service (FSB) but operate with distinct strategies:

  • Gamaredon has compromised hundreds, if not thousands, of machines since 2013, primarily targeting Ukrainian government institutions.
  • Turla, active since at least 2004 (and possibly earlier), focuses on highly sensitive, high-profile targets such as governmental and diplomatic entities in Europe, Central Asia, and the Middle East. Its presence has been limited to just a handful of machines in Ukraine over the past 18 months, indicating selective operations.

Both groups are primarily engaged in cyber-espionage, with Gamaredon favoring broad-scale compromise and Turla targeting specific, sensitive assets.

Implications for Cybersecurity

The observed coordination demonstrates an escalation in sophisticated state-linked cyber operations, combining the strengths of multiple groups to maximize impact on targeted sectors. ESET’s findings underscore the importance of continuous monitoring, threat intelligence, and enhanced cybersecurity measures for organizations operating in geopolitical conflict zones.

Source: https://www.infosecurity-magazine.com/news/russian-state-hackers-collaborate