Lazarus APT group deployed Medusa Ransomware against Middle East target

North Korea’s Lazarus Group used Medusa ransomware in an attack on an unnamed Middle East organization, researchers report.

The North Korea-linked Lazarus APT Group, also known as Diamond Sleet and Pompilus, has been spotted deploying Medusa ransomware against an unnamed organization in the Middle East, according to a new report from the Symantec and Carbon Black Threat Hunter Team.

“North Korea has long been involved in ransomware attacks and has been previously associated with the Maui and Play ransomware families. However, the Symantec and Carbon Black Threat Hunter Team has uncovered evidence of North Korean actors using Medusa in an attack on a target in the Middle East,” reads the report published by the Symantec and Carbon Black Threat Hunter Team. “The same attackers also mounted an unsuccessful attack against a healthcare organization in the U.S.”

Medusa, a ransomware-as-a-service launched in 2023 and operated by the group Symantec tracks as Spearwing, lets affiliates deploy the malware in exchange for a share of ransom payments. The operation has been linked to more than 366 claimed attacks. Since early November 2025, its leak site has listed four U.S. healthcare and non-profit victims, including a mental health nonprofit and a school for autistic children. Average ransom demands have reached $260,000.

North Korea’s Lazarus subgroup Stonefly (aka Andariel) has shifted from traditional espionage to ransomware-driven extortion in recent years. Its role became public in July 2024, when U.S. authorities indicted alleged member Rim Jong Hyok over attacks on American hospitals. Prosecutors said ransomware proceeds funded espionage targeting defense, tech, and government sectors in the U.S., Taiwan, and South Korea. Despite the charges and a $10 million reward for information on Rim, the activity continued, including financially motivated intrusions in 2024 and reported collaboration with the Play ransomware group.

In current campaigns, Lazarus deploys tools such as Comebacker, Blindingcan, ChromeStealer, Mimikatz, and other custom malware. While the Medusa attacks are attributed to Lazarus, it remains unclear which subgroup is responsible, because the toolset observed in these intrusions is shared with other North Korean subgroups Symantec tracks, such as Pompilus, rather than being unique to Stonefly.

“The switch to Medusa demonstrates that North Korea’s rapacious involvement in cybercrime continues unabated,” concludes the report, which also provides Indicators of Compromise (IoCs). “North Korean actors appear to have few scruples about targeting organizations in the U.S. While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained.”

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus Group)