A new discovery from Gen Threat Labs indicates that Russia’s Gamaredon and North Korea’s Lazarus may be sharing operational infrastructure — a rare and concerning sign of cooperation between state-sponsored threat actors.
Early analysis shows activity from both threat actors on the same server within days, a convergence researchers describe as “too close to ignore.”
“These partnerships demonstrate a growing trend of resource sharing and tactical alignment within national ecosystems, amplifying the reach and resilience of state-sponsored campaigns,” said the researchers.
Inside the Shared Infrastructure Linking Two APTs
On July 28, 2025, Gen’s internal monitoring systems flagged a known Gamaredon command-and-control (C2) address — 144[.]172[.]112[.]106 — after detecting activity tied to the group’s Telegram and Telegraph-based infrastructure.
Four days later, on August 1, the same IP began hosting an obfuscated variant of InvisibleFerret, a malware family attributed to Lazarus and previously deployed in its Contagious Interview recruitment-themed campaign.
The server structure and delivery path (/payload/99/81) matched Lazarus’s known playbook.
While the IP could be a proxy or VPN endpoint, or a hosting node that both groups rented independently, researchers pointed to the close timing, the identical delivery structure, and the payload lineage as strong indicators of genuinely shared infrastructure.
No CVEs or public exploits are involved; rather, this case centers on infrastructure overlap and threat attribution patterns.
Why Cross-Nation APT Cooperation Is So Concerning
Gamaredon conducts espionage and disruption for Russia’s FSB, while Lazarus carries out espionage and financially motivated attacks for North Korea’s Reconnaissance General Bureau (RGB).
Historically, publicly documented cooperation between APT groups of different nation-states has been rare; the most frequently cited example is the Regin framework, disclosed in 2014 and widely attributed to joint U.S. and U.K. operations.
If validated, a Gamaredon–Lazarus collaboration would indicate:
- Operational synergy: Lazarus could provide monetization pathways for Russian campaigns through cryptocurrency theft.
- Strategic alignment: Both regimes could leverage shared assets as their geopolitical and military cooperation deepens.
- Escalation potential: Joint operations blur the lines between espionage, criminal activity, and state-sponsored sabotage.
Growing Evidence of APT Collaboration
The discovery builds on additional indicators of APT collaboration within national ecosystems:
- Lazarus and Kimsuky: Researchers found shared IP infrastructure across both RGB-aligned groups, suggesting coordination inside North Korea’s intelligence services.
- DoNot and SideWinder: Payload chaining between these Indian-linked groups indicates alignment in espionage operations targeting Pakistan — mirroring previous Gamaredon and Turla overlaps within Russia.
These examples reinforce that APT collaborations — whether intentional or opportunistic — are becoming more common as states centralize cyber capabilities.
Mitigation Strategies for Blended APT Threats
Even without confirmed joint operations, cross-actor infrastructure reuse presents major detection and attribution challenges.
To defend against emerging APT collaborations and shared infrastructure, security teams should take the following actions:
- Track cross-actor infrastructure by correlating IP reuse, hosting patterns, malware lineage, and DNS shifts across threat groups.
- Use behavior-based detection that focuses on shared TTPs instead of single-group attribution.
- Strengthen identity and access security with phishing-resistant MFA, continuous authentication, and cloud/IAM segmentation.
- Harden critical systems with zero-trust architecture, network segmentation, and endpoint detection capable of handling multi-actor tradecraft.
- Expand threat hunting and telemetry correlation to identify overlapping indicators tied to groups like Gamaredon and Lazarus.
- Increase intelligence sharing through ISACs, industry groups, and automated threat intelligence ingestion.
- Conduct regular red teaming, adversary emulation, and supply chain security reviews to prepare for blended APT operations.
These measures reflect a broader movement toward anticipating hybrid threats that draw from multiple APT playbooks simultaneously.
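The first and fifth mitigation bullets, correlating indicator reuse across actor attributions and hunting for one group's delivery structure on another group's infrastructure, can be turned into a small correlation routine. The Python below is an added example written for this article; it is not Gen Threat Labs' tooling. Only the 144.172.112.106 address, the two sighting dates and the /payload/99/81 path come from the article; the remaining sightings are constructed and use RFC 5737 documentation address ranges, and the numeric-wildcard generalisation of the Lazarus delivery path is this example's own assumption.

```python
"""Correlate indicator sightings across threat actors to flag shared infrastructure.

Added example for this article; not Gen Threat Labs' tooling. The sighting
records are constructed: the first two reproduce the article's IP, dates and
delivery path, the rest use documentation-only address ranges.
"""
import re
from collections import defaultdict
from datetime import date
from itertools import combinations


def refang(indicator: str) -> str:
    """Turn defanged report notation (144[.]172[.]112[.]106, hxxp://) back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed sightings: (indicator, attributed actor, first seen, context).
SIGHTINGS = [
    (refang("144[.]172[.]112[.]106"), "Gamaredon", date(2025, 7, 28), "C2, Telegram/Telegraph-linked"),
    (refang("144[.]172[.]112[.]106"), "Lazarus", date(2025, 8, 1), "obfuscated InvisibleFerret at /payload/99/81"),
    ("198.51.100.7", "Gamaredon", date(2025, 7, 10), "C2"),    # constructed, TEST-NET-2
    ("198.51.100.7", "Lazarus", date(2025, 12, 1), "stager"),  # constructed; months apart
    ("203.0.113.9", "Lazarus", date(2025, 8, 3), "stager"),    # constructed; one actor only
]


def find_overlaps(sightings, max_gap_days=14):
    """Return (indicator, actor_a, actor_b, gap_days) for every indicator attributed
    to two different actors whose first sightings fall within max_gap_days.
    The gap is returned rather than hidden behind a boolean so an analyst can weigh
    a 4-day overlap differently from a 140-day one: VPS churn between unrelated
    tenants is common, near-simultaneous reuse is not."""
    first_seen = defaultdict(dict)  # indicator -> {actor: earliest sighting}
    for indicator, actor, seen, _context in sightings:
        prev = first_seen[indicator].get(actor)
        if prev is None or seen < prev:
            first_seen[indicator][actor] = seen
    overlaps = []
    for indicator, actors in first_seen.items():
        for a, b in combinations(sorted(actors), 2):
            gap = abs((actors[a] - actors[b]).days)
            if gap <= max_gap_days:
                overlaps.append((indicator, a, b, gap))
    return overlaps


# Assumed delivery-path signatures per actor. The article gives a single Lazarus
# path (/payload/99/81); the numeric-wildcard generalisation is this example's own.
PLAYBOOK_PATHS = {
    "Lazarus": [re.compile(r"^/payload/\d+/\d+$")],
}


def playbook_hits(url_sightings, playbooks=PLAYBOOK_PATHS):
    """Given (url, actor the host is attributed to) pairs, return the URLs whose
    path matches a different actor's known delivery structure."""
    hits = []
    for url, host_actor in url_sightings:
        clean = refang(url)
        path = re.sub(r"^https?://[^/]+", "", clean) or "/"
        for actor, patterns in playbooks.items():
            if actor != host_actor and any(p.match(path) for p in patterns):
                hits.append((clean, host_actor, actor))
    return hits


if __name__ == "__main__":
    for row in find_overlaps(SIGHTINGS):
        print("shared infrastructure:", row)
    for row in playbook_hits([("hxxp://144[.]172[.]112[.]106/payload/99/81", "Gamaredon")]):
        print("cross-actor delivery path:", row)
```

In practice the sightings list would be fed from a TIP export or ISAC feed rather than hard-coded, and the 14-day window should be tuned to the hosting provider: a short window on bulletproof hosts that rotate tenants weekly, a longer one on long-lived dedicated servers.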
Rising Threat of Cross-Nation APT Collaboration
The potential Gamaredon and Lazarus linkage signals a new phase in cyber geopolitics — one where state-aligned threat actors may adopt shared infrastructure, shared tooling, and shared strategic objectives.
When nations align strategically, their cyber alliances may follow, increasing the sophistication and unpredictability of attacks.
As APT groups evolve through collaboration, defenders must evolve just as quickly — embracing intelligence-driven security, cross-sector coordination, and layered defenses that anticipate emerging threats.
