Two of the world’s most active state-linked hacking groups — Russia’s Gamaredon and North Korea’s Lazarus — appear to be sharing digital infrastructure and operational resources, according to new research released on Thursday. The findings, uncovered by cybersecurity firm Gen Digital, suggest an extraordinary level of coordination between two nations already deepening their geopolitical and military ties.
Gen Digital analysts said they identified overlapping tactics, shared servers, and evidence of cross-use of malware tools between the groups. “The discovery is unprecedented,” said Michal Salat, the firm’s Director of Threat Intelligence. “I don’t recall two countries working together on [Advanced Persistent Threat] attacks.” The term APT refers to long-duration, highly sophisticated hacking campaigns typically conducted or supported by nation-state actors.
If confirmed, the coordination could represent a major shift in the cyber landscape, with Moscow and Pyongyang taking their strategic partnership into the digital domain.
Gamaredon — also known as Primitive Bear — is widely believed to be connected to Russia’s Federal Security Service (FSB) and has intensified its operations against Ukrainian government networks since Russia invaded Ukraine in 2022. Its campaigns are known for rapid, persistent intrusion attempts aimed primarily at gathering intelligence or enabling further Russian cyber operations.
Lazarus, meanwhile, is associated with North Korea’s primary intelligence agency and is one of the most notorious cybercrime collectives in the world. Its activities range from espionage against governments and defense industries to large-scale financial theft, particularly cryptocurrency heists that help Pyongyang evade global sanctions.
The new research shows that while tracking Gamaredon’s use of Telegram channels to share command-and-control server addresses, analysts found that at least one server used to direct Gamaredon malware was also being used by Lazarus. In a separate case, a Gamaredon-operated server was discovered hosting a concealed version of malware strongly resembling Lazarus’ tools, with code overlaps and operational signatures that closely matched Lazarus’ historical attacks.
Such cross-hosting is rare — if not unheard of — in the world of state-backed cyber operations, where groups typically guard their infrastructure and malware to avoid exposure, attribution, and operational compromise. “Nation-state hacking groups rarely, if ever, host or distribute one another’s malware,” the researchers noted.
Investigators say the findings point to three possibilities: direct cooperation between the two groups, shared access to infrastructure provided by one of the states, or one group deliberately imitating the other to cause confusion during attribution.
But Salat said the evidence leans toward collaboration: “The degree of overlap suggests they are likely sharing systems and could very well be working together.”
It is also possible that Gamaredon is studying Lazarus’ methods. Lazarus is notorious for deploying fake job-recruitment lures to bait victims and has played a central role in cryptocurrency theft, which remains a key revenue stream for isolated North Korea.
The apparent digital cooperation comes as Moscow and Pyongyang grow closer on several fronts.
Western intelligence agencies believe North Korea has sent thousands of military personnel to Russia to support the war in Ukraine — claims Moscow denies. Ukrainian authorities last month accused North Korean soldiers of flying drones along the Russia–Ukraine border, while Ukraine’s military intelligence service recently said Pyongyang plans to dispatch thousands of laborers to Russian drone factories.
The two governments have also expanded weapons trade and military coordination, with North Korea supplying artillery and ballistic missiles to Russian forces, according to US and South Korean officials.
Against that backdrop, analysts say the emergence of a Russian–North Korean cyber nexus should not come as a surprise — but the operational depth implied by shared infrastructure marks a striking new frontier.
If verified, the partnership could strengthen both countries’ digital strike capabilities: Russia gains access to a group skilled in global financial theft and covert operations, while North Korea benefits from Russia’s technological expertise and expansive cyber battlefield experience in Ukraine.