Breaking News: ESET has uncovered a shocking collaboration between two highly sophisticated Russian-linked APT groups, Gamaredon and Turla, in cyberattacks on Ukraine. The revelation comes at a time of heightened geopolitical tension between Russia and Ukraine.
The APT group Gamaredon (also known as Shuckworm, Armageddon, Primitive Bear, ACTINIUM, and Callisto) has been actively targeting government, law enforcement, and defense organizations in Ukraine since 2013. Gamaredon is linked to the FSB's Center 18, the successor of the KGB's 2nd Directorate responsible for internal security.
Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON) has been active since at least 2004, targeting diplomatic and government organizations and private businesses in various regions. Turla originates from FSB’s Center 16, the successor of the KGB's 16th Directorate focused on foreign intelligence.
While Russian agencies compete fiercely, groups within the same service often cooperate. This rare collaboration between Gamaredon and Turla showcases how different threat actors can coordinate to maximize impact, increasing the sophistication and persistence of attacks against critical Ukrainian systems.
In early 2025, ESET detected four co-compromises in Ukraine where Gamaredon deployed multiple tools like PteroLNK and PteroGraphin, while Turla installed Kazuar malware. On one system, Turla even used Gamaredon’s implant to restart Kazuar, proving the active collaboration between the two cyberespionage groups.
Gamaredon first breached four Ukrainian machines in January 2025, and Turla deployed Kazuar v3 on them during the following month. The last Turla case ESET had observed before this dated back to February 2024. This coordination is consistent with Gamaredon's history of sharing access with other actors, such as InvisiMole, and with Turla's practice of hijacking other groups' infrastructure.
Analysts believe that Gamaredon handed Turla access to select machines, enabling Kazuar operations. Alternatively, it is possible that Turla compromised Gamaredon's tools or Gamaredon secretly used Kazuar itself. However, given both groups' connections to the Russian FSB (Gamaredon – Center 18 and Turla – Center 16), the most likely scenario is that Gamaredon provided access to Turla operators.
Experts emphasize that this collaboration marks a significant shift in the tactics, techniques, and procedures (TTPs) used by Russian-backed APT groups. It underscores the evolving nature of cybersecurity threats and the need for heightened vigilance among organizations and individuals.
ESET has released indicators of compromise (IoCs) and samples for the attacks it has investigated. If you suspect your systems are compromised or have been targeted by a similar attack, please contact ESET's incident response team immediately.