Security firm ESET disclosed that Turla and Gamaredon, two of Russia’s most active cyber units, have been observed collaborating on malware campaigns targeting Ukrainian devices in recent months.
Turla is widely regarded as one of the world’s most sophisticated APTs, known for long-running, targeted operations, while Gamaredon pursues broader, rapid data collection against Ukrainian organizations.
Researchers said the groups have been seen installing malware on the same devices or operating in an interoperable way, suggesting Turla may be leveraging Gamaredon’s infrastructure in certain campaigns. In one described scenario, the collaboration resembled a hostile takeover of an attack platform once used by another APT group.
Past campaigns have included Turla hijacking infrastructure and campaigns against Starlink-connected Ukrainian devices, evidence that the two groups can coordinate across a shared operations base rooted in Russia’s FSB, the successor to the KGB.
While ESET stops short of confirming formal government command, it says the findings point to a plausible joint operation and highlight the ongoing risk to Ukrainian networks and critical infrastructure as these actors continue to adapt and cooperate.
