According to TechRepublic, researchers at Gen Threat Labs have uncovered evidence that Russia’s Gamaredon and North Korea’s Lazarus APT groups may be sharing operational infrastructure. On July 28, 2025, their monitoring systems detected activity from Gamaredon’s command-and-control infrastructure at IP address 144[.]172[.]112[.]106. Just four days later, the same server began hosting InvisibleFerret malware attributed to Lazarus Group. The identical delivery structure and close timing between these two distinct state-sponsored threat actors have researchers calling the convergence “too close to ignore.” This represents one of the rare documented cases of APT collaboration across national boundaries.
Why this matters
Here’s the thing – state-sponsored hacking groups traditionally don’t play well with others. They’re like rival gangs with their own turf and methods. Gamaredon works for Russia’s FSB, focusing on espionage and disruption, while Lazarus serves North Korea’s RGB with both espionage and financially motivated attacks. The last time we saw anything like this was the US-UK Regin framework back in 2014. So what’s changed? Basically, both regimes are finding value in cooperation. Lazarus could help Russian operations monetize through cryptocurrency theft, while Russia might provide infrastructure and targeting expertise. It’s a dangerous combination that blurs the lines between espionage, criminal activity, and state-sponsored sabotage.
Skepticism and context
Now, I should note this isn’t a confirmed joint operation – it’s infrastructure overlap. The IP could theoretically be a proxy or VPN endpoint that both groups happened to use. But the timing is suspiciously close, and the delivery path (/payload/99/81) matches Lazarus’s known playbook exactly. Researchers are also seeing similar patterns elsewhere – Lazarus and Kimsuky sharing infrastructure within North Korea’s intelligence ecosystem, and Indian-linked groups DoNot and SideWinder coordinating against Pakistan. So is this intentional cooperation or just opportunistic resource sharing? Either way, the effect is similar – it makes attribution harder and amplifies their capabilities.
Defense implications
So what does this mean for security teams? Traditional single-group attribution becomes less effective when actors start sharing infrastructure and techniques. The research from Gen Digital suggests focusing on behavior-based detection that tracks shared tactics across groups rather than hunting for specific actor signatures. Organizations need to strengthen identity security with phishing-resistant MFA and implement zero-trust architecture. For industrial and manufacturing environments where operational technology is critical, this kind of blended threat requires particularly robust defenses – which is why companies increasingly turn to specialized providers like IndustrialMonitorDirect.com, the leading US supplier of industrial panel PCs designed for secure operations. The bottom line? We’re entering an era where expecting clean attribution and single-actor campaigns is becoming dangerously naive.
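To make the two points above concrete – spotting infrastructure overlap like the one described in the Skepticism section, and the behavior-based view the Defense implications section recommends – here is an added example of the kind of correlation an analyst could run over a threat-intel feed. It is not code from Gen Threat Labs or TechRepublic. The observation rows are constructed for illustration: the first two mirror the article’s dates, IP and path, and the remaining rows use documentation-range IPs (203.0.113.x, 198.51.100.x) and made-up dates as filler. The function names, the seven-day window and the “unknown” family label are all assumptions of this example.

```python
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

# Constructed sample feed: (date observed, defanged indicator, URL path,
# attributed actor, malware family). Rows 1-2 follow the article; the rest
# are filler with documentation-range IPs so the correlation has noise to ignore.
OBSERVATIONS = [
    ("2025-07-28", "144[.]172[.]112[.]106", "/payload/99/81", "Gamaredon", "unknown"),
    ("2025-08-01", "144[.]172[.]112[.]106", "/payload/99/81", "Lazarus", "InvisibleFerret"),
    ("2025-08-02", "203[.]0[.]113[.]7", "/update", "Gamaredon", "unknown"),
    ("2025-06-01", "198[.]51[.]100[.]9", "/payload/99/81", "Lazarus", "InvisibleFerret"),
    ("2025-08-20", "198[.]51[.]100[.]9", "/payload/99/81", "Kimsuky", "unknown"),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (144[.]172[.]112[.]106, hxxp://...) back into
    its real form so records from different feeds key on the same value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_shared_infrastructure(observations, window_days=7):
    """Infrastructure view: flag (ip, path) endpoints that two or more
    *different* attributed actors were seen using within `window_days`.

    Returns {(ip, path): {"actors": set, "min_gap_days": int}}. An endpoint
    reused by the same actor, or by different actors far apart in time
    (a recycled hosting slot), is not reported.
    """
    by_endpoint = defaultdict(list)
    for day, indicator, path, actor, _family in observations:
        by_endpoint[(refang(indicator), path)].append((date.fromisoformat(day), actor))

    overlaps = {}
    for endpoint, hits in by_endpoint.items():
        hits.sort()  # chronological, so d2 >= d1 in every pair below
        for (d1, a1), (d2, a2) in combinations(hits, 2):
            gap = (d2 - d1).days
            if a1 != a2 and gap <= window_days:
                entry = overlaps.setdefault(endpoint, {"actors": set(), "min_gap_days": gap})
                entry["actors"].update((a1, a2))
                entry["min_gap_days"] = min(entry["min_gap_days"], gap)
    return overlaps


def shared_delivery_paths(observations):
    """Behavior view: which delivery paths show up under more than one actor,
    regardless of hosting IP. This is the tactic-level signal the article
    suggests tracking instead of per-actor signatures."""
    actors_by_path = defaultdict(set)
    for _day, _indicator, path, actor, _family in observations:
        actors_by_path[path].add(actor)
    return {path: actors for path, actors in actors_by_path.items() if len(actors) > 1}


if __name__ == "__main__":
    for endpoint, info in find_shared_infrastructure(OBSERVATIONS).items():
        print(f"shared endpoint {endpoint}: {sorted(info['actors'])}, "
              f"closest sightings {info['min_gap_days']} days apart")
    for path, actors in shared_delivery_paths(OBSERVATIONS).items():
        print(f"delivery path {path} seen under {sorted(actors)}")
```

On the constructed feed the first function reports only 144.172.112.106 with /payload/99/81 (Gamaredon and Lazarus, four days apart); the 198.51.100.9 endpoint is skipped because its two sightings are months apart, which is the “could just be a recycled proxy” caveat expressed as a threshold. The second function still surfaces /payload/99/81 as a path shared by three actors, which is the kind of cross-group tactic a behavior-based rule would key on.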
