Lazarus-linked activity using Medusa ransomware

Summary: Symantec links Lazarus tooling to Medusa RaaS extortion activity observed in the Middle East and against a U.S. healthcare target.


1. Executive Summary

Broadcom/Symantec’s Threat Hunter Team reported North Korea-linked Lazarus activity using the Medusa ransomware, including a Medusa deployment observed against a Middle East target and an unsuccessful intrusion against a U.S. healthcare organisation. (security.com) The same reporting notes Medusa is operated as a ransomware-as-a-service (RaaS) and that Medusa’s leak site shows multiple healthcare and non-profit victims in the U.S. since early November 2025, with an average demand of $260,000 in that period. (security.com)

Separately, a joint FBI/CISA/MS-ISAC #StopRansomware advisory describes Medusa tradecraft observed through February 2025, including affiliate recruitment, exploitation of public-facing applications, credential theft with Mimikatz, lateral deployment via PDQ Deploy and PsExec, data exfiltration using Rclone, and encryption using an encryptor commonly referred to as gaze.exe. (ic3.gov)


2. Contextual Background

2.1 Nature of the threat

Medusa is a double-extortion RaaS ecosystem: affiliates and/or operators steal data, encrypt systems, and apply pressure via a leak site and negotiation channels. (ic3.gov) Symantec tracks Medusa operations under the actor name Spearwing and assessed in March 2025 that Medusa attacks increased 42% from 2023 to 2024, with ransom demands ranging from $100,000 to $15 million. (security.com)

CISA’s Medusa advisory states the variant was first identified in June 2021 (distinct from MedusaLocker and unrelated mobile malware of the same name). (ic3.gov) Symantec’s reporting focuses on Spearwing’s activity since early 2023 and Medusa’s RaaS operations in that period. (security.com)

2.2 Threat-actor attribution

Lazarus involvement: Confirmed. Symantec assessed the Medusa activity it observed was “undoubtedly” the work of Lazarus, based in part on Lazarus-linked tooling (notably the exclusive backdoor/loader Comebacker), while noting uncertainty on which Lazarus sub-group conducted the operation. (security.com)

Sub-group attribution: Possible. Symantec highlighted similarities to prior Stonefly / Andariel extortion targeting patterns (notably healthcare) but cautioned that some observed tooling is not exclusive to Stonefly. (security.com) U.S. government reporting has described Andariel (RGB 3rd Bureau) as funding espionage via ransomware operations against U.S. healthcare entities. (U.S. Department of War)

Tooling overlap note: Symantec also noted Comebacker has been associated in public reporting with Microsoft-tracked Diamond Sleet (also known as ZINC in older Microsoft nomenclature), contributing to ambiguity about the precise Lazarus cluster involved. (security.com)

2.3 Sector and geographic targeting

Symantec’s report describes a Medusa incident affecting a Middle East target and an attempted intrusion against a U.S. healthcare organisation; it also notes that Medusa’s leak site listed U.S. healthcare and non-profit victims since early November 2025, though it is unknown which of those are attributable to North Korean operators versus other affiliates. (security.com)

CISA’s Medusa advisory highlights broad targeting across sectors, including medical, education, legal, insurance, technology, and manufacturing, with over 300 victims as of February 2025. (ic3.gov)


3. Technical Analysis

3.1 Reported tooling and tradecraft

Symantec reported Lazarus-linked tooling used in the observed Medusa-related activity, including:

  • Comebacker backdoor/loader (Lazarus-linked). (security.com)
  • Blindingcan RAT (Lazarus-linked). (security.com)
  • ChromeStealer credential theft from Chrome. (security.com)
  • Mimikatz for credential dumping. (security.com)
  • RP_Proxy (custom proxy tooling). (security.com)
  • curl and other tooling consistent with staging/transfer and info theft (Infohook). (security.com)

CISA’s Medusa advisory provides additional detail on common Medusa affiliate/operator techniques, including:

  • Initial access via phishing and exploitation of public-facing applications, including references to CVE-2024-1709 (ConnectWise ScreenConnect) and CVE-2023-48788 (Fortinet FortiClientEMS). (ic3.gov)
  • Discovery using tools such as Advanced IP Scanner and SoftPerfect Network Scanner, plus native enumeration via PowerShell and cmd.exe. (ic3.gov)
  • Lateral movement and deployment via PDQ Deploy, BigFix, and PsExec; encryption by gaze.exe; exfiltration via Rclone; deletion of shadow copies and service termination for impact. (ic3.gov)

3.2 Exploitation status

Symantec’s publication (24 February 2026) documents observed Lazarus activity using Medusa in at least one case (Middle East) and an attempted case (U.S. healthcare). (security.com) CISA’s Medusa advisory confirms ongoing Medusa operations through February 2025 and details the operational workflow for exfiltration and encryption. (ic3.gov)

For commonly referenced initial-access vulnerabilities in Medusa intrusions:

  • CVE-2024-1709 (ConnectWise ScreenConnect): ConnectWise advised updating self-hosted instances to 23.9.8+ (or an interim eligible version) to remediate the issue. (ConnectWise) NVD describes the issue as an authentication bypass affecting ScreenConnect 23.9.7 and prior, with a CNA-provided CVSS v3.1 vector indicating critical severity. (NVD)
  • CVE-2023-48788 (Fortinet FortiClientEMS): NVD describes a SQL injection affecting FortiClientEMS versions (7.0.1–7.0.10 and 7.2.0–7.2.2), with a CNA CVSS v3.1 base score of 9.8 and an NVD note that it appears in CISA’s Known Exploited Vulnerabilities catalogue. (NVD) Fortinet’s PSIRT advisory for CVE-2023-48788 is published under FG-IR-24-007. (fortiguard.com)

4. Impact Assessment

4.1 Severity and scope

Symantec’s review of Medusa leak-site postings since early November 2025 identified multiple U.S. healthcare and non-profit victims with an average ransom demand of $260,000 (attribution to Lazarus not confirmed for all cases). (security.com) Symantec also reports ransom demands in Medusa incidents ranging from $100,000 to $15 million. (security.com)

CISA’s advisory describes double extortion and notes that victims can face additional pressure mechanisms, including leak-site countdowns and data sale advertising. (ic3.gov)

4.2 Victim profile

The Lazarus-linked activity described by Symantec includes a Middle East organisation and a U.S. healthcare target, while leak-site analysis indicates additional U.S. healthcare and non-profit victims. (security.com) Broader Medusa victimology spans multiple critical infrastructure-adjacent sectors. (ic3.gov)


5. Indicators of Compromise (IOCs)

5.1 IOC table

Type | Value | Context/Notes | Source
SHA-256 | 15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10 | Medusa ransomware sample | Symantec (security.com)
SHA-256 | 0842dd5c1f79f313ea08c49d1fb227654c32485b3f413e354dbe47b8a519a120 | Comebacker | Symantec (security.com)
SHA-256 | 60b942bbdac625300eeb11cccba5ed44f376634f73d3bc01a17e7a758c570a8e | Comebacker loader | Symantec (security.com)
SHA-256 | 3e3e0519a154266da1558e324c9097e7c39ccf88f323f2f932f204871d1b91cb | RP_Proxy | Symantec (security.com)
SHA-256 | db98d087d4cdb2a82096df424f86edea8d4730543a2005f43bede9ffc6123791 | Mimikatz | Symantec (security.com)
SHA-256 | e24e4c949894b08a66b925b6c55f12d1b3c69adc95b79e99a31315e289d193fc | ChromeStealer | Symantec (security.com)
IPv4 | 23.27.140[.]49 | Network indicator | Symantec (security.com)
IPv4 | 23.27.140[.]135 | Network indicator | Symantec (security.com)
IPv4 | 23.27.140[.]228 | Network indicator | Symantec (security.com)
IPv4 | 23.27.124[.]228 | Network indicator | Symantec (security.com)
Domain | amazonfiso[.]com | Network indicator | Symantec (security.com)
Domain | human-check[.]com | Network indicator | Symantec (security.com)
Domain | illycoffee[.]my | Network indicator | Symantec (security.com)
Domain | illycafe[.]my | Network indicator | Symantec (security.com)
Domain | markethubuk[.]com | Network indicator | Symantec (security.com)
Domain | sictradingc[.]com | Network indicator | Symantec (security.com)
Domain | trustpdfs[.]com | Network indicator | Symantec (security.com)
Domain | zypras[.]com | Network indicator | Symantec (security.com)
File name | !!!READ_ME_MEDUSA!!!.txt | Ransom note (hash redacted in advisory) | FBI/CISA/MS-ISAC (ic3.gov)
MD5 | 44370f5c977e415981febf7dbb87a85c | openrdp.bat (enables inbound RDP and remote WMI per advisory) | FBI/CISA/MS-ISAC (ic3.gov)
MD5 | 80d852cd199ac923205b61658a9ec5bc | pu.exe reverse shell | FBI/CISA/MS-ISAC (ic3.gov)
Email | [email protected] | Ransom negotiation address | FBI/CISA/MS-ISAC (ic3.gov)
Email | [email protected] | Ransom negotiation address | FBI/CISA/MS-ISAC (ic3.gov)
Email | [email protected] | Ransom negotiation address | FBI/CISA/MS-ISAC (ic3.gov)
Email | [email protected] | Ransom negotiation address | FBI/CISA/MS-ISAC (ic3.gov)
Email | [email protected] | Ransom negotiation address | FBI/CISA/MS-ISAC (ic3.gov)
File path | csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec gaze.exe | Common deployment path observed by Symantec (Medusa encryptor) | Symantec (security.com)
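The network and hash indicators above are published defanged ("[.]"), so they have to be refanged before they can be compared with live telemetry. The script below is an added example (it is not Symantec's or CISA's code): it loads the table's indicators, refangs them, and scans a handful of constructed proxy, DNS and EDR log lines. The log lines and hostnames are made up for the demonstration; the indicator values are the ones in the table.

```python
"""Load the indicators from the IOC table above, refang them, and match them
against sample telemetry.  Added example (not Symantec's or CISA's code);
the indicators are the page's, the log lines below are constructed."""
import re

# Indicators as published (defanged with [.]); hashes are copied from the table.
DEFANGED_IOCS = {
    "ipv4": ["23.27.140[.]49", "23.27.140[.]135", "23.27.140[.]228", "23.27.124[.]228"],
    "domain": ["amazonfiso[.]com", "human-check[.]com", "illycoffee[.]my", "illycafe[.]my",
               "markethubuk[.]com", "sictradingc[.]com", "trustpdfs[.]com", "zypras[.]com"],
    "sha256": [
        "15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10",  # Medusa sample
        "0842dd5c1f79f313ea08c49d1fb227654c32485b3f413e354dbe47b8a519a120",  # Comebacker
        "60b942bbdac625300eeb11cccba5ed44f376634f73d3bc01a17e7a758c570a8e",  # Comebacker loader
        "3e3e0519a154266da1558e324c9097e7c39ccf88f323f2f932f204871d1b91cb",  # RP_Proxy
        "db98d087d4cdb2a82096df424f86edea8d4730543a2005f43bede9ffc6123791",  # Mimikatz
        "e24e4c949894b08a66b925b6c55f12d1b3c69adc95b79e99a31315e289d193fc",  # ChromeStealer
    ],
    "md5": [
        "44370f5c977e415981febf7dbb87a85c",  # openrdp.bat
        "80d852cd199ac923205b61658a9ec5bc",  # pu.exe
    ],
}


def refang(indicator: str) -> str:
    """Reverse the usual defanging so the value can be compared with live telemetry."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("[:]", ":").replace("hxxp", "http").lower())


def build_index(defanged=DEFANGED_IOCS) -> dict:
    """Map each refanged indicator to its type for constant-time lookup."""
    return {refang(v): kind for kind, values in defanged.items() for v in values}


# Tokens that can carry an IP, hostname or hash; ':' and '=' act as separators.
TOKEN_RE = re.compile(r"[A-Za-z0-9._-]+")


def scan_line(line: str, index: dict) -> list:
    """Return de-duplicated (type, indicator) hits for one log line.  IPs and
    hashes match exactly; domains also match their subdomains, which is why
    the domain check is suffix-based rather than a substring search."""
    domains = [k for k, kind in index.items() if kind == "domain"]
    hits, seen = [], set()
    for tok in TOKEN_RE.findall(line.lower()):
        tok = tok.strip(".")
        hit = (index[tok], tok) if tok in index else None
        if hit is None:
            hit = next((("domain", d) for d in domains if tok.endswith("." + d)), None)
        if hit and hit not in seen:
            seen.add(hit)
            hits.append(hit)
    return hits


# Constructed sample telemetry (proxy, DNS and EDR hash events) for the demo.
SAMPLE_LOGS = [
    "2026-02-25T10:14:03Z proxy src=10.0.8.21 dst=23.27.140.49:443 action=allow",
    "2026-02-25T10:14:09Z dns client=10.0.8.21 query=cdn.zypras.com type=A",
    "2026-02-25T10:15:40Z edr host=WS-0421 event=file_create "
    "sha256=60b942bbdac625300eeb11cccba5ed44f376634f73d3bc01a17e7a758c570a8e",
    "2026-02-25T10:16:00Z dns client=10.0.8.22 query=update.example.org type=A",
]


def scan_logs(lines, defanged=DEFANGED_IOCS) -> list:
    """Return (line_number, hits) for every line matching at least one indicator."""
    index = build_index(defanged)
    out = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, index)
        if hits:
            out.append((n, hits))
    return out


if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(n, hits)
```

The tokeniser deliberately treats ":" and "=" as separators so that "dst=23.27.140.49:443" yields the bare address, and the domain check is a suffix match so a subdomain of a listed domain is still caught without the false positives a plain substring search would produce. The same index can be fed to a SIEM lookup table once the refanged values are written out.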

5.2 Detection guidance

High-signal detections aligned to published tradecraft include:

  • PDQ Deploy / PDQDeployRunner service creation and suspicious child processes, as Medusa actors have used PDQ Deploy to deploy gaze.exe. (ic3.gov)
  • PsExec command lines invoking gaze.exe, including remote copy-and-execute patterns shown in the advisory’s command appendix. (ic3.gov)
  • PowerShell history clearing and obfuscated PowerShell, consistent with Medusa defence evasion described by FBI/CISA/MS-ISAC. (ic3.gov)
  • Credential dumping indicators, including PowerShell script-block artefacts consistent with Invoke-Mimikatz patterns. (ic3.gov)
  • Rclone usage for bulk outbound transfers to cloud storage, consistent with the advisory’s exfiltration description. (ic3.gov)
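To make the five detection ideas above concrete, the following added example (not part of the Symantec report or the FBI/CISA/MS-ISAC advisory) encodes each one as a rule over process-creation events with Sysmon Event ID 1 style fields and runs them against constructed sample events. The PDQ child-process allowlist, the PDQDeployRunner-1.exe parent name, the regexes and every sample event are illustrative assumptions; only the tool names (PDQ Deploy, PsExec, gaze.exe, Invoke-Mimikatz, Rclone) come from the page.

```python
"""Behavioural detections for the Medusa deployment tradecraft listed above,
run over constructed process-creation events (Sysmon Event ID 1 style fields).
Added example: the rules, the PDQ child allowlist and the sample events are
illustrative assumptions, not content of the Symantec report or the advisory."""
import base64
import ntpath
import re

# Assumed: installers an organisation legitimately pushes through PDQ Deploy.
PDQ_EXPECTED_CHILDREN = {"msiexec.exe", "setup.exe"}

# -EncodedCommand and its accepted short forms, followed by a base64 blob.
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})", re.I)


def basename(path):
    return ntpath.basename(path or "").lower()


def effective_cmdline(ev):
    """Command line plus the decoded -EncodedCommand payload, if present, so
    patterns hidden behind base64 are still visible to the rules."""
    cmd = ev.get("CommandLine") or ""
    m = ENCODED_RE.search(cmd)
    if m:
        try:
            cmd += " " + base64.b64decode(m.group(2)).decode("utf-16le", "ignore")
        except ValueError:
            pass
    return cmd


def rule_pdq_unexpected_child(ev):
    """Process spawned under the PDQDeployRunner service tree that is not an
    expected installer; the gaze.exe path in the IOC table sits in that tree."""
    parent = (ev.get("ParentImage") or "").lower()
    return "\\pdqdeployrunner\\" in parent and basename(ev.get("Image")) not in PDQ_EXPECTED_CHILDREN


def rule_psexec_gaze(ev):
    """PsExec launching gaze.exe (-c is PsExec's copy-then-execute switch)."""
    cmd = effective_cmdline(ev).lower()
    is_psexec = basename(ev.get("Image")) in {"psexec.exe", "psexec64.exe"} or "psexec" in cmd
    return is_psexec and "gaze.exe" in cmd


def rule_ps_history_or_encoded(ev):
    """PowerShell clearing its own history or running an encoded command."""
    if basename(ev.get("Image")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = ev.get("CommandLine") or ""
    return bool(re.search(r"clear-history|consolehost_history|historysavepath", cmd, re.I)
                or ENCODED_RE.search(cmd))


def rule_mimikatz(ev):
    """Invoke-Mimikatz or a Mimikatz module name in the (decoded) command line."""
    cmd = effective_cmdline(ev).lower()
    return "invoke-mimikatz" in cmd or "sekurlsa::" in cmd


def rule_rclone_remote(ev):
    """rclone copy/sync/move whose destination is a configured remote
    ('name:path'); OriginalFileName catches a renamed binary."""
    names = {basename(ev.get("Image")), (ev.get("OriginalFileName") or "").lower()}
    if "rclone.exe" not in names:
        return False
    m = re.search(r"\b(copy|sync|move)\b\s+\S+\s+(\S+)", ev.get("CommandLine") or "", re.I)
    return bool(m and re.match(r"^[A-Za-z0-9_-]+:", m.group(2))
                and not re.match(r"^[A-Za-z]:\\", m.group(2)))   # exclude drive letters


RULES = [
    ("PDQ_UNEXPECTED_CHILD", rule_pdq_unexpected_child),
    ("PSEXEC_GAZE", rule_psexec_gaze),
    ("PS_HISTORY_OR_ENCODED", rule_ps_history_or_encoded),
    ("MIMIKATZ_PATTERN", rule_mimikatz),
    ("RCLONE_REMOTE_TRANSFER", rule_rclone_remote),
]


def evaluate(events):
    """Return (rule_name, EventId) for every rule that fires on every event."""
    return [(name, ev["EventId"]) for ev in events for name, fn in RULES if fn(ev)]


# Constructed sample events; the PDQDeployRunner-1.exe parent name is an assumption.
_ENC = base64.b64encode("Invoke-Mimikatz -DumpCreds".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\gaze.exe",
     "ParentImage": r"C:\Windows\AdminArsenal\PDQDeployRunner\PDQDeployRunner-1.exe",
     "CommandLine": "gaze.exe"},
    {"EventId": 2, "Image": r"C:\Tools\PsExec64.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec64.exe \\FS01 -c -f -d C:\temp\gaze.exe"},
    {"EventId": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -nop -c "Remove-Item (Get-PSReadlineOption).HistorySavePath"'},
    {"EventId": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"EventId": 5, "Image": r"C:\Users\svc_backup\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"svchost.exe copy D:\Finance remotebackup:dump --transfers 16"},
    {"EventId": 6, "Image": r"C:\Windows\System32\msiexec.exe",   # benign PDQ push
     "ParentImage": r"C:\Windows\AdminArsenal\PDQDeployRunner\PDQDeployRunner-1.exe",
     "CommandLine": "msiexec.exe /i app.msi /qn"},
]

if __name__ == "__main__":
    for name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {name}")
```

Two design points matter in practice: the encoded-command payload is decoded before the credential-dumping rule runs, so an `Invoke-Mimikatz` hidden in base64 still fires; and the Rclone rule keys on the PE `OriginalFileName` field as well as the image name, because a renamed binary (event 5) otherwise passes as an ordinary process. The PDQ rule is an allowlist, not a blocklist, so anything unusual pushed through the deployment runner surfaces even if it is not named gaze.exe.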

6. Incident Response Guidance

6.1 Containment, eradication, and recovery steps

CISA/FBI/MS-ISAC recommend prioritising rapid isolation of affected systems, restricting lateral movement via segmentation, filtering remote service exposure, and ensuring timely patching of exposed services to reduce Medusa intrusion paths. (ic3.gov) Where Medusa-like deployment tooling is observed (PDQ Deploy, PsExec), restrict access to deployment tooling to approved admin tiers and invalidate credentials associated with remote execution activity. (ic3.gov)

6.2 Forensic artefacts to collect and preserve

Preserve: EDR telemetry for process creation (notably PDQDeployRunner, PsExec, gaze.exe), Windows Security logs for remote logons and account creation, PowerShell operational logs, RMM tool logs (where present), and outbound transfer logs (proxy/firewall/DNS) for Rclone and suspicious infrastructure. (ic3.gov)

6.3 Lessons learned and preventive recommendations

Medusa operations commonly combine credential theft, remote execution, and security-control impairment prior to encryption; response plans should treat credential containment and remote deployment tooling control as priority actions to prevent rapid enterprise-wide impact. (ic3.gov)


7. Threat Intelligence Contextualisation

7.1 Comparison with related DPRK extortion activity

U.S. government reporting has previously attributed Maui ransomware use against the healthcare sector to North Korean state-sponsored actors (since at least May 2021). Symantec’s February 2026 reporting suggests a shift in at least some DPRK-linked activity away from bespoke ransomware (e.g., Maui) towards the use of established RaaS ecosystems (Medusa), which can complicate attribution because affiliate ecosystems may blend multiple actor sets. (security.com)

7.2 MITRE ATT&CK mapping

Tactic | Technique ID | Technique Name | Observed behaviour
Initial Access | T1566 | Phishing | Medusa affiliates use phishing as a credential/access mechanism. (ic3.gov)
Initial Access | T1190 | Exploit Public-Facing Application | Medusa actors exploited unpatched public-facing software; advisory references CVE-2024-1709 and CVE-2023-48788. (ic3.gov)
Execution | T1059.001 | PowerShell | Used for ingress and enumeration in Medusa intrusions. (ic3.gov)
Execution | T1059.003 | Windows Command Shell | Used for ingress and enumeration in Medusa intrusions. (ic3.gov)
Discovery | T1046 | Network Service Discovery | Living-off-the-land enumeration described in advisory. (ic3.gov)
Discovery | T1083 | File and Directory Discovery | Filesystem enumeration via cmd/PowerShell. (ic3.gov)
Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Mimikatz used for LSASS dumping in Medusa intrusions. (ic3.gov)
Lateral Movement | T1072 | Software Deployment Tools | PDQ Deploy/BigFix used to deploy encryptor across network. (ic3.gov)
Lateral Movement | T1569.002 | System Services | PsExec used to deploy/execute encryptor. (ic3.gov)
Collection | T1555 | Credentials from Password Stores | Symantec reports Chrome password extraction tooling (ChromeStealer). (security.com)
Command and Control | T1105 | Ingress Tool Transfer | PowerShell/cmd/certutil used for ingress; Lazarus tooling includes custom loaders and proxying. (ic3.gov)
Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Rclone used to facilitate exfiltration. (ic3.gov)
Impact | T1489 | Service Stop | gaze.exe terminates services related to backups/security and other functions. (ic3.gov)
Impact | T1490 | Inhibit System Recovery | Shadow copy deletion described by advisory. (ic3.gov)
Impact | T1486 | Data Encrypted for Impact | Encryption and .medusa extension described by advisory. (ic3.gov)

8. Mitigation Recommendations

8.1 Hardening and control improvements

Prioritise: patching of internet-facing services; network segmentation to constrain lateral movement; restricting and monitoring remote services; hardening privileged access; and ensuring security tooling cannot be disabled by administrative misuse (for example, via vulnerable-driver or service-stop patterns described in Medusa tradecraft). (ic3.gov)

8.2 Patch management priorities and interim steps

  • CVE-2024-1709 (ScreenConnect): For on-prem/self-hosted deployments, ConnectWise advises upgrading to 23.9.8+ (or eligible interim releases) and provides an upgrade path; cloud-hosted ScreenConnect instances were remediated by ConnectWise per their bulletin. (ConnectWise)
  • CVE-2023-48788 (FortiClientEMS): Prioritise upgrades away from affected FortiClientEMS versions described in NVD; NVD also flags KEV inclusion for this CVE. (NVD) Fortinet’s PSIRT advisory for CVE-2023-48788 is published as FG-IR-24-007. (fortiguard.com)
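Turning the two patch priorities above into an inventory check is mostly a matter of getting the version boundaries right (ScreenConnect "23.9.7 and prior" versus "23.9.8+", and the two inclusive FortiClientEMS branches). The script below is an added example, not ConnectWise's, Fortinet's or CISA's tooling: the boundaries are exactly those stated on this page, the cloud-hosted exclusion follows the ConnectWise note above, and the inventory rows (hostnames, versions, hosting type) are constructed.

```python
"""Triage an asset inventory against the two initial-access CVEs named above.
Added example, not from ConnectWise, Fortinet, NVD or the advisory: the
affected and fixed boundaries are the ones stated on this page, and the
inventory rows are constructed."""
import re


def parse_version(text):
    """'23.9.8.8811' -> (23, 9, 8, 8811); any non-numeric decoration is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def _pad(*tuples):
    """Right-pad with zeros so (23, 9, 8) and (23, 9, 7, 8804) compare sensibly."""
    n = max(len(t) for t in tuples)
    return [t + (0,) * (n - len(t)) for t in tuples]


def version_lt(a, b):
    a, b = _pad(a, b)
    return a < b


def version_in_range(v, lo, hi):
    """Inclusive on both ends, matching how NVD states affected ranges."""
    v, lo, hi = _pad(v, lo, hi)
    return lo <= v <= hi


CVE_RULES = [
    {
        "cve": "CVE-2024-1709",
        "product": "ConnectWise ScreenConnect",
        # NVD (per this page): 23.9.7 and prior affected; ConnectWise: 23.9.8+ remediates.
        # Cloud-hosted instances were remediated by ConnectWise, so only self-hosted counts.
        "fixed_from": (23, 9, 8),
        "self_hosted_only": True,
        "action": "Upgrade self-hosted ScreenConnect to 23.9.8 or later",
    },
    {
        "cve": "CVE-2023-48788",
        "product": "Fortinet FortiClientEMS",
        # NVD (per this page): 7.0.1-7.0.10 and 7.2.0-7.2.2 affected; see FG-IR-24-007.
        "affected_ranges": [((7, 0, 1), (7, 0, 10)), ((7, 2, 0), (7, 2, 2))],
        "action": "Upgrade FortiClientEMS off the affected branches per FG-IR-24-007",
    },
]


def is_affected(rule, version):
    """True when the installed version falls inside the rule's affected set."""
    v = parse_version(version)
    if "fixed_from" in rule:
        return version_lt(v, rule["fixed_from"])
    return any(version_in_range(v, lo, hi) for lo, hi in rule["affected_ranges"])


def triage(inventory, rules=CVE_RULES):
    """One finding per (host, CVE) whose installed version is affected."""
    findings = []
    for asset in inventory:
        for rule in rules:
            if asset["product"] != rule["product"]:
                continue
            if rule.get("self_hosted_only") and asset.get("hosting") == "cloud":
                continue
            if is_affected(rule, asset["version"]):
                findings.append({"host": asset["host"], "cve": rule["cve"],
                                 "version": asset["version"], "action": rule["action"]})
    return findings


# Constructed inventory rows (hostnames and versions are made up for the demo).
INVENTORY = [
    {"host": "rmm01", "product": "ConnectWise ScreenConnect", "version": "23.9.7.8804", "hosting": "self-hosted"},
    {"host": "rmm02", "product": "ConnectWise ScreenConnect", "version": "23.9.8.8811", "hosting": "self-hosted"},
    {"host": "rmm03", "product": "ConnectWise ScreenConnect", "version": "23.9.7.8804", "hosting": "cloud"},
    {"host": "ems01", "product": "Fortinet FortiClientEMS", "version": "7.2.2"},
    {"host": "ems02", "product": "Fortinet FortiClientEMS", "version": "7.2.3"},
    {"host": "ems03", "product": "Fortinet FortiClientEMS", "version": "7.0.10"},
    {"host": "ems04", "product": "Fortinet FortiClientEMS", "version": "7.0.11"},
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['host']}: {f['cve']} ({f['version']}) -> {f['action']}")
```

Zero-padding before comparison is what lets a four-component ScreenConnect build such as 23.9.7.8804 compare correctly against the three-component 23.9.8 boundary; without it, a naive string or tuple comparison misclassifies the boundary builds. The FortiClientEMS ranges are inclusive at both ends, so 7.0.10 is flagged and 7.0.11 is not, exactly as the NVD ranges quoted above read.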

9. Historical Context & Related Vulnerabilities

9.1 Prior DPRK-linked healthcare extortion

FBI/CISA/Treasury reported Maui ransomware used against healthcare and public health entities since at least May 2021. DOJ reporting on Andariel-linked operations also describes ransomware proceeds being used to fund broader intrusions and espionage activity. (Department of Justice)

9.2 Related Medusa reporting

Symantec has tracked rising Medusa activity and published deployment patterns (including repeated PDQ Deploy paths for gaze.exe). (security.com) FBI/CISA/MS-ISAC provide a consolidated Medusa TTP and IOC reference set through February 2025. (ic3.gov)


10. Future Outlook

If Lazarus-linked clusters continue using established RaaS ecosystems, defenders should expect increased operational blending between state-linked access, commodity affiliate tooling, and financially motivated extortion workflows. This can reduce the value of “ransomware family” as an attribution signal and increase reliance on cluster-specific malware (e.g., Lazarus-linked backdoors/loaders) and infrastructure overlaps for higher-confidence assessment. (security.com)


11. Further Reading

  • Symantec Threat Hunter Team report on Lazarus using Medusa (24 Feb 2026). (security.com)
  • FBI/CISA/MS-ISAC #StopRansomware advisory on Medusa (AA25-071A). (ic3.gov)
  • Symantec Threat Intelligence: Medusa ransomware activity increase (6 Mar 2025). (security.com)
  • DOJ press release on Andariel-linked ransomware activity targeting U.S. healthcare (25 Jul 2024). (Department of Justice)
  • Joint advisory on DPRK RGB 3rd Bureau (AA24-207A) describing ransomware funding of espionage. (U.S. Department of War)
  • MITRE ATT&CK group references: Lazarus (G0032), Andariel (G0138), Medusa Group (G1051). (attack.mitre.org)