Discovery of the Collaboration

ESET researchers, while analyzing compromised devices, ⁣discovered that Turla was issuing⁤ commands through Gamaredon implants. Specifically, ESET ‍software detected the use of⁢ PteroGraphin to restart‌ Kazuar, a proprietary malware used​ by Turla. This suggests PteroGraphin was employed as a recovery mechanism for Kazuar, potentially after crashes⁤ or failed automatic launches. ⁢ ESET details this “first chain” of evidence, marking the first time a technical link has been established ⁣between the two groups.

Deployment of Kazuar by Gamaredon

Further evidence emerged‌ in April and June, when ESET detected Gamaredon malware deploying installers‍ for‌ Kazuar v2. Unfortunately,ESET software was ⁣installed on the compromised systems ⁢*after* the payloads ‌were delivered,preventing full recovery ‌of‍ the​ malicious code. Despite this limitation, ESET believes the repeated instances⁢ strongly indicate an active collaboration between ⁢turla and‌ gamaredon.

Potential Motives and Targets

ESET speculates that Turla’s interest ‌lies‌ in specific, highly sensitive intelligence. ‌ Gamaredon is known for compromising ⁤a large‍ number of machines -⁢ potentially thousands -‍ suggesting they act as a broad reconnaissance and access provider. Turla likely leverages ⁣this access ‍to target systems containing valuable data. This division of labor allows Turla to focus its resources on the most promising targets.

Background on the Threat Actors

Turla (Snakebite)

Turla, also ⁢known as⁣ Snakebite, is a sophisticated threat actor‍ believed to be affiliated with Russian intelligence services. They are ⁣known for their advanced persistent threat (APT) activities, targeting governments, military organizations, and research institutions worldwide. ⁤ Turla’s toolkit includes custom malware like⁤ Kazuar and ‍a variety of sophisticated techniques for ‍evading detection.

Gamaredon (Armageddon)

Gamaredon,⁣ also known as ‌Armageddon,