Gen researchers discovered evidence of infrastructure overlap linking Russia-aligned Gamaredon and North Korea’s Lazarus, with a shared IP (144[.]172[.]112[.]106) hosting an obfuscated InvisibleFerret payload. This overlap, plus other reused IPs across North Korean groups, suggests possible cross-country and intra-national APT cooperation that could enable operational synergy and broaden offensive capabilities. #Gamaredon #Lazarus
Key points
- Gen detected a shared IP (144[.]172[.]112[.]106) linked to both Gamaredon C2 tracking and an obfuscated Lazarus payload (InvisibleFerret, SHA256 listed).
- The same server structure (http://144[.]172[.]112[.]106/payload/99/81) matched previous Lazarus ContagiousInterview campaigns, indicating identical delivery patterns.
- Temporal proximity of events and identical hosting patterns indicate probable infrastructure reuse with moderate confidence of operational collaboration between Gamaredon and Lazarus.
- Additional infrastructure reuse was observed within national ecosystems, including an IP (216[.]219[.]87[.]41) reused by Lazarus and Kimsuky, and a DoNot payload that later executed a SideWinder loader.
- If confirmed, Russian–North Korean cyber collaboration would mark an unprecedented cross-country APT partnership with strategic and financial implications.
- Defensive implications include the need for enhanced infrastructure correlation, intelligence sharing, and layered detection to address multi-actor resource sharing.
MITRE Techniques
- [T1102] Web Service – Gamaredon used Telegram and Telegraph channels for command-and-control (‘tracking Gamaredon’s Command-and-Control (C2) servers via known Telegram and Telegraph channels’)
- [T1071] Application Layer Protocol – HTTP used to host and deliver payloads from the shared server (‘http://144[.]172[.]112[.]106/payload/99/81’)
- [T1105] Ingress Tool Transfer – Malware payloads (InvisibleFerret) were hosted on and transferred from an external server (‘hosting an obfuscated version of InvisibleFerret (SHA256: 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d)’)
- [T1027] Obfuscated Files or Information – Lazarus delivered an obfuscated payload to evade detection (‘obfuscated version of InvisibleFerret (SHA256: 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d)’)
- [T1566] Phishing – Lazarus’ ContagiousInterview used recruitment lures to deliver payloads to job seekers (‘targeted job seekers with fake recruitment messages’)
- [T1583] Acquire Infrastructure – Reuse and sharing of IP addresses and hosting infrastructure suggests the actors acquired or shared infrastructure (‘blocked an IP address: 144[.]172[.]112[.]106’ and ‘IP address (216[.]219[.]87[.]41) later reappeared in Kimsuky-linked payloads’)
- [T1204] User Execution – Campaigns relied on user interaction with lures to execute delivered payloads (e.g., ContagiousInterview recruitment messages leading to payload execution) (‘targeted job seekers with fake recruitment messages’)
Indicators of Compromise
- [IP Address] shared hosting and C2 infrastructure – 144[.]172[.]112[.]106 (Gamaredon/Lazarus overlap), 216[.]219[.]87[.]41 (Lazarus/Kimsuky reuse)
- [File hash] payload hashes – 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d (InvisibleFerret SHA256), cce27340fd6f32d96c65b7b1034c65d5026d7d0b96c80bcf31e40ab4b8834bcd (Kimsuky-linked), and 3 more hashes
- [URL] payload delivery path – http://144[.]172[.]112[.]106/payload/99/81 (Lazarus/ContagiousInterview delivery structure)
- [Malware/Campaign] named payloads and campaigns – InvisibleFerret (Lazarus attribution), ContagiousInterview (Lazarus campaign targeting job seekers)
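The "enhanced infrastructure correlation" that the key points call for, applied to the indicator list above, as an added Python example (not Gen's code or tooling): it refangs the page's indicators, collapses URLs onto their host so that a Lazarus payload URL and a Gamaredon C2 IP pivot to the same key, and flags every infrastructure element attributed to more than one actor, labelling each overlap cross-country or intra-national from the alignments the post states. The record layout, field names, evidence strings and the two-letter country shorthand are assumptions made for the example.

```python
"""Cross-actor infrastructure correlation over attributed IoC records.

Added example, not code from Gen Digital or the original post. Indicators,
actor names and attributions are taken from the page; the record layout,
field names, evidence strings and country shorthand are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Alignment as stated on the page (Russia-aligned Gamaredon; North Korean
# Lazarus and Kimsuky). The two-letter labels are our own shorthand.
ACTOR_COUNTRY = {"Gamaredon": "RU", "Lazarus": "KP", "Kimsuky": "KP"}

# Constructed feed records: one attributed observation of an indicator each.
RECORDS = [
    {"indicator": "144[.]172[.]112[.]106", "type": "ip", "actor": "Gamaredon",
     "evidence": "C2 tracking via Telegram/Telegraph channels"},
    {"indicator": "http://144[.]172[.]112[.]106/payload/99/81", "type": "url",
     "actor": "Lazarus", "evidence": "ContagiousInterview delivery structure"},
    {"indicator": "128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d",
     "type": "sha256", "actor": "Lazarus", "evidence": "obfuscated InvisibleFerret"},
    {"indicator": "216[.]219[.]87[.]41", "type": "ip", "actor": "Lazarus",
     "evidence": "Lazarus-linked hosting"},
    {"indicator": "216[.]219[.]87[.]41", "type": "ip", "actor": "Kimsuky",
     "evidence": "reappeared in Kimsuky-linked payloads"},
    {"indicator": "cce27340fd6f32d96c65b7b1034c65d5026d7d0b96c80bcf31e40ab4b8834bcd",
     "type": "sha256", "actor": "Kimsuky", "evidence": "Kimsuky-linked payload"},
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('144[.]172[.]...', 'hxxp://') into its real form."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s


def pivot_key(record: dict) -> tuple[str, str]:
    """Reduce a record to the infrastructure element worth pivoting on.

    URLs collapse to their host so a URL seen by one actor and a bare IP seen
    by another land on the same key; hashes are normalised to lowercase.
    """
    value = refang(record["indicator"])
    kind = record["type"]
    if kind == "url":
        host = urlsplit(value).hostname or value
        return ("host", host.lower())
    if kind == "ip":
        return ("host", value.lower())
    return (kind, value.lower())


def correlate(records: list[dict]) -> dict[tuple[str, str], dict]:
    """Index every pivot key to the set of actors and the evidence seen on it."""
    index: dict[tuple[str, str], dict] = defaultdict(
        lambda: {"actors": set(), "evidence": []})
    for rec in records:
        key = pivot_key(rec)
        index[key]["actors"].add(rec["actor"])
        index[key]["evidence"].append(f'{rec["actor"]}: {rec["evidence"]}')
    return dict(index)


def classify(actors: set[str]) -> str:
    """Label an overlap the way the page does: cross-country vs intra-national.

    An actor with no known alignment yields 'unresolved' so the overlap is
    surfaced for analyst review rather than silently misfiled.
    """
    countries = {ACTOR_COUNTRY.get(a) for a in actors}
    if None in countries:
        return "unresolved"
    return "cross-country" if len(countries) > 1 else "intra-national"


def find_overlaps(records: list[dict]) -> list[dict]:
    """Return every infrastructure element attributed to more than one actor."""
    overlaps = []
    for (kind, value), data in correlate(records).items():
        if len(data["actors"]) > 1:
            overlaps.append({
                "kind": kind,
                "value": value,
                "actors": sorted(data["actors"]),
                "relationship": classify(data["actors"]),
                "evidence": data["evidence"],
            })
    return sorted(overlaps, key=lambda o: o["value"])


if __name__ == "__main__":
    for o in find_overlaps(RECORDS):
        print(f'{o["value"]:20} {o["relationship"]:16} {", ".join(o["actors"])}')
        for line in o["evidence"]:
            print("    -", line)
```

Run as-is it reports the two overlaps the post describes: 144.172.112.106 shared by Gamaredon and Lazarus (cross-country) and 216.219.87.41 shared by Lazarus and Kimsuky (intra-national); the lone hashes produce no finding. Feeding the same functions a larger attributed feed is the correlation step; the `evidence` list on each hit is what an analyst reads to decide whether the overlap is shared infrastructure or a coincidence of bulletproof hosting.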
Read more: https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025