Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks
Source: The Hacker News
Ravie Lakshmanan
Feb 24, 2026 – Threat Intelligence / Healthcare

The North Korea‑linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.
Broadcom’s threat‑intelligence division also identified the same actors mounting an unsuccessful attack against a U.S. healthcare organization. Medusa is a ransomware‑as‑a‑service (RaaS) operation launched by the cyber‑crime group Spearwing in 2023. The group has claimed more than 366 attacks to date.
“Analysis of the Medusa leak site reveals attacks against four healthcare and non‑profit organizations in the U.S. since the beginning of November 2025,” the company said in a report shared with The Hacker News.
Victims included a non‑profit in the mental‑health sector and an educational facility for autistic children. It is unknown whether all these victims were targeted by North Korean operatives or if other Medusa affiliates were responsible for some of the attacks. The average ransom demand in that period was $260,000.
The use of ransomware by North Korean hacking groups is not without precedent. As far back as 2021, a Lazarus sub‑cluster referred to as Andariel (aka Stonefly) was observed striking entities in South Korea, Japan, and the U.S. with bespoke ransomware families such as SHATTEREDGLASS and Maui.

In October 2024, the crew was also linked to a Play ransomware attack, marking a transition to an off‑the‑shelf locker to encrypt victim systems and demand a ransom.
Andariel is not alone in shifting from custom ransomware to an already‑available variant. Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.
These changes possibly signal a tactical shift among North Korean hacking groups, where they operate as affiliates for established RaaS groups rather than developing their own tools, the company told The Hacker News.

“The motivation is most likely pragmatism,” said Dick O’Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team. “Why go to the trouble of developing your own ransomware payload when you can use a tried‑and‑tested threat such as Medusa or Qilin? They may have decided that the benefits outweigh the costs in terms of affiliate fees.”
Tools used in the Lazarus‑Group Medusa campaign
- RP_Proxy – a custom proxy utility
- Mimikatz – a publicly available credential‑dumping program
- Comebacker – a custom backdoor used exclusively by the threat actor
- InfoHook – an information stealer previously identified in conjunction with Comebacker
- BLINDINGCAN (aka AIRDRY or ZetaNile) – a remote‑access trojan
- ChromeStealer – a tool for extracting stored passwords from the Chrome browser
The activity has not been tied to any specific Lazarus sub‑group, even though the extortion attacks mirror previous Andariel operations.
“The switch to Medusa demonstrates that North Korea’s rapacious involvement in cybercrime continues unabated,” the company said. “North Korean actors appear to have few scruples about targeting organizations in the U.S. While some cyber‑crime outfits claim to steer clear of targeting healthcare organizations due to reputational damage, Lazarus doesn’t seem to be constrained in any way.”