Ravie Lakshmanan | Feb 24, 2026 | Threat Intelligence / Healthcare

The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.

Broadcom’s threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The group has claimed more than 366 attacks to date.

“Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025,” the company said in a report shared with The Hacker News.

“Victims included a non-profit in the mental health sector and an educational facility for autistic children. It is unknown if all these victims were targeted by North Korean operatives or if other Medusa affiliates were responsible for some of these attacks. The average ransom demand in that period was $260,000.”

The use of ransomware by North Korean hacking groups is not without precedent. As far back as 2021, a Lazarus sub-cluster referred to as Andariel (aka Stonefly) was observed striking entities in South Korea, Japan, and the U.S. with bespoke ransomware families like SHATTEREDGLASS, Maui, and H0lyGh0st.

Then, in October 2024, the hacking crew was also linked to a Play ransomware attack, marking the transition to an off-the-shelf locker to encrypt victim systems and demand a ransom.

That said, Andariel is not alone in shifting from custom ransomware to an already available variant. Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.

These changes possibly signal a tactical shift in which North Korean hacking groups operate as affiliates of established RaaS operations rather than developing their own tools, the company told The Hacker News.

“The motivation is most likely pragmatism,” Dick O’Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, said. “Why go to the trouble of developing your own ransomware payload when you can use a tried-and-tested threat such as Medusa or Qilin? They may have decided that the benefits outweigh the costs in terms of affiliate fees.”

The Lazarus Group’s Medusa ransomware campaign includes the use of various tools –

  • RP_Proxy, a custom proxy utility
  • Mimikatz, a publicly available credential dumping program
  • Comebacker, a custom backdoor exclusively used by the threat actor
  • InfoHook, an information stealer previously identified as used in conjunction with Comebacker
  • BLINDINGCAN (aka AIRDRY or ZetaNile), a remote access…




Last Update: February 24, 2026