A technical report by Broadcom's Symantec and Carbon Black Threat Hunter Team states that the North Korea-linked Lazarus Group used Medusa ransomware in an attack against an unnamed entity in the Middle East and attempted an unsuccessful strike against a U.S. healthcare organization.
KEY FACTS
- Incident: Lazarus Group deployed Medusa ransomware against an unnamed Middle East entity
- Attempted U.S. strike: An unsuccessful intrusion targeted a U.S. healthcare organization
- Ransomware: Medusa is a RaaS launched by Spearwing in 2023 with hundreds of claimed attacks
- Tools: The campaign used RP_Proxy, Comebacker, InfoHook, BLINDINGCAN, ChromeStealer and Mimikatz
Medusa is a ransomware-as-a-service (RaaS) operation launched by Spearwing in 2023 that has claimed more than 366 attacks.
The campaign combined custom utilities with publicly available tools. Observed tooling includes the RP_Proxy proxy, the Comebacker backdoor, the InfoHook information stealer, the BLINDINGCAN remote access trojan, ChromeStealer and the Mimikatz credential dumper.
The Medusa leak site lists attacks against four U.S. healthcare and nonprofit organizations since November 2025. Reported victims include a mental health nonprofit and an educational facility for autistic children. The average ransom demand in that period was $260,000.
The activity is not tied to a specific Lazarus sub-group, and analysts note a pattern of North Korea-linked actors using off-the-shelf ransomware rather than bespoke families. Motive and full attribution for each Medusa victim remain unclear.
WHY IT MATTERS
The use of established RaaS offerings by state-linked actors can lower operational barriers to large-scale extortion and broaden the range of potential targets. Targeting of healthcare and nonprofit organizations increases the risk of service disruption and reputational harm.