Daily BlueTeamSec Briefing

September 20, 2025

This briefing covers security developments from Thursday, September 19th, 2025, reviewing 2 articles from 1700 to 1946 hours.

Threat Intelligence.

ESET Research has uncovered the first documented collaboration between two FSB-affiliated APT groups, Gamaredon and Turla, targeting high-profile Ukrainian entities. In February 2025, researchers observed Gamaredon's PteroGraphin tool being used to restart Turla's Kazuar backdoor on a compromised Ukrainian machine, followed by additional deployments in April and June using Gamaredon tools PteroOdd and PteroPaste. This collaboration appears strategic, with Gamaredon's broad compromise capabilities feeding select high-value targets to Turla's more focused operations. Both groups operate under Russia's FSB, with Gamaredon attributed to FSB Center 18 operating from occupied Crimea, while Turla has maintained operations since at least 2004 with previous breaches including the US Department of Defense and Swiss defense company RUAG.

Tools.

The Kazuar v2 backdoor, Turla's current operational toolset, is being deployed through this collaborative arrangement. Gamaredon's toolkit includes PteroGraphin for persistence mechanisms, along with PteroOdd and PteroPaste for deployment operations. This marks a significant evolution in how established APT groups use partnerships to enhance their operational effectiveness: one group provides initial access and target identification while the other focuses on high-value intelligence collection from selected compromises.
