Russia–North Korea cyber links raise alarm across Europe

November 22, 2025

Joint activity between Gamaredon and Lazarus signals growing cyber coordination

A rare overlap between the Russian group Gamaredon and North Korea’s Lazarus has prompted concerns over a widening threat to European security, after analysts at Gen Digital identified shared infrastructure and matching toolsets in recent operations. Their findings, highlighted in Politico through an analysis of coordinated activity between Gamaredon and Lazarus, suggest an emerging pattern of collaboration between two state-linked actors long known for disruptive campaigns. Michal Salat, Gen Digital’s director of threat intelligence, called the discovery “unprecedented,” noting he could not recall another case of two nations jointly conducting advanced persistent threat operations.

Analysts observed that a server managed by Gamaredon, a group tied to Russia’s FSB, contained a concealed malware variant typical of Lazarus. The overlap was detected while tracking Gamaredon’s use of Telegram channels to circulate command-and-control server addresses. Such direct coexistence is extremely rare, as state-sponsored groups almost never host or distribute one another’s malicious code. According to the researchers, the findings point to either shared systems or intentional imitation, deepening concerns about a fusion of capabilities.

Expanding military alignment between Moscow and Pyongyang

The cybersecurity revelations coincide with an intensifying military partnership between Russia and North Korea. Pyongyang has reportedly dispatched at least 15,000 soldiers to support Russia’s war effort in Ukraine, reflecting the transformation of their relationship into a broader strategic alliance. Their cooperation now spans military, economic and cyber domains, reinforcing a joint posture that challenges regional and global stability.

This growing alignment allows both states to synchronize political decisions with operational strategies in cyberspace. The analysis from Gen Digital suggests that Moscow and Pyongyang are moving beyond parallel operations toward a new model of cyber partnership that enhances the sophistication and reach of their campaigns. With multilayered and dispersed infrastructure, attribution becomes more complex, shielding future attacks behind overlapping technical signatures.

Risks of a more complex threat landscape

A convergence between Gamaredon’s intelligence-driven operations and Lazarus’s expertise in financially motivated cybercrime raises the prospect of more advanced and large-scale attacks. Combined methods could target government networks, banks, energy systems or international organizations, enabling threats that blend espionage, financial theft and disruptive activity. For Ukraine, the implications are immediate: Gamaredon has focused on compromising Ukrainian government networks since the start of Russia’s full-scale invasion in 2022, and cooperation with Lazarus could intensify pressure on state institutions and military assets.

Western countries may face heightened financial attacks, particularly cryptocurrency theft and schemes involving fake job offers—tactics long associated with Lazarus. The merging of resources and techniques between the groups risks creating an interconnected web of cyber alliances among authoritarian regimes and isolated states, where shared tools and blended signatures make detection significantly harder.

Strengthening defence and international coordination

The prospect of deeper cooperation between state-sponsored hackers underscores the urgent need for stronger international coordination in cyber defence. Western governments and Ukraine are encouraged to expand joint monitoring centres, enhance real-time information sharing and develop rapid-response mechanisms, including targeted sanctions against companies or individuals enabling hostile cyber infrastructure. Investment in advanced APT research teams is essential to detect and neutralize threats at early stages.

For companies—particularly in the financial and energy sectors—multilayered security systems and regular staff training are becoming critical. Public awareness of Lazarus’s techniques, including fraudulent job offers and cryptocurrency schemes, can help reduce the human-factor vulnerabilities that often determine the success of cyber intrusions. As coordinated activity between Gamaredon and Lazarus evolves, effective defence will depend on a combination of institutional resilience, technological capability and informed vigilance.
