Alliances of Convenience: How APTs Are Beginning to Work Together
Summary:
New research from Gen Digital indicates a rare and potentially significant overlap between two major state-sponsored threat actors: Russia-aligned Gamaredon and North Korea’s Lazarus Group. On July 28, 2025, researchers detected a Gamaredon-linked IP address that, within days, was also hosting an obfuscated Lazarus InvisibleFerret payload delivered using infrastructure identical to prior Lazarus campaigns. This overlap, occurring shortly after renewed diplomatic cooperation between Moscow and Pyongyang, suggests possible shared infrastructure or coordinated operational activity. Historically, cross-nation APT collaboration has been almost nonexistent, making this event notable. If validated, it would represent the first known case of Russian–North Korean cyber cooperation.
Security Officer Comments:
The finding also aligns with a broader trend: APT groups increasingly reusing infrastructure within their own national ecosystems. Together, these developments point to a shift toward greater coordination, resource sharing, and operational convergence across both allied states and intra-nation cyber units. While infrastructure reuse could result from proxy/VPN overlap, the tight timing, matching server structure, and alignment with ongoing Russia–North Korea cooperation increase the likelihood of intentional operational convergence. If confirmed, this would mark a major evolution in how allied states conduct cyber operations, moving from parallel activity to shared digital logistics. This partnership could enhance both groups’ capabilities: Gamaredon’s espionage operations may benefit from Lazarus’s expertise in monetizing intrusions, while Lazarus could leverage Russian infrastructure for broader reach or cover. Such collaboration complicates attribution efforts and expands both countries’ offensive options.
Suggested Corrections:
For defenders, this highlights the need to move beyond single-actor attribution models. Shared C2 infrastructure, overlapping TTPs, and modular malware ecosystems mean that organizations may face blended operations where multiple APTs leverage the same resources. Increased cross-sector intelligence sharing, correlation of infrastructure events, and monitoring for reused hosting patterns will be essential as APT alliances become more fluid and strategically driven.
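One way to implement the infrastructure-event correlation recommended above, as an added example that is not part of the original report: it groups indicator sightings by IP and flags any IP attributed to more than one actor within a short window, mirroring the scenario of a single host tied to Gamaredon and then to Lazarus within days. The sightings, dates and TEST-NET addresses below are constructed sample data, not indicators from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sightings: (indicator, attributed actor, date first seen).
# The addresses are RFC 5737 documentation ranges, not real infrastructure.
SIGHTINGS = [
    ("203.0.113.10", "Gamaredon", "2025-07-28"),
    ("203.0.113.10", "Lazarus", "2025-07-31"),   # same host, 3 days later
    ("203.0.113.20", "Lazarus", "2025-06-01"),
    ("203.0.113.20", "Lazarus", "2025-07-15"),   # single actor, no overlap
    ("203.0.113.30", "Gamaredon", "2025-01-10"),
    ("203.0.113.30", "Lazarus", "2025-07-20"),   # two actors, months apart
]


def find_cross_actor_overlaps(sightings, window_days=14):
    """Return {indicator: {actors}} for indicators attributed to more than
    one actor where the sightings fall within `window_days` of each other.
    A tight window separates likely shared use from unrelated re-use of a
    host that changed hands (or sits behind a shared proxy/VPN egress)."""
    by_indicator = defaultdict(list)
    for indicator, actor, seen in sightings:
        by_indicator[indicator].append((actor, datetime.fromisoformat(seen)))

    window = timedelta(days=window_days)
    overlaps = {}
    for indicator, events in by_indicator.items():
        events.sort(key=lambda e: e[1])  # chronological order
        for i, (actor_a, t_a) in enumerate(events):
            for actor_b, t_b in events[i + 1:]:
                if t_b - t_a > window:
                    break  # later events are further apart still
                if actor_a != actor_b:
                    overlaps.setdefault(indicator, set()).update({actor_a, actor_b})
    return overlaps


if __name__ == "__main__":
    for indicator, actors in find_cross_actor_overlaps(SIGHTINGS).items():
        print(f"{indicator}: attributed to {sorted(actors)} within 14 days")
```

Widening `window_days` surfaces slower hand-offs (the third host above is flagged at a one-year window), at the cost of more proxy/VPN coincidences to triage.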
Link(s):
https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025