North Korean Lazarus Group Now Working With Medusa Ransomware
Published 24/02/2026 12:40 · Modified 24/02/2026 20:54

Essential information
- Tags: 2026-02-24, blindingcan, chromestealer, comebacker, extortion, healthcare, infohook, medusa, mimikatz, north korea, ransomware, rp_proxy, stonefly
- Related entities: 52 observables, 1 intrusion set (APT), 20 techniques (MITRE), 13 others
Description
North Korean state-backed attackers are utilizing Medusa ransomware in their ongoing extortion attacks against the U.S. healthcare sector. The Symantec and Carbon Black Threat Hunter Team discovered evidence of North Korean actors employing Medusa in an attack on a Middle Eastern target and an unsuccessful attempt on a U.S. healthcare organization. Medusa, launched in 2023, operates as a ransomware-as-a-service. The Lazarus sub-group Stonefly has been a key player in North Korean ransomware attacks, using proceeds to fund espionage activities. Despite indictments and rewards, the attacks continue unabated. The current campaign employs various tools, including Comebacker, Blindingcan, ChromeStealer, and RP_Proxy. While the attacks bear similarities to previous Stonefly operations, the exact sub-group responsible remains unclear.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Observables (52)
- IP addresses (4)
  - 23.27.140.228
  - 23.27.140.135
  - 23.27.124.228
  - 23.27.140.49
- SHA256 file hashes (48)
  - 18049366331a5f0afd54c2ca84e6ed302e81d58a162673715fee865541d53b11
  - 61f3b09bcbae2fc2c98ccac7b2a0becdf5ddb28fe6a8b9c679fd574d58f8ca40
  - 3b8850bad0cb3ebae477b3787844b892bb0e4f7bd9c9e8b507898a726e7e2763
  - df1b9ec31fa4578dee7668207064de7185798801bb032c715aa24cce7e35bcda
  - db98d087d4cdb2a82096df424f86edea8d4730543a2005f43bede9ffc6123791
  - cf5e38d65bef38654080635fcb76890e3e0548626b0598bc8090b18116220389
  - 61c49c8f116cb7118dee613536085cfaa7a59d5f49c36b9ff432be7b8a7f25f0
  - 932b9ec79c782f06b3c8d267af916df41328ddb8235d021ea7f945dc4082d991
  - 416545b9e844d3d924e162951a8ee885f3885e054a196ccdc659fd9d1f1911a6
  - d80daa7b30732b2b71d63a5881a254d12eb0d499a015dc4c98602caa2001d2a3
  - ab3e3a8673ba5da40b325b160a782cf2f03547d9b489e87d9546da35a65d62d6
  - 9cb10407ca3c9e8c1a069ebb4c677d8889117c1bc5206fbf16f47ebb13ef34b9
  - 55cb4a851372237a5ba4bf187e37b0d599f3ffa13ac17464130744614353bd07
  - 313ce75f0f47e2a8fd66120fcbcaa6226fc0c4862b585b8e04850153f97bc4a3
  - a12c84dabaffa868507807c645f7f0769ac848cc575a8c3b42dfb791aa5caeef
  - 16d57ff889aab5b8c8a646da99d5a9335177fb4c158191baa1cf199f0e818d3a
  - 8f6866532abd8400d244d0441be097f8209065ac43d9f864b2a6894f9da2880a
  - c69acc7364da828f098394b1a6907788d4fd379ed2af7d966e86a2becea4c0ad
  - b8a9533a21127ff5005352d41581c5631598704e220120b623fad16e3ec2ae51
  - f0f4423cd8d5ceafb4e4a18014ff4ed8913021d83bc2c3a973a419b9fe466c19
  - 84168ee4e290690985358dfc497b98a22ef279a01179b93ff4e6c9c5e1ee26e4
  - 63432828de42e43ea3715157da5439c40e5c371eefd7c1892b25f396c1018cc8
  - bedada1c52e9bcceff8c6b542d74518afcce66f955ac6f1ab58aa43b3865fe9f
  - bf05b1ace61aeebd251940b40624fe22a345300fc6a53a472357f9586e8e4e57
  - e24e4c949894b08a66b925b6c55f12d1b3c69adc95b79e99a31315e289d193fc
  - ce4fcb97ada09a42c03c3456c5fe09d805948a95efaf365eb1cd2b4e82013990
  - 0842dd5c1f79f313ea08c49d1fb227654c32485b3f413e354dbe47b8a519a120
  - a55bc262c5218c6bdaebcf4618154312ff0540b00c382ab34e805699ce3fcc31
  - fdd4b78aa4e0914f3bcdc2632338ebbd300fdc3f05a3df85a5a3067f97627e45
  - cfe33c6faacc824fcb475d450d6ba19316884fad4c85f563a330a86d03ecff0c
  - 3e3e0519a154266da1558e324c9097e7c39ccf88f323f2f932f204871d1b91cb
  - 202b03d788df6a9d22bbd2cbc01ba9c7b4a9caad0f78a4d420f8c2c30171a08d
  - bf27c5e2591febe90e52cd99231526a342bc423000fe87cce44ef1c3acaeeab5
  - 918e2a5a01fdb0ad462b0242e4f23d51111031052a1ebd6a32d22be9cbd8dfb8
  - 60aaf6c01ba0c15b78902fd4be12c7e5f2323ade8f9db7e9fbbb9ec0c2afc8ba
  - a957b5dd5f555be8431df3f35b707c149b83436d19cc3f8bbd867317a6f624b1
  - a670d8818a6efe2919c18c740ef4f3478551b28481d0a1591539be45ceca2171
  - 60b942bbdac625300eeb11cccba5ed44f376634f73d3bc01a17e7a758c570a8e
  - 6428ef885c54b8154bd86a5d849fb8cc8c04f39e72188117119b9e2832b99ee6
  - 6ad1a57ce20b422b77bab84a8daebf4e7262543742b2fdcbcacde3f7780d9046
  - 4a702c784eb997a170bea81778a770a86e61c759ff95ca0ad958ceca55c20c7b
  - 52293b53ca5209bc49f009288cf6fc80c9f787c9c735cc06e7dc6fc9fcdaf61d
  - 35a11a68b0ce862bdc7450735237e56cf70156870b0527ec624f0a57076c09c7
  - 7a22880780c74b212e36ebb871af4af26a620326c456cf96a3dfb1481ee436cc
  - 6ba46c392bdc330ceef2aeb984c63c89d673a090dd68d3258e4aa7e20e5c098d
  - 7530323c3976687a329e06bb7b7f95017f2cfd408f6a5261cb2f0c6b6f18f081
  - b42345567556a01d34daf262f95fdeb02f259271afbea93fb684b9656d14e568
  - 15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10
Intrusion sets (APT) (1)
- Lazarus Group (source: The MITRE Corporation, confidence 100)
  - [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber …
  - Entity published 16/12/2025 19:39 · Modified 27/03/2026 01:13
Techniques (MITRE) (20)
- Process Discovery
- OS Credential Dumping
- Valid Accounts
- Network Denial of Service
- Brute Force
- Domain Accounts
- Process Injection
- Phishing
- System Network Configuration Discovery
- Subvert Trust Controls
- Data Encrypted for Impact
- Remote System Discovery
- Create or Modify System Process
- Obfuscated Files or Information
- Exploit Public-Facing Application
- Create Account
- External Remote Services
- Remote Services
- File and Directory Discovery
- System Information Discovery
Others (13)
- United States of America
- Software
- Defense
- Healthcare
- Government
- markethubuk.com
- illycoffee.my
- amazonfiso.com
- trustpdfs.com
- zypras.com
- human-check.com
- illycafe.my
- sictradingc.com