PteroOdd
PteroOdd is a lightweight PowerShell downloader attributed to the Russia-aligned Gamaredon threat actor. It retrieves a single PowerShell payload via the Telegra.ph API and is used to fetch next-stage payloads, command-and-control information, or additional malware. Reporting states it appeared mainly in activity linked to Gamaredon’s operational collaboration with Turla during incidents observed between February and June 2025 targeting Ukrainian government and military organizations. In documented attack chains, Gamaredon deployed PteroGraphin, which downloaded PteroOdd; PteroOdd then retrieved a payload from Telegraph and executed Turla’s Kazuar backdoor. PteroOdd was also reported, together with PteroPaste, to deploy Kazuar v2 installers in April and June 2025, and to help recover or restart Kazuar on previously compromised systems. Additional observed behavior includes dropping another PowerShell downloader, PteroEffigy, and in one case sending system information and installed .NET versions to eset.ydns[.]eu. Related reporting also noted payload staging or delivery associated with Telegraph, a Cloudflare Workers subdomain, and the IP address 91.231.182[.]187 in broader Kazuar deployment chains involving Gamaredon tooling. High-confidence targeting context in the source material is Ukrainian governmental and military institutions.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
PteroOdd is a tiny downloader used to retrieve a single PowerShell payload via the Telegra.ph API, and based on what we observed, it appears to have been used mainly in cases connected to Gamaredon’s collaboration with Turla.
PteroOdd is a tiny downloader used to retrieve a single PowerShell payload via the Telegra.ph API, and based on what we observed, it appears to have been used mainly in cases connected to Gamaredon’s collaboration with Turla.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Initial Access
Execution
2 techniques
Execution
Command and Control
3 techniques
Command and Control
They also abused multiple legitimate messaging, social media, blogging, and paste services as dead drops for resolving C&C servers and distributing payloads.
Gamaredon abused multiple legitimate messaging, social media, blogging, and paste services as dead drops for resolving C&C servers... In 2025, Gamaredon abused numerous services in this way: Telegram channels, Telegra.ph, Teletype, rentry.co, write.as, Dropbox, GoFile, DEV Community, Mastodon, lesma, nopaste.net, and Paste.ee.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A lightweight downloader used to fetch next-stage payloads, command-and-control information, or additional malware.
A small downloader that retrieves a single PowerShell payload via the Telegra.ph API; observed mainly in activity connected to Gamaredon's collaboration with Turla.
Gamaredon tooling used to deploy Turla's Kazuar backdoor and support access restoration on compromised systems.
Gamaredon tooling used to facilitate deployment of Turla’s Kazuar backdoor and support access on compromised systems.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.