{"id":43883,"date":"2026-02-24T17:54:27","date_gmt":"2026-02-24T09:54:27","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/24\/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks\/"},"modified":"2026-02-24T17:54:27","modified_gmt":"2026-02-24T09:54:27","slug":"north-korean-lazarus-group-linked-to-medusa-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/24\/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks\/","title":{"rendered":"North Korean Lazarus group linked to Medusa ransomware attacks"},"content":{"rendered":"\n<p style=\"text-align:center\"><img loading=\"lazy\" decoding=\"async\" height=\"900\" src=\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2022\/05\/03\/North_Korea.jpg\" width=\"1600\" alt=\"North Korean Lazarus group linked to Medusa ransomware attacks\"><\/p>\n<p>North Korean state-backed hackers associated with the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware.<\/p>\n<p>The Medusa ransomware-as-a-service (RaaS) operation&nbsp;emerged in January 2021, and by February 2025, it <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-medusa-ransomware-hit-over-300-critical-infrastructure-orgs\/\" target=\"_blank\" rel=\"nofollow noopener\">impacted over 300 organizations<\/a> in various critical infrastructure sectors. 
Since then, the gang has claimed at least another 80 victims.<\/p>\n<p>North Korean threat actors have previously been linked to other ransomware strains such as <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-links-holy-ghost-ransomware-operation-to-north-korean-hackers\/\" target=\"_blank\" rel=\"nofollow noopener\">HolyGhost<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/north-korean-govt-hackers-linked-to-play-ransomware-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">PLAY<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/maui-ransomware-operation-linked-to-north-korean-andariel-hackers\/\" target=\"_blank\" rel=\"nofollow noopener\">Maui<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-north-korean-hackers-now-deploying-qilin-ransomware\/\" target=\"_blank\" rel=\"nofollow noopener\">Qilin<\/a>, as well as&nbsp;<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-ransomware-strains-linked-to-north-korean-govt-hackers\/\" target=\"_blank\" rel=\"nofollow noopener\">other malware families<\/a>. 
However, this is the first time security researchers have&nbsp;associated the actor with&nbsp;Medusa.<\/p>\n<p>In a report today, enterprise cybersecurity company Symantec says that a Lazarus subgroup, possibly Andariel\/Stonefly,&nbsp;is&nbsp;now using Medusa in financially-motivated cyberattacks targeting U.S. 
healthcare providers.<\/p>\n<p>According to the researchers, the toolset used in these attacks also shows some association with Diamond Sleet, another North Korean group that typically targets media, defense, and IT industries.<\/p>\n<p>However, some of the utilities seen in the Medusa ransomware attacks are commodity tools:<\/p>\n<ul>\n<li>Comebacker &ndash; Diamond Sleet-linked backdoor\/loader<\/li>\n<li>Blindingcan &ndash; Remote access trojan<\/li>\n<li>ChromeStealer &ndash; Chrome credential extractor<\/li>\n<li>Infohook &ndash; Information stealer<\/li>\n<li>Mimikatz &ndash; Credential dumping tool<\/li>\n<li>RP_Proxy &ndash; Custom proxy tool<\/li>\n<li>Curl &ndash; Data transfer tool<\/li>\n<\/ul>\n<p>The researchers comment that no sectors are off-limits for North Korean hackers, who keep getting involved in cybercrime for financial gain.<\/p>\n<p>&ldquo;While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the&nbsp;reputational damage it may attract, Lazarus doesn&rsquo;t seem to be in any way constrained,&rdquo; Symantec researchers say.<\/p>\n<p>Medusa targeted multiple healthcare and non-profit organizations in the U.S., as the gang&#8217;s data leak site lists four such victims since the beginning of November 2025, among them an educational facility for autistic children.<\/p>\n<p>Not all these Medusa attacks can be confidently attributed to Lazarus hackers, though. 
Medusa can demand ransoms as large as $15 million, but Symantec researchers say that the average is around $260,000.<\/p>\n<p>Stolen funds are used to support espionage operations against entities in the defense, technology, and government sectors in the U.S., Taiwan, and South Korea.<\/p>\n<p>Symantec has provided a set of indicators of compromise (IoCs) in its report, which include network infrastructure data and hashes for the malware used in attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean state-backed hackers associated with the L [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[],"class_list":["post-43883","post","type-post","status-publish","format-standard","hentry","category--bleepingcomputer"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=43883"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43883\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=43883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=43883"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=43883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}