< ciso brief />

All news with #turla tag

4 articles

Turla Converts Kazuar Into Modular P2P Botnet for Stealth

🐍 Microsoft and CISA report that Russian state-linked Turla has evolved its Kazuar .NET backdoor into a modular, peer-to-peer botnet engineered for stealth and persistence. The architecture now separates into Kernel, Bridge, and Worker modules to minimize footprint and enable flexible tasking. Deployments use droppers such as Pelmeni and ShadowLoader to decrypt and load modules across compromised hosts. The design centralizes staging in a dedicated working directory to maintain state and streamline exfiltration.

Gamaredon and Turla Collaborate in Attacks on Ukraine

🕵️ ESET researchers report that Russian state-linked groups Gamaredon and Turla collaborated in 2025 campaigns targeting high-value Ukrainian defense systems. In February, investigators observed Turla issuing commands via Gamaredon implants and Gamaredon's PteroGraphin downloader being used to restart Turla's Kazuar backdoor. Kazuar harvested machine metadata while Gamaredon later deployed Kazuar v2 installers in April and June. ESET assesses with high confidence that the interactions reflect a deliberate operational convergence.

Gamaredon and Turla Collaboration Targets Ukraine in 2025

🚨 ESET Research reports the first observed collaboration between Gamaredon and Turla in Ukraine, with telemetry from February to June 2025 showing Gamaredon tools used to deliver and restart Turla’s Kazuar implants. ESET assesses with high confidence that Gamaredon provided initial access and delivery channels while Turla selectively deployed advanced Kazuar implants on higher‑value hosts. The analysis details multiple infection chains involving PteroGraphin, PteroOdd and PteroPaste, and includes technical indicators and remediation guidance.

Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor

🔒 ESET researchers observed tools from Russian-linked groups Gamaredon and Turla cooperating to deploy the .NET-based Kazuar backdoor on multiple Ukrainian endpoints in early 2025. Gamaredon delivered PowerShell downloaders — PteroGraphin, PteroOdd and PteroPaste — which retrieved Kazuar payloads via Telegraph, Cloudflare Workers domains and direct IP hosting. Analysts assess with high confidence that Gamaredon provided initial access while Turla leveraged the access for espionage, primarily targeting Ukrainian defense-sector assets.