Russian and North Korean Hackers Unite: Gamaredon and Lazarus Share Cyber Infrastructure

In a significant development within the cybersecurity landscape, state-sponsored hacking groups from Russia and North Korea—specifically, Russia-aligned Gamaredon and North Korea’s Lazarus Group—appear to be collaborating by sharing operational infrastructure. This alliance marks a notable shift from their historically independent operations, suggesting a new level of coordination between these two cyber adversaries.

Historical Context and Political Ties

Russia and North Korea have maintained a longstanding relationship characterized by political and military cooperation. In 2024, this partnership was further solidified through a Comprehensive Strategic Partnership, encompassing mutual defense commitments. Reports indicate that North Korean soldiers have been deployed alongside Russian forces in Ukraine, underscoring the depth of their military collaboration.

Discovery of Shared Cyber Infrastructure

On July 28, 2025, security researchers at GenDigital identified a shared IP address linking the two APT groups. The server at 144[.]172[.]112[.]106 was first flagged during routine monitoring of Gamaredon's command-and-control (C2) infrastructure, which used known Telegram and Telegraph channels. Shortly afterwards, the same server was found hosting an obfuscated version of the InvisibleFerret malware attributed to Lazarus. The malware was delivered through a URL structure consistent with earlier Lazarus campaigns, such as the ContagiousInterview operation that targeted job seekers with fraudulent recruitment messages. The payload hash (SHA256: 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d) confirmed the link to Lazarus tooling, matching known samples from earlier attacks.

Implications of the Alliance

The discovery of shared infrastructure between Gamaredon and Lazarus carries significant implications for global cybersecurity. Gamaredon, active since 2013, has primarily focused on cyber espionage against Ukrainian government agencies. In 2021, the Security Service of Ukraine linked the group to Russia’s Federal Security Service (FSB), attributing over 5,000 cyberattacks to Gamaredon. Lazarus, operational since 2009, has shifted from espionage to financially motivated attacks, reportedly stealing over $1.7 billion in cryptocurrency from platforms including Bybit, WazirX, and AtomicWallet.

The malware payload found on the shared server was served from a delivery path identical to one observed in previous Lazarus operations:

http[://]144[.]172[.]112[.]106/payload/99/81

If confirmed, this overlap between Gamaredon and Lazarus would represent the first documented case of Russian-North Korean cyber collaboration in the wild.

Recommendations for Cybersecurity Defenders

In light of this emerging alliance, cybersecurity teams should strengthen infrastructure correlation analysis, that is, checking whether indicators attributed to one actor (IPs, domains, URL paths, payload hashes) overlap with those attributed to another, and prioritize cross-sector intelligence sharing. Detecting such overlaps early is crucial to protecting critical assets from coordinated threats posed by these state-sponsored actors.
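One way to operationalise the infrastructure correlation recommended above, as an added example that is not part of the original article or of the researchers' tooling: it refangs two constructed, actor-labelled indicator sets (the IP, URL path and SHA256 are the ones the article reports; the other entries are invented placeholders), reports any IP attributed to more than one actor, and checks constructed proxy log lines against that overlap. The log format and its field names are assumptions.

```python
import re

# Constructed indicator sets keyed by the actor they were attributed to.
# Only the shared IP and the Lazarus hash come from the article; the other
# addresses are documentation-range placeholders, not real indicators.
ACTOR_IOCS = {
    "Gamaredon": {"ips": {"144[.]172[.]112[.]106", "198[.]51[.]100[.]7"},
                  "sha256": set()},
    "Lazarus":   {"ips": {"144[.]172[.]112[.]106", "203[.]0[.]113[.]9"},
                  "sha256": {"128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d"}},
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its literal form for matching."""
    return indicator.replace("[.]", ".").replace("[://]", "://")

def shared_infrastructure(iocs):
    """Return {ip: sorted actors} for every IP attributed to more than one actor."""
    owners = {}
    for actor, sets in iocs.items():
        for ip in sets["ips"]:
            owners.setdefault(refang(ip), set()).add(actor)
    return {ip: sorted(a) for ip, a in owners.items() if len(a) > 1}

# Constructed proxy log lines (assumed format); the first download URL is the
# path the article reports, the second line is benign filler.
PROXY_LOG = """\
2025-07-28T10:14:03Z src=10.0.0.23 dst=144.172.112.106 GET http://144.172.112.106/payload/99/81 status=200 sha256=128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d
2025-07-28T10:15:11Z src=10.0.0.41 dst=93.184.216.34 GET http://example.com/ status=200 sha256=-
"""

LOG_RE = re.compile(r"dst=(?P<dst>\S+) \S+ (?P<url>\S+) \S+ sha256=(?P<sha>\S+)")

def scan_log(log_text, iocs):
    """Flag lines that reach an IP shared by several actors or carry a known payload hash."""
    shared = shared_infrastructure(iocs)
    hashes = {h: actor for actor, s in iocs.items() for h in s["sha256"]}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = []
        if m["dst"] in shared:
            reasons.append("shared C2 " + "+".join(shared[m["dst"]]))
        if m["sha"] in hashes:
            reasons.append("known payload " + hashes[m["sha"]])
        if reasons:
            hits.append((m["url"], reasons))
    return hits

if __name__ == "__main__":
    for url, why in scan_log(PROXY_LOG, ACTOR_IOCS):
        print(url, "->", "; ".join(why))
```

A hit that carries both reasons is exactly the pattern the article describes: one address present in both actors' C2 sets, serving a payload whose hash is already attributed to one of them.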