APT Collaboration Emerges Between Russia and North Korea

Rare APT Collaboration Emerges Between Russia and North Korea

Rare APT Collaboration Emerges Between Russia and North Korea

Image generated by Google’s Nano Banana

Researchers say Russia’s Gamaredon and North Korea’s Lazarus may be sharing infrastructure — a rare APT collaboration.

Written By
Ken Underhill
Ken Underhill
Nov 26, 2025

A new discovery from Gen Threat Labs indicates that Russia’s Gamaredon and North Korea’s Lazarus may be sharing operational infrastructure — a rare and concerning sign of cooperation between state-sponsored threat actors.

Early analysis shows activity from both threat actors on the same server within days, a convergence researchers describe as “too close to ignore.”

“These partnerships demonstrate a growing trend of resource sharing and tactical alignment within national ecosystems, amplifying the reach and resilience of state-sponsored campaigns,” researchers wrote in a blog post.

Inside the shared infrastructure linking two APTs

On July 28, 2025, Gen’s internal monitoring systems flagged a known Gamaredon command-and-control (C2) address — 144[.]172[.]112[.]106 — after detecting activity tied to the group’s Telegram and Telegraph-based infrastructure.

Four days later, the same IP began hosting an obfuscated variant of InvisibleFerret, a malware family attributed to Lazarus and previously deployed in its ContagiousInterview recruitment-themed campaign.

The server structure and delivery path (/payload/99/81) matched Lazarus’s known playbook.

While the IP could represent a proxy or VPN endpoint, researchers noted the close timing, identical delivery structure, and payload lineage as strong indicators of shared infrastructure.

No CVEs or public exploits are involved; rather, this case centers on infrastructure overlap and threat attribution patterns.

Why cross-nation APT cooperation Is so concerning

Gamaredon conducts espionage and disruption for Russia’s FSB, while Lazarus carries out espionage and financially motivated attacks for North Korea’s Reconnaissance General Bureau (RGB).

Historically, APT groups from separate nation-states have not cooperated, with the last well-documented example being the joint US–UK Regin framework in 2014.

If validated, a Gamaredon–Lazarus collaboration would indicate:

  • Operational synergy: Lazarus could provide monetization pathways for Russian campaigns through cryptocurrency theft.
  • Strategic alignment: Both regimes could leverage shared assets as their geopolitical and military cooperation deepens.
  • Escalation potential: Joint operations blur the lines between espionage, criminal activity, and state-sponsored sabotage.
Advertisement

Must-read security coverage

Growing evidence of APT collaboration

The discovery builds on additional indicators of APT collaboration within national ecosystems:

  • Lazarus and Kimsuky: Researchers found shared IP infrastructure across both RGB-aligned groups, suggesting coordination inside North Korea’s intelligence services.
  • DoNot and SideWinder: Payload chaining between these Indian-linked groups indicates alignment in espionage operations targeting Pakistan — mirroring previous overlaps between Gamaredon and Turla in Russia.

These examples reinforce that APT collaborations — whether intentional or opportunistic — are becoming more common as states centralize cyber capabilities.

Mitigation strategies for blended APT threats

Even without confirmed joint operations, cross-actor infrastructure reuse presents major detection and attribution challenges.

To defend against emerging APT collaborations and shared infrastructure, security teams should take the following actions:

  • Track cross-actor infrastructure by correlating IP reuse, hosting patterns, malware lineage, and DNS shifts across threat groups.
  • Use behavior-based detection that focuses on shared TTPs instead of single-group attribution.
  • Strengthen identity and access security with phishing-resistant MFA, continuous authentication, and cloud/IAM segmentation.
  • Harden critical systems with zero-trust architecture, network segmentation, and endpoint detection capable of handling multi-actor tradecraft.
  • Expand threat hunting and telemetry correlation to identify overlapping indicators tied to groups like Gamaredon and Lazarus.
  • Increase intelligence sharing through ISACs, industry groups, and automated threat intelligence ingestion.
  • Conduct regular red teaming, adversary emulation, and supply chain security reviews to prepare for blended APT operations.

These measures reflect a broader movement toward anticipating hybrid threats that draw from multiple APT playbooks simultaneously.

Editor’s note: This article first appeared on our sister publication, eSecurityPlanet.com.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.