HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Russian APT Gamaredon Facilitates Turla Espionage Operations Against Ukrainian Government (2025)

ESET researchers revealed that the Gamaredon group acted as an access broker for Turla, using custom loaders to implant the Kazuar backdoor on Ukrainian military and government networks. The collaboration highlights a sophisticated division‑of‑labor model among state‑aligned actors, raising third‑party risk for vendors serving the region.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 sentinelone.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
sentinelone.com

Russian APT Gamaredon Facilitates Turla Espionage Operations Against Ukrainian Government (2025)

What Happened — ESET researchers presented technical evidence that the Gamaredon group acted as an access broker for the Turla APT, using its custom tools (PteroGraphin, PteroOdd) to implant Turla’s Kazuar backdoor on high‑value Ukrainian military and government systems between February and June 2025. In at least one case Gamaredon restored Turla’s foothold after it had been lost.

Why It Matters for TPRM

  • State‑aligned actors are actively sharing access, increasing the attack surface for any third‑party that supplies software or services to Ukrainian entities.
  • The collaboration demonstrates a “division of labor” model that can be replicated across supply‑chain relationships, making traditional perimeter controls insufficient.
  • Continuous monitoring of threat‑actor tactics is essential for vendors that support government or critical‑infrastructure customers in conflict zones.

Who Is Affected — Government ministries, defense agencies, and any vendors providing network, communications, or cloud services to Ukrainian public‑sector organizations.

Recommended Actions

  • Review contracts with Ukrainian government customers for clauses addressing state‑sponsored threat exposure.
  • Validate that your organization enforces strict email‑security controls (anti‑phishing, DMARC, attachment sandboxing).
  • Implement threat‑intel feeds that flag Gamaredon and Turla indicators of compromise (IOCs) and integrate them into SIEM/EDR.
  • Conduct red‑team exercises that simulate access‑brokerage scenarios to test detection and response.

Technical Notes — The attack chain began with spear‑phishing emails delivering Gamaredon’s lightweight loaders (PteroGraphin/PteroOdd). Those loaders dropped Turla’s Kazuar v2/v3 backdoor, which provides long‑term persistence, credential theft, and lateral movement. No public CVEs were cited; the operation relied on custom, undocumented tooling. Source: SentinelOne Labs – LABScon25 Replay

📰 Original Source
https://www.sentinelone.com/labs/labscon25-replay-gamaredon-x-turla-unveiling-a-2025-espionage-alliance-targeting-ukraine/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →