
State-sponsored hacking groups have historically operated in isolation, each pursuing its own national agenda. However, new evidence reveals that two of the world’s most dangerous advanced persistent threat (APT) actors may now be working together.
Russia-aligned Gamaredon and North Korea’s Lazarus group appear to be sharing operational infrastructure, marking a significant shift in the global cyber threat landscape.
Russia and North Korea have maintained strong political and military ties for decades. In 2024, both nations renewed their alliance through a Comprehensive Strategic Partnership that includes mutual defense commitments.
North Korean soldiers have reportedly been deployed alongside Russian forces in Ukraine, demonstrating their deepening cooperation on the battlefield.
Gen Digital security researchers identified this potential collaboration on July 28, 2025, when their monitoring systems flagged a single IP address in use by both APT groups.
The server at 144[.]172[.]112[.]106 was first flagged while tracking Gamaredon command-and-control (C2) infrastructure through the group's known Telegram and Telegraph channels.
Just four days later, the same server was found hosting an obfuscated version of InvisibleFerret malware attributed to Lazarus.
The payload was served from a URL structure matching previous Lazarus campaigns, specifically the Contagious Interview operation, which targets job seekers with fake recruitment messages.
The payload hash (SHA256: 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d) matched known samples from earlier Lazarus attacks, supporting the attribution of the file to Lazarus tooling.
Shared Infrastructure and Malware Delivery Mechanism
The discovery of shared infrastructure carries major implications for global cybersecurity defenders. Gamaredon has been active since 2013 and focuses primarily on cyber espionage against Ukrainian government agencies.
The Security Service of Ukraine linked the group to Russia’s Federal Security Service (FSB) in 2021, attributing over 5,000 cyberattacks to the group.
Lazarus, operational since 2009, has shifted from espionage to financially motivated attacks, stealing over $1.7 billion in cryptocurrency from platforms including Bybit, WazirX, and AtomicWallet.
The payload found on the shared server was served from a delivery path identical to those observed in previous Lazarus operations:
http[://]144[.]172[.]112[.]106/payload/99/81
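The correlation described above comes down to a mechanical check: normalize indicators from different actor-attributed feeds to a common host, look for hosts that appear under more than one actor, and flag URL paths whose shape matches a known campaign. The script below is an added illustration of that workflow, not Gen Digital's tooling. Its sample feed is constructed from the values the article reports (the shared IP, the payload URL and its SHA-256, with the Lazarus sighting dated four days after July 28); the 198.51.100.7 row is an assumed, unrelated control entry, and the actor and context labels are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Constructed sample feed: (value as published, kind, attributed actor,
# date first seen, context). The IP, URL and SHA-256 come from the article;
# 2025-07-28 and 2025-08-01 follow its "four days later". The 198.51.100.7
# row is an assumed, unrelated Gamaredon C2 added as a control (TEST-NET-2).
SAMPLE_FEED = [
    ("144[.]172[.]112[.]106", "ip", "Gamaredon", date(2025, 7, 28),
     "C2 tracked via Telegram/Telegraph channels"),
    ("http[://]144[.]172[.]112[.]106/payload/99/81", "url", "Lazarus",
     date(2025, 8, 1), "obfuscated InvisibleFerret payload"),
    ("128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d",
     "sha256", "Lazarus", date(2025, 8, 1), "InvisibleFerret payload hash"),
    ("198[.]51[.]100[.]7", "ip", "Gamaredon", date(2025, 7, 20),
     "assumed unrelated C2 (constructed control row)"),
]

# Delivery-path shape the article says matched earlier Lazarus campaigns.
LAZARUS_PAYLOAD_PATH = re.compile(r"^/payload/\d+/\d+$")


def refang(value: str) -> str:
    """Undo common defanging so indicators from reports compare equal."""
    return (value.replace("[.]", ".")
                 .replace("[://]", "://")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def host_of(value: str, kind: str):
    """Network host an indicator points at, or None for host-less kinds."""
    clean = refang(value)
    if kind in ("ip", "domain"):
        return clean.lower()
    if kind == "url":
        return (urlparse(clean).hostname or "").lower() or None
    return None  # hashes and similar carry no host


def shared_infrastructure(feed):
    """Hosts seen under more than one attributed actor, with the sighting gap."""
    sightings = defaultdict(lambda: defaultdict(list))  # host -> actor -> dates
    for value, kind, actor, first_seen, _context in feed:
        host = host_of(value, kind)
        if host:
            sightings[host][actor].append(first_seen)
    report = []
    for host, by_actor in sightings.items():
        if len(by_actor) < 2:
            continue  # single-actor host: nothing to correlate
        firsts = {actor: min(dates) for actor, dates in by_actor.items()}
        report.append({
            "host": host,
            "actors": sorted(firsts),
            "gap_days": (max(firsts.values()) - min(firsts.values())).days,
        })
    return sorted(report, key=lambda r: r["host"])


def matches_lazarus_delivery_path(url: str) -> bool:
    """True when the URL path has the /payload/<n>/<n> shape noted above."""
    return bool(LAZARUS_PAYLOAD_PATH.match(urlparse(refang(url)).path))


if __name__ == "__main__":
    for hit in shared_infrastructure(SAMPLE_FEED):
        print(f"{hit['host']}: shared by {', '.join(hit['actors'])}, "
              f"{hit['gap_days']} days between first sightings")
    for value, kind, actor, _seen, _context in SAMPLE_FEED:
        if kind == "url" and matches_lazarus_delivery_path(value):
            print(f"{refang(value)} matches the Lazarus delivery-path pattern")
```

Running it reports 144.172.112.106 as shared by Gamaredon and Lazarus with a four-day gap, while the control address is not reported. In practice, the host key should be extended with passive-DNS and hosting-provider data, since an IP shared by two actors can also mean a common bulletproof host or reseller rather than cooperation.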
If confirmed, this Gamaredon-Lazarus overlap would represent the first documented case of Russian-North Korean cyber collaboration in the wild. The evidence so far is a single shared server, so defenders should treat the finding as provisional: shared hosting or a common bulletproof provider can also place two actors on one IP address.
Security teams should correlate infrastructure across actor-attributed indicator sets, rather than tracking each group's indicators in isolation, and prioritize cross-sector intelligence sharing to detect such emerging alliances early and protect critical assets from coordinated threats.
