Cyberwire Daily
News

Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks

By Team-CWD | March 4, 2026 | 3 Mins Read


The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.

Broadcom’s threat intelligence division said it also identified the same threat actor mounting an unsuccessful attack against a healthcare organization in the U.S.

Medusa is a ransomware-as-a-service (RaaS) operation run by a cybercrime group known as Spearwing. It emerged in 2023 and has claimed more than 366 attacks to date.

“Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025,” the company said in a report shared with The Hacker News.

“Victims included a non-profit in the mental health sector and an educational facility for autistic children. It is unknown if all these victims were targeted by North Korean operatives or if other Medusa affiliates were responsible for some of these attacks. The average ransom demand in that period was $260,000.”

The use of ransomware by North Korean hacking groups is not without precedent. As far back as 2021, a Lazarus sub-cluster referred to as Andariel (aka Stonefly) was observed striking entities in South Korea, Japan, and the U.S. with bespoke ransomware families like SHATTEREDGLASS, Maui, and H0lyGh0st.

Then, in October 2024, the same crew was linked to a Play ransomware attack, marking its transition from bespoke lockers to an off-the-shelf one for encrypting victim systems and demanding a ransom.

That said, Andariel is not alone in shifting from custom ransomware to an already available variant. Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.

These changes possibly signal a tactical shift among North Korean hacking groups: operating as affiliates of established RaaS programs rather than developing their own tools, the company told The Hacker News.

“The motivation is most likely pragmatism,” Dick O’Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, said. “Why go to the trouble of developing your own ransomware payload when you can use a tried-and-tested threat such as Medusa or Qilin? They may have decided that the benefits outweigh the costs in terms of affiliate fees.”

The Lazarus Group’s Medusa ransomware campaign makes use of several tools:

  • RP_Proxy, a custom proxy utility
  • Mimikatz, a publicly available credential dumping program
  • Comebacker, a custom backdoor exclusively used by the threat actor
  • InfoHook, an information stealer previously identified as used in conjunction with Comebacker
  • BLINDINGCAN (aka AIRDRY or ZetaNile), a remote access trojan
  • ChromeStealer, a tool for extracting stored passwords from the Chrome browser

The activity has not been tied to any specific Lazarus sub-group, although the extortion operations mirror previous Andariel attacks.

“The switch to Medusa demonstrates that North Korea’s rapacious involvement in cybercrime continues unabated,” the company said. “North Korean actors appear to have few scruples about targeting organizations in the U.S. While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained.”


