Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks

The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team. Broadcom's threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organization in the U.S.

Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The group has claimed more than 366 attacks to date. "Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025," the company said in a report shared with The Hacker News.
Article Summaries:
- North‑Korean hackers linked to the Lazarus Group have begun using the Medusa ransomware‑as‑a‑service platform in new attacks. A Symantec/Carbon Black report notes an unnamed Middle Eastern target and an unsuccessful attempt on a U.S. healthcare organization. Medusa, launched by Spearwing in 2023, has already been deployed in over 366 incidents, including recent attacks on U.S. healthcare and non‑profit entities with an average ransom demand of $260,000. The shift to off‑the‑shelf ransomware, rather than custom tools, suggests a pragmatic move toward established RaaS affiliates. The campaign also employs a mix of credential‑dumping and backdoor utilities such as Mimikatz, Comebacker, and ChromeStealer.
- North Korea‑linked Lazarus Group has shifted to using the Medusa ransomware‑as‑a‑service platform in recent attacks. According to Symantec and Carbon Black, the group targeted an unnamed Middle Eastern entity and attempted a breach of a U.S. healthcare organization, though the latter was unsuccessful. Medusa, launched by Spearwing in 2023, has been used in over 366 attacks, with recent U.S. incidents against four healthcare and nonprofit organizations demanding an average $260,000 ransom. The campaign also employed tools such as RP_Proxy, Mimikatz, and ChromeStealer. Analysts view the move as a pragmatic shift to established RaaS rather than developing custom malware.
Sources:
- https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html (Latest source article published: 2026-02-24 11:52 UTC)