North Korean Lazarus Group Now Working With Medusa Ransomware
North Korean state-backed attackers are utilizing Medusa ransomware in their ongoing extortion attacks against the U.S. healthcare sector. The Symantec and Carbon Black Threat Hunter Team discovered evidence of North Korean actors employing Medusa in an attack on a Middle Eastern target and an unsuccessful attempt on a U.S. healthcare organization. Medusa, launched in 2023, operates as a ransomware-as-a-service. The Lazarus sub-group Stonefly has been a key player in North Korean ransomware attacks, using proceeds to fund espionage activities. Despite indictments and rewards, the attacks continue unabated. The current campaign employs various tools, including Comebacker, Blindingcan, ChromeStealer, and RP_Proxy. While the attacks bear similarities to previous Stonefly operations, the exact sub-group responsible remains unclear.
AI Analysis
Technical Summary
The Lazarus Group, a North Korean state-sponsored threat actor, has integrated Medusa ransomware into its extortion campaigns, particularly targeting the U.S. healthcare sector and a Middle Eastern organization. Medusa ransomware, introduced in 2023 as a ransomware-as-a-service (RaaS), allows affiliates to deploy ransomware payloads in exchange for a share of the proceeds. The Stonefly sub-group within Lazarus is known for leveraging ransomware to fund espionage and other malicious operations. The campaign uses a suite of tools including Comebacker (likely a backdoor or persistence mechanism), Blindingcan (a remote access tool), ChromeStealer (credential theft malware targeting browsers), and RP_Proxy (a proxy tool for network obfuscation). These tools facilitate initial access, credential harvesting, lateral movement, and data exfiltration before Medusa ransomware is deployed to encrypt victim data and demand a ransom. The attacks bear similarities to prior Stonefly operations, but the exact sub-group attribution is unclear. The campaign demonstrates tactics, techniques, and procedures (TTPs) consistent with sophisticated state-backed actors, including credential dumping (Mimikatz), privilege escalation, and persistence mechanisms. Although no public exploit is associated with Medusa ransomware itself, the threat is significant because of the critical nature of the targeted sectors and the potential for operational disruption and data compromise. The campaign continues despite international law enforcement efforts, indicating resilience and ongoing funding for North Korean cyber operations.
Potential Impact
This threat poses significant risks to organizations, especially in the healthcare sector, where disruption can directly impact patient care and safety. Successful ransomware deployment can lead to data encryption, operational downtime, and potential data breaches exposing sensitive patient information. The use of credential theft and lateral movement tools increases the likelihood of widespread network compromise, escalating recovery costs and reputational damage. For healthcare providers, this can mean delayed treatments, regulatory penalties, and loss of trust. The extortion component also risks financial loss through ransom payments, which may fund further malicious activities including espionage. The involvement of a state-sponsored actor increases the threat's persistence and sophistication, making mitigation and incident response more challenging. Organizations worldwide with similar infrastructure or geopolitical ties to North Korea may also be at risk, especially those in critical infrastructure sectors.
Mitigation Recommendations
Organizations should implement multi-layered defenses tailored to detect and disrupt the specific TTPs used by Lazarus Group and Medusa ransomware affiliates. This includes deploying endpoint detection and response (EDR) solutions capable of identifying tools such as Comebacker, Blindingcan, and ChromeStealer. Network segmentation and strict access controls can limit lateral movement. Regular credential audits and multi-factor authentication (MFA) reduce the impact of stolen credentials. Monitoring for unusual proxy or network traffic patterns can help detect RP_Proxy usage. Incident response plans should include ransomware-specific playbooks that emphasize rapid isolation and recovery. Organizations must ensure timely patching of vulnerabilities to prevent initial access via exploits, even though no public exploit is associated with Medusa itself. Threat hunting focused on indicators of compromise (IOCs) associated with Lazarus and the Stonefly sub-group is recommended. Sharing threat intelligence with sector-specific Information Sharing and Analysis Centers (ISACs) strengthens collective defense. Finally, offline and tested backups are critical to recovering without paying a ransom.
Affected Countries
United States, South Korea, United Arab Emirates, United Kingdom, Canada, Australia, Germany, Japan, Israel, Saudi Arabia
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.security.com/blog-post/lazarus-medusa-ransomware
- Adversary: Lazarus Group
- Pulse Id: 699d9c44cde3077f50063a24
- Threat Score: null
Threat ID: 699e0e19be58cf853b27f362
Added to database: 2/24/2026, 8:46:17 PM
Last enriched: 2/24/2026, 8:46:56 PM
Last updated: 2/24/2026, 10:20:11 PM