The North Korean-linked Lazarus Group (also known as Diamond Sleet and Pompilus) was observed using Medusa ransomware in attacks targeting anonymous organizations in the Middle East, according to a new report by Symantec and the Carbon Black Threat Hunters team.
Broadcom’s threat intelligence division also announced that it has identified a failed attack by the same attackers that is launching attacks against U.S. healthcare organizations. Medusa is a ransomware-as-a-service (RaaS) operation launched in 2023 by the cybercrime group known as Spearwing. The group claims to have carried out over 366 attacks to date.
“Analysis of the Medusa leaked site reveals attacks against four U.S. healthcare organizations and non-profit organizations since early November 2025,” the company said in a report shared with Hacker News.
“Victims included mental health nonprofits and educational facilities for children with autism. It is unclear whether all of these victims were targeted by North Korean operatives or whether other Medusa-related companies were involved in some of these attacks. The average ransom demand at the time was $260,000.”
The use of ransomware by North Korean hacker groups is not unprecedented. Back in 2021, a Lazarus subcluster called Andariel (also known as Stonefly) was observed attacking organizations in South Korea, Japan, and the United States with a bespoke ransomware family including SHATTEREDGLASS, Maui, and H0lyGh0st.
Then, in October 2024, Hacking Team was also found to be responsible for the Play ransomware attack, and began a transition to ready-made lockers that encrypted victims’ systems and demanded a ransom.
That said, Andariel is not the only ransomware to migrate from custom ransomware to already available variants. Last year, Bitdefender revealed that another North Korean threat actor previously tracked as Moonstone Sleet, which dropped a custom ransomware family called FakePenny, likely targeted several South Korean financial companies with Qilin ransomware.
These changes may indicate a tactical shift, with North Korean hacker groups operating as affiliates of existing RaaS groups rather than developing tools, the company told Hacker News.
“The motive is probably pragmatism,” said Dick O’Brien, chief intelligence analyst for Symantec and Carbon Black’s Threat Hunter team. “Why go to the trouble of developing your own ransomware payload when you can use proven threats like Medusa or Qilin? They may have decided that the benefits outweigh the costs in terms of affiliate fees.”
Lazarus Group’s Medusa ransomware campaign includes the use of a variety of tools.
RP_Proxy, the custom proxy utility Mimikatz, the publicly available credential dumping program Comebacker, the custom backdoor InfoHook used exclusively by threat actors, the information stealer BLINDINGCAN (aka AIRDRY or ZetaNile) previously identified to be used in conjunction with Comebacker, the remote access Trojan ChromeStealer, a tool to extract saved passwords from the Chrome browser
Despite the fact that this extortion attack mirrors previous Andariel attacks, this activity is not associated with any specific Lazarus subgroup.
“The switch to Medusa shows that North Korea’s voracious involvement in cybercrime continues unabated,” the company said. “North Korean officials appear to have little hesitation in targeting U.S. organizations. Some cybercrime organizations claim they avoid targeting medical institutions because of the potential reputational damage, but Mr. Lazarus appears to have no restraints.”
Source link
