A new report from GenDigital points to a notable development in the state-sponsored threat landscape: Gamaredon, attributed to Russia, and Lazarus, attributed to North Korea, appear to be sharing operational infrastructure. GenDigital reads the overlap as a possible alliance. If that reading holds, it marks a shift from the historically separate operations of the two countries' cyber units and is a concern for organizations worldwide.
The IP address at the centre of the report, 144[.]172[.]112[.]106, was first flagged by GenDigital's monitoring on July 28, 2025, and was subsequently tied to both Gamaredon's command-and-control (C2) infrastructure and the delivery of Lazarus malware. The finding follows a period of deepening political and military ties between Russia and North Korea, including a renewed alliance with mutual defence commitments in 2024 and reports of North Korean troops deployed alongside Russian forces in Ukraine.
Shared Infrastructure and Malware Delivery Mechanism
The address was initially flagged while GenDigital was tracking Gamaredon C2 activity through the group's known Telegram and Telegraph channels. Four days later, on August 1, 2025, the same server was found hosting an obfuscated build of InvisibleFerret, a malware family attributed to Lazarus. The payload was delivered through a URL structure consistent with earlier Lazarus campaigns, such as the Contagious Interview operation, which targeted job seekers with fake recruitment messages.
The payload's SHA-256 hash, 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d, matched samples from earlier Lazarus attacks, which is what ties it to Lazarus tooling. It was served from http[://]144[.]172[.]112[.]106/payload/99/81, a delivery path identical in layout to those seen in previous Lazarus operations. Both indicators are printed defanged here and have to be refanged before they are used in detection.
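The indicators above are the concrete thing a defender can act on. The following Python is an added example, not code from the report or from GenDigital: it refangs the published IP, URL and SHA-256 exactly as printed, runs them over constructed proxy log lines and EDR file events, and additionally flags any `/payload/<n>/<n>` path on an unlisted host as a low-confidence lead. The generalised path pattern, the two log formats and every sample line are assumptions made for the example; only the three indicators come from the report.

```python
import re
from urllib.parse import urlparse

# Indicators published in the report, kept defanged exactly as printed.
DEFANGED_IOCS = {
    "ip": "144[.]172[.]112[.]106",
    "url": "http[://]144[.]172[.]112[.]106/payload/99/81",
    "sha256": "128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d",
}


def refang(value: str) -> str:
    """Undo common defanging ([.], [://], hxxp) so the indicator can be
    compared against live telemetry."""
    return (value.replace("[.]", ".")
                 .replace("[://]", "://")
                 .replace("hxxp", "http"))


IOC_IP = refang(DEFANGED_IOCS["ip"])
IOC_URL = refang(DEFANGED_IOCS["url"])
IOC_SHA256 = DEFANGED_IOCS["sha256"].lower()

# Assumption for this example: the report says /payload/99/81 follows the path
# layout of earlier Lazarus deliveries, so we generalise it to /payload/<n>/<n>
# and treat a match on an unlisted host as a low-confidence lead, not a hit.
LAZARUS_PATH_RE = re.compile(r"^/payload/\d+/\d+$")

# Constructed proxy log (not real traffic): timestamp src_ip method url status
PROXY_LOG = """\
2025-08-01T10:02:11Z 10.20.4.17 GET http://144.172.112.106/payload/99/81 200
2025-08-01T10:02:15Z 10.20.4.17 GET http://cdn.example.net/jquery.min.js 200
2025-08-01T11:40:03Z 10.20.9.2 GET http://203.0.113.7/payload/12/4 200
2025-08-01T12:00:00Z 10.20.9.2 POST http://144.172.112.106/api/ping 404
"""

# Constructed EDR file-write events (not real telemetry): timestamp host sha256
EDR_EVENTS = """\
2025-08-01T10:02:12Z WS-017 128DA948F7C3A6C052E782ACFEE503383BF05D953F3DB5C603E4D386E2CF4B4D
2025-08-01T10:05:00Z WS-017 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def classify_url(url: str):
    """Return (confidence, reason) for a URL, or None if nothing matched."""
    parsed = urlparse(url)
    if parsed.hostname == IOC_IP:
        if url == IOC_URL:
            return ("high", "exact match on published Lazarus payload URL")
        # Any contact with the shared host matters: it is also Gamaredon C2.
        return ("high", "contact with host shared by Gamaredon C2 and Lazarus payload")
    if LAZARUS_PATH_RE.match(parsed.path):
        return ("low", "Lazarus-style /payload/<n>/<n> path on unlisted host")
    return None


def scan_proxy_log(log_text: str) -> list:
    """Match each proxy line against the URL/host indicators."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status = line.split()
        verdict = classify_url(url)
        if verdict:
            hits.append({"ts": ts, "src": src, "url": url,
                         "confidence": verdict[0], "reason": verdict[1]})
    return hits


def scan_edr_events(events_text: str) -> list:
    """Match file hashes against the published InvisibleFerret sample hash.
    Hashes are compared case-insensitively: EDR products differ in casing."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, host, sha256 = line.split()
        if sha256.lower() == IOC_SHA256:
            hits.append({"ts": ts, "host": host, "sha256": sha256.lower(),
                         "confidence": "high",
                         "reason": "hash of InvisibleFerret sample attributed to Lazarus"})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG) + scan_edr_events(EDR_EVENTS):
        print(hit["confidence"].upper(), hit["reason"], hit)
```

Run stand-alone, the script reports three proxy hits (the exact payload URL, a low-confidence path-shape match on an unrelated host, and a failed POST to the shared host, which still counts as contact with Gamaredon C2) and one EDR hash hit. The 404 on the last proxy line is deliberate: a blocked or failed request to a shared C2 host is still worth a ticket.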
Gamaredon, active since 2013, has historically focused on cyber espionage against Ukrainian government agencies; in 2021 the Security Service of Ukraine linked the group to Russia's Federal Security Service (FSB) and attributed more than 5,000 attacks to it. Lazarus, operational since 2009, has expanded from espionage into large-scale financially motivated operations and is reported to have stolen over $1.7 billion in cryptocurrency from platforms including Bybit, WazirX and AtomicWallet.
If the overlap is definitively confirmed, it would be the first documented instance of Russian and North Korean state-sponsored cyber collaboration in the wild. For defenders the practical implication is that indicators can no longer be tracked per actor in isolation: infrastructure (IP addresses, hosting, URL structure) needs to be correlated across actor-specific indicator sets, and intelligence needs to be shared across sectors, so that alliances of this kind surface earlier and defences can be adjusted before the combined tooling is used at scale.
For organizations across sectors, two prolific state-sponsored groups coordinating would mean a more complex threat environment. Threat intelligence collection and analysis would have to account for shared tactics, techniques and procedures (TTPs), for higher attack volume and for evasion methods moving between the groups. Shared infrastructure would also let each group extend its reach and diversify its targets, whether the objective is espionage, financial theft or political disruption.
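The infrastructure correlation described above is, mechanically, a join across indicator sets attributed to different actors, keyed on the host rather than on the raw indicator, so that a Gamaredon C2 IP and a Lazarus payload URL meet on the same key. The Python below is an added example and not part of the report: it takes a constructed feed of sightings, reproduces the four-day gap from the article's timeline for the one published host, and down-weights overlaps that fall inside a constructed shared-hosting range, because two unrelated tenants of one hosting provider also produce shared IP addresses. Every feed row other than the two published indicators, the hosting range and the confidence labels are assumptions.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed indicator feed (not a real threat-intel export). Each row is one
# sighting: indicator, indicator type, actor it was attributed to, first seen.
# The two 144.172.112.106 rows reproduce the report's timeline: Gamaredon C2 on
# 2025-07-28, Lazarus InvisibleFerret payload on the same host four days later.
# Every other row is invented for the example.
SIGHTINGS = [
    ("144[.]172[.]112[.]106", "ip", "Gamaredon", date(2025, 7, 28)),
    ("http[://]144[.]172[.]112[.]106/payload/99/81", "url", "Lazarus", date(2025, 8, 1)),
    ("198.51.100.23", "ip", "Gamaredon", date(2025, 6, 2)),
    ("hxxp://198.51.100.77/update.php", "url", "Lazarus", date(2025, 6, 9)),
    ("203.0.113.44", "ip", "Gamaredon", date(2025, 5, 1)),
    ("hxxp://203.0.113.44/a.js", "url", "Lazarus", date(2025, 5, 3)),
]

# Assumption: address ranges treated as shared hosting / CDN, where two unrelated
# tenants on one address is normal. A real pipeline would derive this from ASN
# or provider data; 203.0.113.0/24 is documentation space used here as a stand-in.
SHARED_HOSTING = [ip_network("203.0.113.0/24")]


def refang(value: str) -> str:
    """Undo common defanging ([.], [://], hxxp) before comparing indicators."""
    return (value.replace("[.]", ".")
                 .replace("[://]", "://")
                 .replace("hxxp", "http"))


def host_of(indicator: str, kind: str) -> str:
    """Reduce an indicator to the host it lives on, so a C2 IP attributed to one
    actor and a payload URL attributed to another meet on the same key."""
    value = refang(indicator)
    return urlparse(value).hostname if kind == "url" else value


def in_shared_hosting(host: str) -> bool:
    try:
        addr = ip_address(host)
    except ValueError:          # a domain name, not an address
        return False
    return any(addr in net for net in SHARED_HOSTING)


def correlate(sightings):
    """Return one record per host claimed by two or more distinct actors."""
    by_host = defaultdict(list)
    for indicator, kind, actor, first_seen in sightings:
        by_host[host_of(indicator, kind)].append((first_seen, actor, indicator))

    overlaps = []
    for host, rows in by_host.items():
        actors = sorted({actor for _, actor, _ in rows})
        if len(actors) < 2:
            continue
        rows.sort()
        overlaps.append({
            "host": host,
            "actors": actors,
            "first_seen": rows[0][0],
            "gap_days": (rows[-1][0] - rows[0][0]).days,
            "indicators": [ind for _, _, ind in rows],
            # A shared address is suggestive, not proof; co-tenancy on a hosting
            # provider explains many overlaps, so those are marked low.
            "confidence": "low" if in_shared_hosting(host) else "medium",
        })
    return sorted(overlaps, key=lambda o: o["host"])


if __name__ == "__main__":
    for o in correlate(SIGHTINGS):
        print(f"{o['host']}: {' + '.join(o['actors'])}, "
              f"{o['gap_days']} day(s) apart, confidence {o['confidence']}")
```

The deliberate design choice is that the strongest label a single shared host can earn here is "medium": raising it further should require a second, independent overlap (for example a common TLS certificate or registrant), which is exactly the independent verification the report says is still needed.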
The finding suggests that the geopolitical alignment between Russia and North Korea may be translating into a more unified cyber offensive capability. GenDigital's evidence is a strong initial signal, but a single shared IP address is not proof of coordination: two tenants of the same hosting or bulletproof-hosting provider can land on one address without either knowing of the other, so independent verification from further overlapping artefacts and continued monitoring are needed before the scope and nature of any collaboration can be stated with confidence. In the meantime the defensive priorities are unchanged in substance: keep endpoint detection and response (EDR) coverage complete, keep network configurations tight, run regular vulnerability assessments, and share indicators and observations with the wider security community so that the evolving activity of these potentially allied APT groups can be tracked and mitigated.

