Russia, North Korea May Be Syncing Cyberattacks, Researchers Warn

Security researchers at Gen Digital warn that Russian and North Korean state-backed hackers, two of the world's most aggressive cyber actors, may be working together for the first time, after discovering that both groups used the same command-and-control server in separate cyberattacks.

A Rare Sign Of Coordination Between Two Major APT Groups

On July 24, 2025, Gen's monitoring systems detected an IP address, 144[.]172[.]112[.]106, while tracking Gamaredon's known command-and-control servers. Gamaredon, a notorious Russian espionage group known for rapid-fire intrusions, is associated with the Russian Federal Security Service (FSB) and is responsible for more than 5,000 attacks over the last year, mostly targeting Ukraine.

But what happened next surprised the security researchers.

Just four days later, the same server began delivering malware tied to Lazarus, North Korea's most dangerous hacking group. Researchers identified the payload as InvisibleFerret, a Lazarus-linked backdoor being delivered through an identical server structure previously seen in ContagiousInterview, a campaign that targeted job seekers with fake recruitment messages.

While it's possible the server was a proxy or VPN endpoint, the close timing of both groups' activity and the identical delivery setup raise the likelihood of shared or sequential control by both groups, pointing to potential collaboration rather than coincidence.

Why This Discovery Matters

If confirmed, this would be the first known instance of Russian–North Korean cyber cooperation in active campaigns. Such partnerships are extremely rare; the most famous past example was Regin, believed to have been co-developed by the U.S. and U.K. intelligence agencies.

If Russia and North Korea are indeed collaborating in cyberspace, it would mark a major shift in how global cyberattacks are conducted, as each group brings powerful strengths:

  • Gamaredon (Russia) brings vast espionage experience and rapid deployment, as well as ongoing campaigns targeting government and military networks.
  • Lazarus (North Korea) is known for sophisticated financial theft worth more than $1.7 billion, helping finance the country's government.

Together, they could blend intelligence gathering, financial theft, and global disruption, making it harder to understand who is behind an attack or what the objective is.

A Broader Trend Of Hacking Alliances

While cross-border APT collaboration is rare, the Gamaredon–Lazarus overlap reflects a growing trend of cooperation within national cyber ecosystems.

  • A Lazarus-linked IP later surfaced in malware attributed to another North Korean APT group, Kimsuky, which has been active since around 2012.
  • A DoNot malware sample was found loading a component used by SideWinder, both of which are believed to have ties to India and have been active since 2013 and 2012, respectively.

These cases suggest the cyber world may be shifting toward more cooperation or shared resources, either intentionally or out of operational convenience.

What Security Teams Need To Prepare For

Researchers say defenders must rethink how they identify and classify threats. Instead of assuming a single actor behind an attack, security teams should:

  • Track shared servers between groups
  • Watch for overlapping domains and URLs
  • Watch for malware loaders that are used across different APT teams
  • Prepare for faster, more unpredictable attacks
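
One way to track shared servers and overlapping indicators between groups, as an added example that is not from the article or from Gen's tooling: it flags any indicator sighted under two different actor labels within a time window. The IP address and the two dates come from the article; the other rows, the function names and the 30-day window are assumptions.

```python
from collections import defaultdict
from datetime import date
from itertools import combinations


def normalize(indicator: str) -> str:
    """Refang and lowercase so defanged and plain forms of an indicator match."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def find_shared_infrastructure(sightings, window_days=30):
    """Return indicators sighted under two different actor labels within window_days.

    sightings: iterable of (indicator, actor, date_seen) tuples.
    Each result holds the indicator, the actor pair and the smallest gap in days.
    """
    dates_by_indicator = defaultdict(lambda: defaultdict(list))
    for indicator, actor, seen in sightings:
        dates_by_indicator[normalize(indicator)][actor].append(seen)

    overlaps = []
    for indicator, dates in dates_by_indicator.items():
        # Compare every pair of distinct actors that touched this indicator.
        for a, b in combinations(sorted(dates), 2):
            gap = min(abs((x - y).days) for x in dates[a] for y in dates[b])
            if gap <= window_days:
                overlaps.append(
                    {"indicator": indicator, "actors": (a, b), "gap_days": gap}
                )
    return sorted(overlaps, key=lambda o: (o["gap_days"], o["indicator"]))


# Sample sightings. Only the first two rows reflect the article; the rest are constructed.
SIGHTINGS = [
    ("144[.]172[.]112[.]106", "Gamaredon", date(2025, 7, 24)),  # from the article
    ("144.172.112.106", "Lazarus", date(2025, 7, 28)),          # four days later
    ("192.0.2.10", "cluster-A", date(2025, 6, 1)),              # constructed
    ("192.0.2.10", "cluster-A", date(2025, 6, 3)),              # same actor: no overlap
    ("198.51.100.7", "cluster-A", date(2024, 1, 5)),            # constructed
    ("198.51.100.7", "cluster-B", date(2025, 3, 1)),            # outside the window
]

if __name__ == "__main__":
    for hit in find_shared_infrastructure(SIGHTINGS):
        print(hit)
```

A hit is a lead for an analyst, not an attribution: as the article notes, a shared address can also be a proxy or VPN endpoint.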

A New Phase Of Cyber Warfare?

The discovery is alarming, as alliances between powerful nation-state hacking groups are exceptionally rare. As Russia and North Korea grow closer politically and militarily, researchers say this new pattern could be the first signal that the partnership now extends into cyberspace.

If so, experts warn, the era of isolated hacking groups may be coming to an end, paving the way for a new wave of cyber threats that could be far more coordinated than before.

 

Kavita Iyer
https://www.techworm.net