Russia–North Korea APT Collaboration? Researchers Spot a Shared IP Linking Gamaredon and Lazarus

Listen to this Post

Featured Image

Introduction

A quiet but unsettling discovery has rippled through the cybersecurity world: a single shared IP address connecting two of the planet’s most aggressive threat actors — Russia-aligned Gamaredon and North Korea’s notorious Lazarus Group. The finding emerged after researchers spotted an obfuscated InvisibleFerret payload hosted on infrastructure tied to both operations. What might look like a technical footnote has already triggered serious questions among analysts. Does this signal coordinated activity? Resource sharing? Or a new phase of offensive cooperation among states that rarely broadcast their partnerships? The report has drawn attention far beyond threat-intel circles, hinting at shifting alliances and escalating global cyber pressure.

the Original

Researchers revealed a concerning link between two major advanced persistent threat groups: Russia-aligned Gamaredon and North Korea’s Lazarus, noting that both operations appear to be connected through a shared IP address.
Gamaredon, known for rapid-fire phishing campaigns and intelligence gathering operations, has traditionally operated within Russia’s strategic interest zones. Lazarus, meanwhile, is infamous for cryptocurrency heists, destructive malware attacks, and long-term infiltration campaigns tied to North Korea’s financial and geopolitical objectives.
The shared IP was discovered while analyzing an obfuscated InvisibleFerret payload — a stealthy component believed to support reconnaissance, persistence, or data exfiltration. InvisibleFerret’s concealed nature and modular behavior made the IP overlap especially suspicious, suggesting this was not a coincidence or infrastructure reuse by random threat actors.
The finding opens multiple interpretations. One possibility is direct coordination between the two APTs, which would be significant given their historically separated missions. Another angle involves covert infrastructure leasing or proxy use, potentially indicating a third actor or shadow facilitator behind both operations.
Security analysts warn that if cooperation is real, it may enable faster malware development cycles, shared exploitation frameworks, and cross-country operational support that raises the stakes for global cyber defense teams.
The discovery comes from a report shared by Cybersecurity News Everyday, referencing hendryadrian.com, and has quickly gained traction within cyber-threat communities. The news spread across social media platforms, catching the attention of researchers tracking geopolitical cyber strategies.
Although visibility remains limited, the presence of the InvisibleFerret payload and the involvement of two nation-aligned operations suggest a deliberate setup rather than accidental crossover.
Gamaredon’s infrastructure is often noisy and quickly replaced after discovery, while Lazarus tends to operate with long-term persistence and deeply customized malware chains. The shared IP therefore signals a potential shift in how state-backed groups may align resources or exchange tools under the radar.
Industry experts note that overlaps in APT infrastructure are extremely rare unless there is intentional collaboration, infrastructure brokering, or a misdirection tactic designed to confuse investigators.
The broader cybersecurity community continues analyzing artifacts, network telemetry, and historical campaigns to determine whether this represents a new hybrid threat model where adversaries combine their strengths for greater impact.
If proven, such cooperation could reshape threat-intelligence priorities and defensive strategies for years to come. The observation has already become a key topic among analysts watching the evolving landscape of state-linked cyber warfare.

What Undercode Say:

The link between Gamaredon and Lazarus is more than a technical coincidence. It reflects the direction modern cyber-espionage is taking — a convergence of purpose, infrastructure, or at the very least, operational convenience. Shared IPs are rare among experienced APTs, especially ones backed by governments that usually guard their infrastructure with caution.
What makes this case more striking is the payload involved. InvisibleFerret is not a commodity malware family circulating in underground markets; it is a specialized, tightly controlled asset. Its presence on shared infrastructure indicates either intentional collaboration or the involvement of a shared facilitator acting between Moscow- and Pyongyang-aligned assets.
Gamaredon’s operational style is fast, aggressive, and often messy. Their campaigns prioritize volume and disruption. Lazarus operates with patience, stealth, and technical sophistication. If these two tendencies merge, defenders may face a hybrid threat capable of both rapid initial compromise and long-term persistence.
The infrastructure overlap could also represent a strategic pivot: threat actors uniting around common interests. Russia and North Korea have increasingly formed political and economic ties, and cyber cooperation would be a logical extension of these alliances. Cyber operations allow plausible deniability, rapid capability sharing, and flexible execution that avoids direct confrontation.
Another interpretation is the rise of infrastructure brokers — shadow intermediaries who lease servers, networks, and access points on demand. These brokers may have provided the IP to multiple APTs either knowingly or unknowingly, creating a veneer of collaboration where none exists.
Still, the presence of obfuscation layers around InvisibleFerret hints at a unified effort to conceal activity across teams. This isn’t sloppy reuse; it’s deliberate, layered engineering.
If the overlap continues or expands, we may witness the birth of a multi-state offensive framework, pooling the strengths of multiple high-impact actors. Such a development would dramatically complicate attribution and response efforts.
Defenders should prepare for malware families that combine Gamaredon’s swift propagation methods with Lazarus’s stealthy financial reconnaissance tools.
The stakes are rising. APT ecosystems are mutating, and state-sponsored groups appear more willing to experiment with unconventional operational partnerships. Whether this link is collaboration, misdirection, or shared outsourcing, it signals a deeper evolution in the global threat landscape — one that security teams must analyze with fresh eyes.

Fact Checker Results

Shared IP link between Gamaredon and Lazarus is supported by researcher findings. ✅

The presence of an InvisibleFerret payload on the shared infrastructure is confirmed in circulating reports. ✅

No official confirmation exists proving political cooperation between Russia and North Korea. ❌

Prediction

If the shared IP reflects genuine collaboration, expect future campaigns featuring blended techniques and faster operational tempo.
We may see InvisibleFerret evolve into a cross-APT toolkit with broader capabilities.
Global cyber-defense teams will likely prioritize deeper behavioral analysis over attribution as APT identities blur.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: x.com
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon