Gen Blogs | gendigital.com
Threat Research Team
November 19, 2025
State-sponsored hacking groups typically operate in isolation, each advancing its own nation’s goals. That’s why any sign of collaboration between them is cause for concern. Yet new evidence uncovered by Gen researchers suggests that two of the world’s most aggressive advanced persistent threat (APT) actors, Russia-aligned Gamaredon and North Korea’s Lazarus, may be operating on shared infrastructure.
This discovery hints at something much bigger than mere technical overlap. It points to a possible new stage in cyber conflict, where geopolitical alliances are mirrored in shared digital operations.
From allies on the battlefield to partners online
Russia and North Korea have maintained a long-standing partnership rooted in shared political and military interests. Moscow backed Pyongyang during and after the Korean War, and in 2024 both nations renewed that alliance through a Comprehensive Strategic Partnership that includes mutual defense commitments.
Since 2022, Pyongyang has stepped up its support for Moscow, formally recognizing Russian-claimed territories in Ukraine and reportedly supplying munitions and troops. In 2024, Reuters reported that North Korean soldiers had been deployed to fight alongside Russian forces in Ukraine, a striking example of the two countries’ deepening cooperation.
Now, we may be witnessing a digital extension of that alliance. On July 28, 2025, Gen’s internal monitoring systems detected a suspicious event linking Gamaredon and Lazarus activity through a shared IP address. The implications are significant: two state-backed actors from different countries may be coordinating at an operational level.
This development aligns with broader patterns highlighted in the Q3/2025 Threat Report, where state sponsored operations showed increasing sophistication, coordination, and diversification of infrastructure. While those observations were confined within national ecosystems, the Gamaredon–Lazarus overlap suggests that similar dynamics may now be emerging across national boundaries.
Background
Gamaredon
Gamaredon is a Russian-aligned APT active since at least 2013, primarily focused on cyber espionage. In 2021, the Security Service of Ukraine issued a press release, attributing several members of the group as part of Russia's Federal Security Service (FSB) 18th Information Security Center. Since its official inception, the group is believed to have conducted more than 5000 cyber-attacks, most of which targeted Ukrainian government agencies. However, with the onset of war in Ukraine, ESET reported that Gamaredon expanded its operations to include NATO member states, likely aiming to disrupt military aid to Ukraine, underscoring the group’s prioritization of hybrid warfare.
Lazarus
Lazarus is a state-sponsored threat actor active since 2009 and widely believed to operate under North Korea’s government. Initially focused on cyber espionage and destructive attacks, Lazarus later shifted toward financially motivated operations to fund future campaigns. In 2021, the United States Department of Justice indicted three members believed to be part of the Lazarus group, connecting them to North Korea’s Reconnaissance General Bureau (RGB), the country’s primary intelligence agency. With the rise of cryptocurrency, Lazarus increasingly targeted digital assets, as evidenced by high-profile breaches such as Stake.com ($41 million), AtomicWallet ($100 million), WazirX ($235 million), and Bybit ($1.4 billion).
Where Gamaredon spies, Lazarus steals, but both ultimately serve their governments’ strategic interests.
The discovery: a shared digital footprint
Just one day after the announcement of new direct flights between Moscow and Pyongyang, Gen identified indicators of a potential collaboration between the Gamaredon and Lazarus APTs. On July 24, 2025, our system tracking Gamaredon’s Command-and-Control (C2) servers via known Telegram and Telegraph channels blocked an IP address:
144[.]172[.]112[.]106
Four days later, during a routine check, the same server was found hosting an obfuscated version of InvisibleFerret (SHA256: 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d), a malware strain attributed to Lazarus. The payload matched Lazarus’ tooling and was delivered through an identical server structure (URL: http[://]144[.]172[.]112[.]106/payload/99/81) previously seen in ContagiousInterview, a Lazarus campaign that targeted job seekers with fake recruitment messages. While the IP could represent a proxy or VPN endpoint, the temporal proximity of both groups’ activity and the shared hosting pattern indicate probable infrastructure reuse, with moderate confidence of operational collaboration. Whether Lazarus leveraged a Gamaredon-controlled server or both actors shared the same client instance remains unclear, but the overlap is too close to ignore.
Implications for the global threat landscape
Cross-country collaborations in the APT ecosystem remain exceptionally rare. The last widely acknowledged example dates back to 2014 with the Regin malware, reportedly co-developed by the U.S. National Security Agency (NSA) and the U.K.’s Government Communications Headquarters (GCHQ).
If confirmed, the Gamaredon–Lazarus overlap would represent the first known case of Russian–North Korean cyber collaboration in the wild.
Such a partnership could have wide-ranging implications:
Operational synergy: Lazarus’s expertise in monetizing cyberattacks through cryptocurrency theft could help Gamaredon fund or conceal future operations.
Strategic alignment: Russia, facing mounting economic and military pressure, could benefit from North Korea’s established infrastructure for covert financial operations.
Escalation potential: This kind of collaboration blurs the line between espionage, sabotage, and organized cybercrime, expanding both nations’ offensive reach.
Not an isolated case: national ecosystems are merging
While cross-border APT collaboration is rare, cooperation within national ecosystems has become increasingly common.
Lazarus x Kimsuky
Kimsuky is another North Korean APT group. It has been active since around 2012 and assessed by Mandiant to operate under the RGB. The group specializes in advanced cyber-espionage campaigns, primarily targeting government entities and consumer-facing organizations.
During analysis of Lazarus’ ContagiousInterview payloads, Gen researchers found that an IP address (216[.]219[.]87[.]41) later reappeared in Kimsuky-linked payloads (e.g., cce27340fd6f32d96c65b7b1034c65d5026d7d0b96c80bcf31e40ab4b8834bcd). This suggests infrastructure reuse or coordination between RGB units, evidence of alignment at North Korea’s national level.
DoNot x SideWinder
DoNot and SideWinder are state-sponsored APT groups believed to have been active since 2013 and 2012, respectively, both with ties to the Indian government and a primary focus on cyber espionage.
Gen identified a DoNot-attributed payload (8bb089d763d5d4b4f96ae59eb9d8f919e6a49611c183f636bfd5c01696447938) that later executed a known SideWinder loader (f4d10604980f8f556440460adc71883f04e24231d0a9a3a323a86651405bedfb). The victim was located in Pakistan, consistent with the typical targeting profile of both groups. This cooperation resembles the previously observed Gamaredon x Turla collaboration, indicating that intra-country partnerships are becoming a tactical norm.
A new phase in cyber geopolitics
The evidence of infrastructure overlap between Lazarus and Gamaredon represents a significant development in the global threat landscape. Historically, cross-country APT collaborations have been exceedingly rare, with only a handful of confirmed cases such as Stuxnet and Regin. This potential partnership signals a shift toward more complex and unpredictable alliances, where geopolitical interests may drive operational convergence.
While the Lazarus–Gamaredon case stands out for its strategic implications, the observed intranational collaborations, such as Lazarus with Kimsuky and DoNot with SideWinder, are equally important. These partnerships demonstrate a growing trend of resource sharing and tactical alignment within national ecosystems, amplifying the reach and resilience of state-sponsored campaigns.
For defenders, these findings underscore an urgent need to adapt detection strategies beyond single-actor attribution. Shared infrastructure, overlapping TTPs, and modular malware frameworks mean that traditional attribution models may fail to capture the full scope of risk. Security teams must:
Enhance infrastructure correlation analysis to detect cross-group overlaps early.
Prioritize intelligence sharing across organizations and sectors to identify emerging alliances.
Implement layered defenses capable of mitigating diverse tactics from multiple threat actors leveraging common resources.
The era of isolated APT operations is fading. As adversaries evolve through collaboration, defenders must respond with equal agility and cooperation to safeguard critical assets.
Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster.
In today’s cyberthreat landscape, even seconds of delay can mean the difference between stopping a cyberattack or falling victim to ransomware. One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as inconsistencies in naming across platforms. This, in turn, can reduce confidence, complicate analysis, and delay response. As outlined in the National Institute of Standards and Technology’s (NIST) guidance on threat sharing (SP 800-1501), aligning how we describe and categorize cyberthreats can improve understanding, coordination, and overall security posture.
That’s why we are excited to announce that Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies. By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence.
Read about Microsoft and Crowdstrike’s joint threat actor taxonomy
Names are how we make sense of the threat landscape and organize insights into known or likely cyberattacker behaviors. At Microsoft, we’ve published our own threat actor naming taxonomy to help researchers and defenders identify, share, and act on our threat intelligence, which is informed by the 84 trillion threat signals that we process daily. But the same actor that Microsoft refers to as Midnight Blizzard might be referred to as Cozy Bear, APT29, or UNC2452 by another vendor. Our mutual customers are always looking for clarity. Aligning the known commonalities among these actor names directly with peers helps to provide greater clarity and gives defenders a clearer path to action.
Introducing a collaborative reference guide to threat actors
Microsoft and CrowdStrike are publishing the first version of our joint threat actor mapping. It includes:
A list of common actors tracked by Microsoft and CrowdStrike mapped by their respective taxonomies.
Corresponding aliases from each group’s taxonomy.
This reference guide serves as a starting point, a way to translate across naming systems so defenders can work faster and more efficiently, especially in environments where insights from multiple vendors are in play. This reference guide helps to:
Improve confidence in threat actor identification.
Streamline correlation across platforms and reports.
Accelerate defender action in the face of active cyberthreats.
This effort is not about creating a single naming standard. Rather, it’s meant to help our customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.
EclecticIQ analysts assess with high confidence that, in April 2025, China-nexus nation-state APTs (advanced persistent threat) launched high-temp exploitation campaigns against critical infrastructure networks by targeting SAP NetWeaver Visual Composer. Actors leveraged CVE-2025-31324 [1], an unauthenticated file upload vulnerability that enables remote code execution (RCE). This assessment is based on a publicly exposed directory (opendir) found on attacker-controlled infrastructure, which contained detailed event logs capturing operations across multiple compromised systems.
EclecticIQ analysts link observed SAP NetWeaver intrusions to Chinese cyber-espionage units including UNC5221 [2], UNC5174 [3], and CL-STA-0048 [4] based on threat actor tradecrafts patterns. Mandiant and Palo Alto researchers assess that these groups connect to China's Ministry of State Security (MSS) or affiliated private entities. These actors operate strategically to compromise critical infrastructures, exfiltrate sensitive data, and maintain persistent access across high-value networks worldwide.
Uncategorized China-Nexus Threat Actor Scanning the Internet for CVE-2025-31324 and Upload Webshells
EclecticIQ analysts assess with high confidence that, a very likely China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. Threat actor–controlled server hosted at IP address 15.204.56[.]106 exposed the scope of the SAP NetWeaver intrusions [5].
La France condamne avec la plus grande fermeté le recours par le service de renseignement militaire russe (GRU) au mode opératoire d’attaque APT28, à l’origine de plusieurs cyber-attaques contre des intérêts français.
Depuis 2021, ce mode opératoire d’attaque (MOA) a été utilisé dans le ciblage ou la compromission d’une dizaine d’entités françaises. Ces entités sont des acteurs de la vie des Français : services publics, entreprises privées, ainsi qu’une organisation sportive liée à l’organisation des Jeux olympiques et paralympiques 2024. Par le passé, ce mode opératoire a également été utilisé par le GRU dans le sabotage de la chaîne de télévision TV5Monde en 2015, ainsi que dans la tentative de déstabilisation du processus électoral français en 2017.
APT28 est aussi employé pour exercer une pression constante sur les infrastructures ukrainiennes dans le contexte de la guerre d’agression menée par la Russie contre l’Ukraine, notamment lorsqu’il est opéré par l’unité 20728 du GRU. De nombreux partenaires européens ont également été visés par APT28 au cours des dernières années. À ce titre, l’UE a imposé des sanctions aux personnes et entités responsables des attaques menées à l’aide de ce mode opératoire.
North Korea is behind the massive crypto hack, according to several blockchain monitoring firms and a well-known researcher
The department notified lawmakers of the episode, which it said was linked to a state-sponsored actor in China.
In a letter informing lawmakers of the episode, the Treasury Department said that it had been notified on Dec. 8 by a third-party software service company, BeyondTrust, that the hacker had obtained a security key that allowed it to remotely gain access to certain Treasury workstations and documents on them
Treasury officials attributed the December theft of unclassified documents to China.
The Treasury said it was notified on December 8 by BeyondTrust, a company that provides identity access and remote support tech for large organizations and government departments, that hackers had “gained access to a key used by the vendor” for providing remote access technical support to Treasury employees. BeyondTrust disclosed the incident at the time, but did not say how the key was obtained.
APT29 aka Midnight Blizzard recently attempted to phish thousands of people. Building on work by CERT-UA, Amazon recently identified internet domains abused by APT29, a group widely attributed to Russia’s Foreign Intelligence Service (SVR). In this instance, their targets were associated with government agencies, enterprises, and militaries, and the phishing campaign was apparently aimed at […]
The EU issued a statement strongly condemning the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia.
Czechia jointly with Germany, the European Union, NATO and international partners strongly condemns activities of the Russian state-controlled actor APT28, who has been conducting a long-term cyber espionage campaign in European countries. APT28 is associated with Russian military intelligence service GRU.
APT44 is a threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations.
Today, Microsoft’s Digital Threat Analysis Center (DTAC) is attributing a recent influence operation targeting the satirical French magazine Charlie Hebdo
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B.
Updates on security incident
Mandiant attributes the ransomware attack against the Albanian government network in July of 2022 to an Iranian threat actor.
Declaration by the Minister for Foreign Affairs on behalf of the Belgian Government urging Chinese authorities to take action against malicious cyber activities undertaken by Chinese actors.
Si les sanctions économiques contre la Russie ont un impact significatif, il en est autrement de celles imposées dans le domaine cyber.
An infamous ransomware group with potential ties to Russian intelligence and known for attacking health care providers and hundreds of other targets posted a warning Friday saying it was “officially announcing a full support of Russian government.”
Un ex-officier de la CIA évoque les risques et avantages de la stratégie américaine de divulguer des informations brutes du Renseignement pour faire pression sur la Russie
The White House rapidly gathered evidence and blamed Russia for a cyberattack against Ukraine, the latest sign that cyber attribution is an increasingly crucial tool in the American arsenal.
