The big picture: Russian cyberespionage groups long tracked separately for their differing methods now appear to be working in tandem in a series of recent attacks on Ukraine, according to new research from security firm ESET. Evidence gathered over the past several months suggests that Turla – one of Moscow's most technically advanced threat actors – has been operating on systems first compromised by Gamaredon, a group known for noisy, large-scale campaigns against Ukrainian targets.
ESET reported that in February it identified four Ukrainian machines compromised by both groups. On those systems, Gamaredon deployed its usual suite of malware families – PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin – while Turla installed its proprietary Kazuar backdoor.
Researchers observed Turla operators issuing commands through Gamaredon implants, including one case in which PteroGraphin appeared to be used to restart Kazuar after it failed to load properly.
Similar integration reappeared in April and June, when ESET documented Gamaredon malware deploying Kazuar version two installers. Because ESET software was installed only after the initial compromises, the firm could not determine how the infections began or capture every payload involved. Still, given the consistency of these interactions and the fact that Turla's past activity in Ukraine had appeared only sporadically, researchers concluded that direct collaboration was more likely than infrastructure hijacking.
The apparent convergence between the groups is striking because their operating styles have historically diverged so sharply. Turla, active since at least 2004, has traditionally targeted high-value networks using stealthy tactics designed to remain undetected for years. Past operations attributed to the group include the 2008 breach of the Pentagon's classified systems, compromises at Germany's Foreign Office, France's military, and Swiss defense contractor RUAG, as well as technical innovations such as Linux malware and the hijacking of satellite internet traffic to conceal command-and-control activity.
Gamaredon, by contrast, has waged broad and often crude attacks against Ukrainian government agencies and infrastructure since at least 2013, according to repeated findings by the Security Service of Ukraine and outside researchers. Its methods, typically spearphishing emails and malicious shortcut files, rarely emphasize stealth. Instead, Gamaredon implants sweep up information quickly, often infecting hundreds or even thousands of machines at a time.
ESET noted that Turla has previously taken over infrastructure belonging to other hacking groups, including a 2019 incident in which it co-opted an Iranian-linked espionage platform, and again in 2024 when it hijacked financially motivated groups' infrastructure to target Starlink-connected devices in Ukraine. Against that backdrop, a hostile takeover of Gamaredon systems could not be ruled out.
Still, ESET concluded it is more likely that Gamaredon deliberately ceded access in Ukraine to its counterpart. Both groups are widely assessed to be units of Russia's Federal Security Service, though based in different centers.
Ukrainian officials have tied Gamaredon to Center 18, which reports to the FSB's counterintelligence service, while British and other Western intelligence bodies associate Turla with Center 16, the agency's main signals intelligence arm.
Given that alignment, researchers said, Gamaredon's sweeping compromises could easily provide an entryway for Turla to pursue more targeted espionage. ESET speculated that Turla is interested only in select systems holding sensitive intelligence, leaving Gamaredon's broader infections in place for other purposes.
This is not the first sign of coordination among Russian-linked groups. In 2020, investigators documented Gamaredon granting access to a separate outfit known as InvisiMole. And while reports of rivalry within Russia's intelligence community are frequent, especially between agencies such as the GRU and the FSB, cooperation between divisions of the same service has been observed before.
Historical ties help explain the overlap. Turla's Center 16 traces its lineage to the KGB's 16th Directorate, once responsible for foreign signals intelligence, while Gamaredon's Center 18 is linked to the KGB's 2nd Chief Directorate, which oversaw internal security. During the Soviet era, the two directorates often collaborated, most notably in monitoring foreign embassies in Moscow.
With Russia's war on Ukraine ongoing, researchers believe that convergence has only intensified. Ukrainian cyber defenders had already reported joint FSB campaigns blending elements of both centers after 2018, years before the conflict escalated in 2022.
The latest evidence from ESET suggests that this collaboration now extends into the technical core of FSB-linked attack operations, and that the long-standing divide between Gamaredon's scattershot strategy and Turla's precision espionage may be eroding.
Russian hacking groups long seen as rivals now appear to be teaming up in Ukraine
