Medusa Ransomware Attack Campaign
The North Korea-linked threat actor known as Lazarus Group, also tracked as Diamond Sleet and Pompilus, has been observed deploying Medusa ransomware in an attack against an unnamed organization in the Middle East. Security researchers further identified an unsuccessful intrusion attempt by the same actors targeting a healthcare organization in the United States.
Medusa operates under a ransomware-as-a-service (RaaS) model and was launched in 2023 by a cybercrime group identified as Spearwing. Since its emergence, the operation has claimed responsibility for more than 366 attacks. Review of the Medusa leak portal indicates that, beginning in November 2025, four U.S.-based healthcare and nonprofit entities were listed as victims. These included a mental health nonprofit and an educational institution serving autistic children. It remains unclear whether all of these incidents can be directly attributed to North Korean operators or whether other Medusa affiliates were responsible for some of the intrusions. During that same period, the average ransom demand stood at approximately $260,000.
A Pattern of Ransomware Evolution Within North Korean Operations
The use of ransomware by North Korean cyber units is well established. As early as 2021, a Lazarus sub-cluster known as Andariel (also referred to as Stonefly) conducted attacks across South Korea, Japan, and the United States using proprietary ransomware families such as SHATTEREDGLASS, Maui, and H0lyGh0st.
In October 2024, the group was linked to a deployment of Play ransomware, signaling a strategic pivot toward the use of commercially available ransomware rather than exclusively relying on custom-built payloads.
This transition is not isolated to Andariel. Another North Korean threat actor, Moonstone Sleet, previously associated with the custom FakePenny ransomware, was reported to have targeted South Korean financial institutions using Qilin ransomware. Collectively, these developments suggest a broader tactical adjustment in which North Korean operators increasingly function as affiliates within established RaaS ecosystems instead of maintaining wholly proprietary ransomware toolchains.
Operational Toolset Supporting the Medusa Campaign
The Medusa-related activity attributed to Lazarus incorporates a blend of custom-developed malware and publicly available offensive utilities. Observed tooling includes:
- RP_Proxy, a proprietary proxy utility.
- Mimikatz, a credential-dumping tool widely used in post-exploitation activity.
- Comebacker, a Lazarus-exclusive backdoor.
- InfoHook, an information stealer previously linked to Comebacker deployments.
- BLINDINGCAN (also known as AIRDRY or ZetaNile), a remote access trojan.
- ChromeStealer, a utility designed to extract saved credentials from the Chrome browser.
Although the extortion tactics resemble earlier Andariel operations, current activity has not been conclusively attributed to a specific Lazarus sub-group.
Strategic Implications: Pragmatism Over Proprietary Development
The adoption of ransomware variants such as Medusa and Qilin reflects operational pragmatism. Developing and maintaining custom ransomware families requires substantial resources, testing, and infrastructure. Leveraging established RaaS platforms provides immediate access to mature encryption capabilities, operational support, and proven monetization mechanisms. Affiliate fee structures may be viewed as a reasonable trade-off when weighed against development and maintenance costs.
Persistent and Unrestrained Targeting
The shift toward off-the-shelf ransomware further underscores North Korea’s sustained engagement in financially motivated cybercrime. Target selection patterns indicate minimal restraint, with organizations in the United States, including healthcare entities, falling within scope. While some criminal groups publicly claim to avoid healthcare targets to mitigate reputational fallout, no comparable limitation appears evident in Lazarus-linked operations.