Mallory

PteroGraphin

PteroGraphin is a Gamaredon PowerShell tool first discovered in August 2024. It is used to establish persistence on compromised systems and to deliver additional payloads. Early versions used an uncommon persistence mechanism based on Microsoft Excel add-ins; later versions replaced it with scheduled tasks, and some reporting describes both mechanisms in use. For command-and-control and payload delivery, PteroGraphin communicates through the Telegraph API over an encrypted channel.
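The two persistence mechanisms described above are the first things to check on a suspect host. The following is an added hunting example, not code from this page or from ESET's reporting: it applies the checks to constructed sample data (an exported Excel\Options key and three scheduled-task actions) so it runs offline. The registry layout it relies on is Excel's startup autoload (the OPEN, OPEN1, OPEN2 ... values under HKCU\Software\Microsoft\Office\<version>\Excel\Options); the allow-listed add-in locations, the PowerShell switch list and all sample records are assumptions of this example.

```python
import re
from dataclasses import dataclass

ADDIN_EXTS = (".xla", ".xlam", ".xll")

# Where legitimately installed Excel add-ins normally live (lower-cased backslash paths).
# Assumed allow-list for this example; anything else (AppData\Local, Temp, Public) is flagged.
EXPECTED_ADDIN_LOCATIONS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "\\appdata\\roaming\\microsoft\\addins\\",
    "\\appdata\\roaming\\microsoft\\excel\\xlstart\\",
)

# PowerShell switches that scheduled-task launchers of script implants typically carry.
PS_EVASIVE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|noni|noninteractive|"
    r"w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b"
)


@dataclass
class Finding:
    source: str   # "excel_options" or "scheduled_task"
    item: str     # the registry value or task that triggered the finding
    reason: str


def parse_open_value(value: str) -> str:
    """Strip the /R (read-only) switch and quotes from an Excel OPEN* value, leaving the path."""
    v = value.strip()
    if v[:2].upper() == "/R":
        v = v[2:].strip()
    return v.strip('"')


def hunt_excel_addins(excel_options: dict) -> list:
    """Check the OPEN, OPEN1, OPEN2 ... values of Excel\\Options (T1137.006 autoload)."""
    findings = []
    for name, raw in excel_options.items():
        if not re.fullmatch(r"OPEN\d*", name, re.IGNORECASE):
            continue
        path = parse_open_value(raw).lower()
        if not path.endswith(ADDIN_EXTS):
            findings.append(Finding("excel_options", f"{name}={raw}",
                                    "OPEN value is not an Excel add-in file"))
        elif not any(loc in path for loc in EXPECTED_ADDIN_LOCATIONS):
            findings.append(Finding("excel_options", f"{name}={raw}",
                                    "add-in autoloaded from an unexpected, user-writable location"))
    return findings


def hunt_scheduled_tasks(tasks: list) -> list:
    """Flag tasks whose action launches PowerShell with hidden/encoded/bypass switches (T1053.005)."""
    findings = []
    for t in tasks:
        exe = t["exec"].lower().rsplit("\\", 1)[-1]
        if exe in ("powershell.exe", "pwsh.exe") and PS_EVASIVE.search(t["args"]):
            findings.append(Finding("scheduled_task", t["name"],
                                    "PowerShell launched with evasive switches"))
    return findings


def run_hunt(excel_options: dict, tasks: list) -> list:
    return hunt_excel_addins(excel_options) + hunt_scheduled_tasks(tasks)


# Constructed sample records (not from a real host): the Excel\Options values of one
# user and three scheduled-task actions. Only OPEN2 and the OfficeUpdateCheck task
# should be flagged; the other entries are shaped like benign defaults.
SAMPLE_EXCEL_OPTIONS = {
    "DefaultPath": "C:\\Users\\alice\\Documents",
    "OPEN": '/R "C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL"',
    "OPEN1": '/R "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\AddIns\\budget.xlam"',
    "OPEN2": '/R "C:\\Users\\alice\\AppData\\Local\\Temp\\update.xlam"',
}
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "exec": "%windir%\\system32\\defrag.exe", "args": "-c -h -k -g"},
    {"name": "\\OfficeUpdateCheck",
     "exec": "powershell.exe", "args": "-NoP -NonI -W Hidden -Enc <constructed-base64-blob>"},
    {"name": "\\Backup\\NightlySync",
     "exec": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "args": "-File C:\\Scripts\\sync.ps1"},
]

if __name__ == "__main__":
    for f in run_hunt(SAMPLE_EXCEL_OPTIONS, SAMPLE_TASKS):
        print(f"[{f.source}] {f.item}: {f.reason}")
```

On a live host the same functions would be fed from Get-ItemProperty on the Excel\Options key and from the Actions of Get-ScheduledTask; the rules are deliberately broad, so treat the output as hunt leads to triage, not as alerts.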

The malware is part of Gamaredon's broader toolset for cyberespionage operations targeting Ukraine, particularly governmental, military, defense, law-enforcement and related organizations. Gamaredon commonly gains initial access through spearphishing and malicious LNK-based infection chains, although the initial access vector in the specific PteroGraphin-linked co-compromise cases was not confirmed.

Across incidents observed between February and June 2025, ESET reported that Gamaredon tooling including PteroGraphin was used on Ukrainian systems in operations associated with Turla. In these cases, PteroGraphin and related Gamaredon tools were used to deploy or help recover Turla's Kazuar backdoor; in at least one case, PteroGraphin served as a recovery method to restart Kazuar, likely after a crash or failed autostart. Reporting also describes an attack chain in which PteroGraphin downloaded the PowerShell downloader PteroOdd, which then retrieved a payload from Telegraph to execute Kazuar.

Additional reported infrastructure and indicators tied to related activity include exfiltration of the victim computer name and system drive volume serial number to a Cloudflare Workers subdomain, system profiling sent to eset.ydns[.]eu, and Kazuar v2 delivery from 91.231.182[.]187. ESET also noted that PteroGraphin contains a hardcoded token that allows modification of its C2 pages; analysts handling samples should treat that token as a live credential to attacker infrastructure rather than exercise it.
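The indicators in the paragraph above are defanged as published. As an added example (not code from this page or from ESET's reporting), the script below refangs them and matches them against a constructed proxy log; it also flags scripted access to the two platforms the reporting names, using the Telegraph service's own domain (telegra.ph) and the Cloudflare Workers suffix (workers.dev) as lower-confidence "review" indicators, since both carry plenty of legitimate traffic. The log format, client IPs, timestamps and every destination address other than 91.231.182[.]187 and eset.ydns[.]eu are constructed for the example.

```python
from dataclasses import dataclass


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("eset.ydns[.]eu", "hxxp://") back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Indicators published for this activity, kept defanged in the source and refanged here.
IOC_DOMAINS = {refang("eset.ydns[.]eu"): "high"}
IOC_IPS = {refang("91.231.182[.]187"): "high"}
# Platform suffixes (assumed, not page IOCs): the Telegraph service and Cloudflare Workers.
REVIEW_SUFFIXES = {"workers.dev": "review", "telegra.ph": "review"}
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# Constructed proxy log, one request per line:
#   <timestamp> <client_ip> <process> <dest_host> <dest_ip> <url>
# Non-IOC addresses use documentation ranges (192.0.2.0/24, 203.0.113.0/24).
SAMPLE_LOG = """\
2025-02-11T08:01:12Z 10.0.4.17 chrome.exe www.example.org 192.0.2.10 https://www.example.org/
2025-02-11T08:02:45Z 10.0.4.17 powershell.exe api.telegra.ph 203.0.113.10 https://api.telegra.ph/getPage/abc
2025-02-11T08:02:51Z 10.0.4.17 powershell.exe eset.ydns.eu 91.231.182.187 https://eset.ydns.eu/p
2025-02-11T08:03:03Z 10.0.4.22 outlook.exe mail.example.org 192.0.2.11 https://mail.example.org/owa
2025-02-11T08:05:40Z 10.0.4.17 powershell.exe quiet-lake-1234.workers.dev 203.0.113.20 https://quiet-lake-1234.workers.dev/?n=WS01&v=1A2B3C4D
"""


@dataclass
class Hit:
    line_no: int
    severity: str
    indicator: str
    reason: str


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match, tolerant of case and a trailing dot."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(log_text: str) -> list:
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, _client, process, host, dst_ip, _url = parts
        for domain, sev in IOC_DOMAINS.items():
            if host_matches(host, domain):
                hits.append(Hit(n, sev, domain, "destination host matches published C2 domain"))
        if dst_ip in IOC_IPS:
            hits.append(Hit(n, IOC_IPS[dst_ip], dst_ip, "destination IP matches published payload server"))
        for suffix, sev in REVIEW_SUFFIXES.items():
            if host_matches(host, suffix):
                # Scripted access from PowerShell to these platforms is the pattern
                # the reporting describes, so raise it above plain "review".
                if process.lower() in SCRIPT_HOSTS:
                    sev = "medium"
                hits.append(Hit(n, sev, suffix,
                                f"{process} reached {host} ({suffix} used as delivery/C2 platform)"))
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no} [{h.severity}] {h.indicator}: {h.reason}")
```

Suffix matching on the platform domains is there to surface leads, not to block: a browser session on telegra.ph is normal, while PowerShell fetching a Telegraph page on a host that also resolves the published domain is worth a ticket.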


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Gamaredon Group

PteroGraphin : Discovered in August 2024, this PowerShell tool initially used an uncommon persistence method involving Microsoft Excel add-ins. It creates an encrypted communication channel for payload delivery, through the Telegraph API.

Source: ESET WeLiveSecurity blog (welivesecurity.com)
Turla

PteroGraphin is a PowerShell tool that uses Microsoft Excel add-ins and scheduled tasks as a persistence mechanism and uses the Telegraph API for command-and-control (C2). It was first discovered in August 2024.

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

Gamaredon is known for using spearphishing and malicious .lnk files on removable drives, so one of these is the most likely compromise vector.

Execution

3 techniques
T1053.005 Scheduled Task (evidence: 1)

Later versions simplified persistence by using scheduled tasks instead of Excel add-ins.

T1059 Command and Scripting Interpreter (evidence: 4)

Across incidents observed between February and June 2025, Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla’s Kazuar backdoor and, in at least one case, restore Turla’s access after the group appeared to have lost its foothold.

T1059.001 PowerShell (evidence: 1)

Gamaredon has used malicious LNK files to execute PowerShell commands directly from Cloudflare-generated domains.

Persistence

2 techniques
T1053.005 Scheduled Task (evidence: 1)

Later versions simplified persistence by using scheduled tasks instead of Excel add-ins.

T1137.006 Add-ins (evidence: 1)

PteroGraphin : Discovered in August 2024, this PowerShell tool initially used an uncommon persistence method involving Microsoft Excel add-ins.

Privilege Escalation

1 technique
T1053.005 Scheduled Task (evidence: 1)

Later versions simplified persistence by using scheduled tasks instead of Excel add-ins.

Defense Evasion

1 technique
T1218 System Binary Proxy Execution (evidence: 1)

In February 2025, Gamaredon's PteroGraphin tool was used as a recovery method to restart Turla's Kazuar espionage implant, likely after it crashed, ESET says. This excerpt describes PteroGraphin's recovery role rather than a proxied system binary; the cited evidence does not name which binary was abused, so treat this mapping as weakly supported.

Command and Control

1 technique
T1568 Dynamic Resolution (evidence: 1)

Gamaredon has introduced new external platforms, such as Codeberg repositories, to dynamically distribute command-and-control (C&C) server information.
