Security researchers at Gen Digital say that two of the world’s most active state-backed hacking groups, Russia’s Gamaredon and North Korea’s Lazarus, may have been working together as part of a cross-border APT collaboration. The findings suggest that Moscow and Pyongyang’s deepening geopolitical partnership may now be extending directly into cyberspace.
“This discovery hints at something much bigger than mere technical overlap. It points to a possible new stage in cyber conflict, where geopolitical alliances are mirrored in shared digital operations,” the company notes in its report.
Gamaredon primarily conducts cyber-espionage and has carried out thousands of attacks, largely against Ukrainian government agencies. Following Russia’s invasion of Ukraine, the group broadened its targeting to include NATO countries in an effort to undermine military support for Ukraine.
Lazarus, active since 2009 and linked to North Korea’s intelligence services, was initially focused on espionage and destructive operations but later shifted toward major financially motivated attacks, especially against cryptocurrency platforms.
According to Gen’s latest analysis, both groups were found using shared servers and nearly identical toolsets, a rare overlap for state-aligned hackers, who typically avoid hosting or distributing each other’s malware. Researchers say they found an obfuscated version of Lazarus’ InvisibleFerret malware on a Gamaredon-linked server.
The payload was delivered via a server structure identical to the one previously observed in ContagiousInterview, a Lazarus campaign that targeted job seekers with fake recruitment messages.
“While the IP could represent a proxy or VPN endpoint, the temporal proximity of both groups’ activity and the shared hosting pattern indicate probable infrastructure reuse, with moderate confidence of operational collaboration. Whether Lazarus leveraged a Gamaredon-controlled server or both actors shared the same client instance remains unclear, but the overlap is too close to ignore,” the researchers said.
The finding comes amid accelerating military and political cooperation between Russia and North Korea. Following the renewal of a Comprehensive Strategic Partnership in 2024, Pyongyang has supplied munitions, recognized Russian-claimed Ukrainian territories, and reportedly deployed troops to the frontlines.
This is not the first case of collaboration between APT groups. Gen researchers also observed infrastructure reuse between North Korea’s Lazarus and Kimsuky units, as well as tactical cooperation between India-linked APTs DoNot and SideWinder.