The North Korea-linked Lazarus Group has been observed deploying Medusa ransomware in attacks targeting an unnamed organization in the Middle East and attempting to compromise a healthcare entity in the United States, according to a new report from Broadcom's Symantec and Carbon Black Threat Hunter Team. The findings indicate a continuing evolution in the threat actor's operational tactics, including the adoption of ransomware-as-a-service (RaaS) platforms that were originally developed by financially motivated cybercrime groups.
Lazarus Group, also tracked as Diamond Sleet and Pompilus, was identified as leveraging Medusa, a RaaS operation launched in 2023 by a cybercrime group known as Spearwing. Spearwing has publicly claimed responsibility for more than 366 attacks to date. Analysis of the Medusa leak site revealed four attacks targeting healthcare and non-profit organizations in the United States since early November 2025. Victims included a mental-health-focused non-profit organization and an educational institution serving autistic children. Researchers noted that it remains unclear whether all of these incidents were directly orchestrated by North Korean operators or carried out by other Medusa affiliates. During this period, the average ransom demand was approximately $260,000. Broadcom's threat intelligence team shared the findings with The Hacker News, underscoring concerns about the continued targeting of sensitive sectors.
The use of ransomware by North Korean actors is not new. As early as 2021, a Lazarus sub-cluster known as Andariel, also referred to as Stonefly, targeted organizations in South Korea, Japan, and the United States using custom-built ransomware families such as SHATTEREDGLASS, Maui, and H0lyGh0st. In October 2024, the group was also linked to a Play ransomware incident, reflecting a move toward off-the-shelf encryption tools rather than exclusive reliance on internally developed malware. A similar pattern was observed in activity attributed to Moonstone Sleet, another North Korean threat actor previously associated with a custom ransomware strain called FakePenny. Research by Bitdefender suggested that Moonstone Sleet later adopted Qilin ransomware in attacks against South Korean financial institutions. These developments suggest that certain North Korean groups may be operating as affiliates within established ransomware ecosystems rather than investing resources in developing proprietary encryption payloads.
The Medusa campaign attributed to Lazarus involved a combination of custom and publicly available tools: RP Proxy, a proprietary proxy utility; Mimikatz for credential dumping; the Comebacker backdoor; the InfoHook information stealer; the BLINDINGCAN remote access trojan; and ChromeStealer for extracting stored browser credentials. Although the activity has not been formally linked to a specific Lazarus sub-group, researchers observed similarities to previous Andariel operations. Analysts believe the shift toward RaaS reflects a pragmatic calculation: established platforms such as Medusa or Qilin provide tested infrastructure and monetization channels without the overhead of building new systems. Security experts note that North Korean operators continue to target a broad range of sectors, including healthcare, despite reputational concerns that sometimes deter other cybercrime groups. The findings highlight the ongoing risks posed by state-linked actors engaging in financially motivated cyber operations across global regions.