State-sponsored hackers from Russia and North Korea are collaborating on shared infrastructure, marking a significant shift in cyber geopolitics.
Security researchers have uncovered evidence suggesting that Gamaredon, a Russia-aligned advanced persistent threat (APT) group, and Lazarus, North Korea’s primary cyber warfare unit, may be operating jointly, a development with profound implications for global security.
Russia and North Korea’s partnership extends well beyond traditional military cooperation. Moscow backed Pyongyang during the Korean War, and in 2024, both nations formalized their alliance through a Comprehensive Strategic Partnership featuring mutual defense commitments.
Since Russia invaded Ukraine in 2022, North Korea has supplied munitions and troops to support Moscow’s military efforts. This ground-level cooperation now appears to have a digital equivalent.
On July 28, 2025, security monitoring systems detected suspicious activity linking Gamaredon and Lazarus through a shared IP address, suggesting operational-level coordination between the two state-backed actors.
This overlap aligns with broader patterns of increasing sophistication and infrastructure diversification among state-sponsored operations, though previous observations were largely confined within national boundaries.
The Technical Evidence
The breakthrough came just days after Moscow and Pyongyang announced new direct passenger flights.
On July 24, 2025, researchers tracking Gamaredon’s Command-and-Control servers identified a suspicious IP address: 144.172.112.106.
Four days later, the same server was found hosting InvisibleFerret malware (SHA256: 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d), a strain directly attributed to Lazarus.
The malware matched Lazarus’s tooling and was delivered through identical server structures previously observed in ContagiousInterview, a Lazarus campaign targeting job seekers with fake recruitment messages.
While the IP could represent a proxy or VPN, the temporal proximity of both groups’ activity and the shared hosting patterns indicate probable infrastructure reuse, with moderate confidence that the two groups are actually collaborating at an operational level.
Gamaredon has operated since at least 2013, conducting over 5,000 cyber-attacks primarily against Ukrainian government agencies.
The Security Service of Ukraine attributes group members to Russia’s Federal Security Service (FSB) 18th Information Security Center. With the conflict in Ukraine, Gamaredon expanded operations to target NATO member states, disrupting military aid flows to Kyiv.
Lazarus, active since 2009, operates under North Korea’s government. The U.S. Department of Justice has indicted members connected to North Korea’s Reconnaissance General Bureau (RGB).
While initially focused on espionage and destructive attacks, Lazarus shifted toward financially motivated cryptocurrency theft, including high-profile breaches at Stake.com ($41 million), AtomicWallet ($100 million), WazirX ($235 million), and Bybit ($1.4 billion).
Critical Implications for Global Security
If confirmed, this would represent the first known case of Russian-North Korean cyber collaboration.
Such a partnership could enable operational synergy, with Lazarus’s cryptocurrency expertise helping fund covert operations and Russia benefiting from North Korea’s established infrastructure for financial operations.
The collaboration also expands both nations’ offensive capabilities and escalates the complexity of cyber conflict.
The discovery underscores an urgent need for defenders to adapt detection strategies beyond single-actor attribution.
Security teams must enhance infrastructure correlation analysis, prioritize intelligence sharing across organizations, and implement layered defenses capable of mitigating diverse tactics from multiple threat actors leveraging common resources.
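As an added example that is not from the article or from the researchers it cites, the following Python sketch shows the kind of cross-actor infrastructure correlation the article recommends: it groups indicator sightings by value, flags any indicator seen with two differently attributed actors within a time window (here the Gamaredon C2 sighting followed four days later by Lazarus malware hosting), and downgrades confidence when the address is a known VPN/proxy exit, reflecting the proxy caveat above. The observation list and the shared-exit set are constructed; only the 144.172.112.106 sightings and their dates come from the article.

```python
from collections import defaultdict
from datetime import date

# Constructed observations. The 144.172.112.106 sightings and dates are the ones the
# article describes; the 203.0.113.x / 198.51.100.x entries are made-up filler.
OBSERVATIONS = [
    ("144.172.112.106", "Gamaredon", date(2025, 7, 24), "C2 server"),
    ("144.172.112.106", "Lazarus", date(2025, 7, 28), "InvisibleFerret hosting"),
    ("203.0.113.7", "Gamaredon", date(2025, 7, 20), "C2 server"),
    ("203.0.113.7", "Lazarus", date(2025, 2, 1), "payload host"),  # months apart
    ("198.51.100.9", "Gamaredon", date(2025, 7, 10), "C2 server"),
    ("198.51.100.9", "Lazarus", date(2025, 7, 12), "payload host"),
]

# Constructed set of addresses known to be commercial VPN/proxy exits, where reuse by
# unrelated actors is expected and says little about collaboration.
KNOWN_SHARED_EXITS = frozenset({"198.51.100.9"})


def find_shared_infrastructure(observations, window_days=30, shared_exits=KNOWN_SHARED_EXITS):
    """Return indicators seen with two different attributed actors within window_days."""
    by_indicator = defaultdict(list)
    for indicator, actor, seen, context in observations:
        by_indicator[indicator].append((seen, actor, context))
    hits = []
    for indicator, sightings in by_indicator.items():
        sightings.sort()  # chronological, so 'later' is always on or after 'first'
        for i, (t0, actor0, ctx0) in enumerate(sightings):
            for t1, actor1, ctx1 in sightings[i + 1:]:
                if actor0 == actor1:
                    continue  # an actor reusing its own server is not cross-actor overlap
                gap = (t1 - t0).days
                if gap > window_days:
                    continue
                hits.append({
                    "indicator": indicator,
                    "actors": (actor0, actor1),
                    "gap_days": gap,
                    "timeline": f"{t0} {actor0} ({ctx0}) -> {t1} {actor1} ({ctx1})",
                    # 'low' for known VPN/proxy exits, 'moderate' otherwise
                    "confidence": "low" if indicator in shared_exits else "moderate",
                })
    return sorted(hits, key=lambda h: h["indicator"])


if __name__ == "__main__":
    for hit in find_shared_infrastructure(OBSERVATIONS):
        print(f"{hit['indicator']}: {hit['timeline']} [{hit['gap_days']}d, {hit['confidence']}]")
```

In a real deployment the observation tuples would be pulled from the team's indicator store with each sighting's attribution and first-seen date, and the window tuned to the actor's typical infrastructure lifetime.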