Beginning in January 2025, two Russian state-linked APT groups — Turla (aka Waterbug, Venomous Bear) and Gamaredon (aka Primitive Bear, Actinium) — launched a coordinated cyber-espionage campaign targeting Ukrainian government, defense, and diplomatic sectors.
This collaboration bridges Gamaredon’s broad-access intrusion capabilities with Turla’s advanced Kazuar backdoor, enabling deep, sustained espionage operations. The campaign reflects the convergence of Russia’s intelligence apparatus (FSB Center 16 and Center 18) and its strategic focus on long-term intelligence collection in Ukraine.
Timeline of Operations:
Jan 2025: Gamaredon deployed PteroGraphin on Ukrainian systems.
Feb 2025: PteroGraphin retrieved PteroOdd, which launched the Kazuar v3 backdoor.
Feb–Apr 2025: Multiple payloads executed Kazuar in repeated waves, demonstrating persistent re-infection techniques.
Jun 2025: Additional Kazuar v2 deployments using Gamaredon installers.
Gamaredon Toolset:
PteroGraphin: Establishes persistence via Excel add-ins and scheduled tasks, using the Telegraph API for C2 communication.
PteroOdd & PteroPaste: Deliver secondary payloads, restart Kazuar sessions, and support lateral movement.
Other Tools: PteroLNK, PteroStew, PteroEffigy expand reach and control.
Turla’s Kazuar v3:
Advanced C# espionage implant used since 2016.
Capable of executing commands, stealing data, and enabling long-term access.
Deployed strategically once Gamaredon secured system footholds.
This joint operation highlights sophisticated alignment between Russian threat actors, where Gamaredon gains initial access and Turla performs advanced post-compromise operations.
Enhanced Endpoint Monitoring: Deploy advanced EDR solutions to detect Kazuar backdoor activity, PowerShell script execution, and suspicious scheduled tasks.
Network & C2 Analysis: Monitor outbound traffic, focusing on Telegraph API calls and anomalous beaconing patterns.
Segmentation & Access Control: Isolate sensitive networks, enforce MFA, and apply strict privilege management to minimize lateral movement risks.
Patch Management & Hardening: Keep Microsoft Office, Windows, and supporting infrastructure fully patched; enforce least-privilege policies.
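As an added example (not code from the report or from the actors' tooling), the following Python triage script applies the two monitoring points above to constructed sample logs: it flags scheduled-task actions that launch a script host with one of the filenames listed in this report, and flags hosts whose outbound requests to the Telegraph API arrive at near-constant intervals. The log formats, the host names and the Telegraph API host (api.telegra.ph) are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the report). Formats are assumed:
#   proxy:  <iso-timestamp> <host> <destination> <method> <path>
#   tasks:  <host> <task-name> <action command line>
PROXY_LOG = """2025-02-03T09:00:00 host-a api.telegra.ph GET /getPage/abc
2025-02-03T09:05:01 host-a api.telegra.ph GET /getPage/abc
2025-02-03T09:10:00 host-a api.telegra.ph GET /getPage/abc
2025-02-03T09:15:02 host-a api.telegra.ph GET /getPage/abc
2025-02-03T09:07:13 host-b example.com GET /index.html
2025-02-03T11:42:50 host-c api.telegra.ph GET /getPage/xyz
2025-02-03T16:03:05 host-c api.telegra.ph GET /getPage/xyz
"""
TASK_LOG = """host-a Backup powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\scrss.ps1
host-a Updater powershell.exe -f C:\\ProgramData\\ekrn.ps1
host-b Cleanup cmd.exe /c del %TEMP%\\*.tmp
"""

SUSPECT_NAMES = {"scrss.ps1", "ekrn.ps1", "sandboxie.vbs"}   # filenames from the report
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript")
C2_HOSTS = {"api.telegra.ph", "telegra.ph"}                   # Telegraph API hosts (assumed)

def flag_tasks(log):
    """Return (host, task) for scheduled tasks whose action runs a script host
    with one of the report's filenames."""
    hits = []
    for line in log.strip().splitlines():
        host, task, action = line.split(maxsplit=2)
        low = action.lower()
        if any(s in low for s in SCRIPT_HOSTS) and any(n in low for n in SUSPECT_NAMES):
            hits.append((host, task))
    return hits

def flag_beacons(log, max_jitter_s=5.0, min_hits=3):
    """Return (host, destination, mean_interval_s) for host/destination pairs that
    contact a Telegraph host at least min_hits times with low interval jitter."""
    seen = defaultdict(list)
    for line in log.strip().splitlines():
        ts, host, dst, *_ = line.split()
        if dst.lower() in C2_HOSTS:
            seen[(host, dst)].append(datetime.fromisoformat(ts))
    alerts = []
    for (host, dst), times in seen.items():
        times.sort()
        if len(times) < min_hits:          # too few contacts to judge periodicity
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            alerts.append((host, dst, round(statistics.mean(gaps))))
    return alerts
```

Any Telegraph API contact from a government or defense host may be worth reviewing on its own; the jitter threshold only ranks the most periodic ones first.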
Filenames
scrss.ps1
ekrn.ps1
Sandboxie.vbs
Resource Development: T1583 (Acquire Infrastructure), T1584 (Compromise Infrastructure), T1608 (Stage Capabilities)
Initial Access: T1059 (Command & Scripting Interpreter), T1059.001 (PowerShell)
Persistence: T1574 (Hijack Execution Flow), T1574.001 (DLL Sideloading)
Defense Evasion: T1036 (Masquerading), T1036.005 (Match Legitimate Resource Name), T1480.001 (Environmental Keying)
Discovery: T1057 (Process Discovery), T1082 (System Information Discovery), T1083 (File and Directory Discovery), T1012 (Query Registry)
Command & Control: T1071 (Application Layer Protocol), T1071.001 (Web Protocols), T1573 (Encrypted Channel), T1102 (Web Service)