North Korean Lazarus Group Now Working With Medusa Ransomware

North Korean state-backed Lazarus actors have deployed the Medusa ransomware in extortion attempts against U.S. healthcare and other organizations. Symantec and Carbon Black linked Medusa deployments and leak-site postings to recent incidents, and Symantec published file-based IOCs (SHA-256 hashes for Medusa and multiple loaders and backdoors) together with network indicators. Analysts note that the Lazarus sub-group Stonefly (Andariel) uses a broad toolset to support extortion operations that help fund the regime's intelligence activities. #Medusa #Lazarus

Keypoints

  • Symantec and Carbon Black found evidence of North Korean (Lazarus) actors deploying Medusa ransomware in attacks, including one in the Middle East and an unsuccessful attack against a U.S. healthcare organization.
  • Medusa is operated by the Spearwing cybercrime group as ransomware-as-a-service (RaaS), launched in 2023; its affiliates have claimed more than 366 attacks.
  • Analysis of the Medusa leak site shows at least four U.S. healthcare and non-profit victims since November 2025, including a mental-health non-profit and an educational facility for autistic children, with an average ransom demand of $260,000.
  • The Lazarus sub-group Stonefly (aka Andariel) has a history of extortion campaigns; one member, Rim Jong Hyok, was indicted in July 2024, and a $10M reward was offered for information on him.
  • The observed toolset mixes custom and off-the-shelf tools: Comebacker (custom backdoor/loader), Blindingcan (RAT), ChromeStealer (browser password theft), Curl, Infohook, Mimikatz (credential dumping), and RP_Proxy (custom proxying tool).
  • Symantec published extensive IOCs (file hashes, suspicious files, IP addresses, and domains); Symantec endpoint products detect and block the malicious files, and users are referred to the Symantec Protection Bulletin for mitigations.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Medusa was deployed to encrypt victims' files and extort payment (‘Medusa ransomware’)
  • [T1003] OS Credential Dumping – attackers harvested credentials with a publicly available credential-dumping tool (‘Mimikatz: A publicly available credential dumping tool.’)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – a file was used for DLL sideloading so that malicious code runs inside a legitimate application's process (‘16d57ff889aab5b8c8a646da99d5a9335177fb4c158191baa1cf199f0e818d3a – File used for DLL sideloading’)
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – stored browser passwords were extracted (‘ChromeStealer: A tool for extracting stored passwords from the Chrome browser.’)
  • [T1105] Ingress Tool Transfer – a custom loader was used to bring additional tooling onto compromised hosts (‘Comebacker: A custom backdoor and loader exclusively associated with Lazarus.’)
  • [T1090] Proxy – a custom proxying tool was used to relay command-and-control traffic (‘RP_Proxy: A custom proxying tool.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – curl was used to transfer data over HTTP and other network protocols (‘Curl: An open-source command-line tool for transferring data using various network protocols.’)

Indicators of Compromise

  • [File hashes] SHA-256 hashes of malware and loaders published by Symantec – 15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10 (Medusa ransomware), 0842dd5c1f79f313ea08c49d1fb227654c32485b3f413e354dbe47b8a519a120 (Comebacker), and 60 more hashes in the full list.
  • [Network indicators] C2 and infrastructure IP addresses observed – 23.27.140[.]49, 23.27.140[.]135, and 2 more IPs associated with the activity; values are defanged with “[.]” and must be refanged before being loaded into a blocklist or search.
  • [Domains] Malicious or infrastructure domains linked to the campaigns and hosting – amazonfiso[.]com, human-check[.]com, and 5 more domains identified in Symantec’s indicators list.
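Published indicators are only useful once matched against local telemetry, and two mistakes are common: forgetting to refang the “[.]” values, and matching IPs as substrings (which flags 123.27.140.49 when the indicator is 23.27.140.49). The following Python script is an added example, not Symantec's code: it refangs the indicators quoted above, hashes files, and scans log lines for exact IP hits and domain or subdomain hits. Only the two hashes, two IPs and two domains come from the bulletin; the log format, the log lines and the sample file are constructed here so it runs offline.

```python
"""Match published (defanged) IOCs against local files and network logs.

Added example, not Symantec's code. Only the hash, IP and domain values come
from the bulletin summarized above; the log format, log lines and sample file
are constructed so the script runs offline.
"""
import hashlib
import ipaddress
import os
import re
import tempfile

# Indicators exactly as published: defanged with "[.]" so they are not clickable.
IOC_HASHES = {
    "15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10": "Medusa ransomware",
    "0842dd5c1f79f313ea08c49d1fb227654c32485b3f413e354dbe47b8a519a120": "Comebacker",
}
IOC_IPS = ["23.27.140[.]49", "23.27.140[.]135"]
IOC_DOMAINS = ["amazonfiso[.]com", "human-check[.]com"]

# Constructed log lines (assumed format: "<timestamp> <source> <dns|proxy> <target>").
CONSTRUCTED_LOG = [
    "2026-01-12T03:14:07Z 10.0.5.21 dns amazonfiso.com",
    "2026-01-12T03:14:08Z 10.0.5.21 proxy 23.27.140.49",
    "2026-01-12T03:15:00Z 10.0.5.22 dns cdn.human-check.com",         # subdomain of a listed domain: hit
    "2026-01-12T03:15:01Z 10.0.5.22 dns amazonfiso.com.example.net",  # lookalike, not a subdomain: no hit
    "2026-01-12T03:16:00Z 10.0.5.23 proxy 123.27.140.49",             # naive substring search would flag this
    "2026-01-12T03:16:30Z 10.0.5.23 proxy 23.27.140.135",
]
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|proxy) (?P<target>\S+)")


def refang(indicator: str) -> str:
    """Convert a defanged indicator ("a[.]b", "hxxp://") into a matchable value."""
    value = indicator.strip().lower()
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if value.startswith("hxxp"):
        value = "http" + value[4:]
    return value


def sha256_of_file(path: str) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_files(paths, hashes):
    """Return [(path, label)] for every file whose SHA-256 is in `hashes`."""
    hits = []
    for path in paths:
        label = hashes.get(sha256_of_file(path))
        if label is not None:
            hits.append((path, label))
    return hits


def scan_logs(lines, ips, domains):
    """Return [(line, target)] for exact IP hits and domain/subdomain hits.

    IPs are compared as parsed addresses, not substrings, so 123.27.140.49 does
    not match 23.27.140.49; domains match themselves and their subdomains only.
    """
    ip_set = {ipaddress.ip_address(refang(ip)) for ip in ips}
    domain_set = {refang(d) for d in domains}
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match is None:
            continue  # unparsable line: skip rather than guess
        target = match["target"].lower().rstrip(".")
        try:
            if ipaddress.ip_address(target) in ip_set:
                hits.append((line, target))
            continue  # it parsed as an IP, so the domain check does not apply
        except ValueError:
            pass  # not an IP literal: fall through to the domain check
        if any(target == d or target.endswith("." + d) for d in domain_set):
            hits.append((line, target))
    return hits


def demo():
    """Run both scanners on constructed input; returns (network_hits, file_hits)."""
    network_hits = scan_logs(CONSTRUCTED_LOG, IOC_IPS, IOC_DOMAINS)
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed benign sample, not malware\n")
        # The real Medusa/Comebacker binaries are not on disk here, so the
        # sample's own hash is added to the lookup table purely to show a hit.
        lookup = dict(IOC_HASHES)
        lookup[sha256_of_file(sample)] = "constructed test sample"
        file_hits = scan_files([sample], lookup)
    return network_hits, file_hits


if __name__ == "__main__":
    net, files = demo()
    for line, target in net:
        print("NETWORK HIT", target, "<-", line)
    for path, label in files:
        print("FILE HIT", label, "<-", path)
```

On the constructed input the script reports four network hits (both listed IPs, the listed domain, and a subdomain of the second domain) and ignores both the lookalike domain and the IP that merely contains an indicator as a substring. Swap CONSTRUCTED_LOG for real DNS or proxy export lines in the same three-field shape, or adapt LOG_LINE to the local log format, and feed scan_files the paths from a file inventory.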


Read more: https://www.security.com/threat-intelligence/lazarus-medusa-ransomware