Alliances of convenience: How APTs are beginning to work together

2025-11-19 Gen Digital

https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025


Gen researchers identified a possible operational overlap between Russia-aligned Gamaredon and North Korea's Lazarus through shared use of the IP address 144.172.112.106. The server was first blocked as part of Gamaredon command-and-control tracking and, four days later, was found hosting an obfuscated InvisibleFerret payload consistent with Lazarus Contagious Interview infrastructure. The payload was served from a matching /payload/99/81 path, but the report assesses the overlap with only moderate confidence because a proxy, a VPN endpoint, or a shared client instance cannot be ruled out. A separate case, in which 216.219.87.41 reappeared across Lazarus- and Kimsuky-linked payloads, reinforces the need for defenders to correlate infrastructure across DPRK-linked and allied state activity rather than relying on single-actor attribution.
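The cross-actor check the report recommends, as an added illustration (not code from Gen's report): indicator sightings tagged with an actor label are grouped by value, and any value seen under more than one actor is flagged together with the time gap between sightings and the report's "shared hosting, proxy or VPN" caveat. Only the two IP addresses come from the report; the actor labels and sighting dates below are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample feed: (indicator, attributed actor, date seen).
# The two IPs are named in the report; labels and dates are illustrative.
SIGHTINGS = [
    ("144.172.112.106", "Gamaredon", date(2025, 8, 12)),   # C2 tracking block
    ("144.172.112.106", "Lazarus", date(2025, 8, 16)),     # payload seen 4 days later
    ("216.219.87.41", "Lazarus", date(2025, 11, 19)),
    ("216.219.87.41", "Kimsuky", date(2025, 11, 19)),
    ("stake.com", "Lazarus", date(2023, 9, 5)),            # single-actor, not flagged
]

# Overlap assessment mirrors the report's reasoning: a shared address is
# suggestive, but a proxy, VPN endpoint or shared client instance can
# produce the same picture, so confidence stays moderate at best.
CAVEAT = "moderate: proxy, VPN endpoint or shared client instance not ruled out"


def cross_actor_overlaps(sightings, max_gap_days=7):
    """Return {indicator: {...}} for every indicator attributed to more
    than one actor.  'gap_days' is the span between the earliest and
    latest sighting; 'tight' marks spans within max_gap_days, which are
    the cases most worth an analyst's time."""
    by_value = defaultdict(list)
    for value, actor, seen in sightings:
        by_value[value].append((actor, seen))

    overlaps = {}
    for value, hits in by_value.items():
        actors = sorted({actor for actor, _ in hits})
        if len(actors) < 2:
            continue                      # single attribution, nothing to correlate
        dates = [seen for _, seen in hits]
        gap = (max(dates) - min(dates)).days
        overlaps[value] = {
            "actors": actors,
            "gap_days": gap,
            "tight": gap <= max_gap_days,
            "assessment": CAVEAT,
        }
    return overlaps


if __name__ == "__main__":
    for value, info in cross_actor_overlaps(SIGHTINGS).items():
        print(value, info["actors"], f"gap={info['gap_days']}d", info["assessment"])
```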

Indicators of Compromise

Type    Value                               First Seen   Last Seen
IPv4    144.172.112.106                     2025-08-12   2026-01-21
DOMAIN  stake.com                           2023-09-05   2025-12-31
HASH    f4d10604980f8f556440460adc71883…    2025-11-19   2025-11-19
HASH    128da948f7c3a6c052e782acfee5033…    2025-11-19   2025-11-19
HASH    cce27340fd6f32d96c65b7b1034c65d…    2025-11-19   2025-11-19
HASH    8bb089d763d5d4b4f96ae59eb9d8f91…    2025-11-19   2025-11-19
IPv4    216.219.87.41                       2025-11-19   2025-11-19
