North Korean Lazarus Group Now Working With Medusa Ransomware

2026-02-24 Symantec

https://www.security.com/threat-intelligence/lazarus-medusa-ransomware


Symantec and Carbon Black report that North Korean state-backed Lazarus activity is using Medusa ransomware, with evidence from an attack on a Middle East target and an unsuccessful intrusion against a U.S. healthcare organization. The activity fits a broader North Korean ransomware pattern previously linked to Maui, Play, and Stonefly/Andariel, although the excerpt says the specific Lazarus subgroup behind the Medusa activity remains unclear. The toolset includes Medusa ransomware, Lazarus-associated Comebacker and Blindingcan, credential and browser theft tools such as Mimikatz, ChromeStealer, and Infohook, plus RP_Proxy and multiple loaders. Listed infrastructure includes several IP addresses and domains such as human-check[.]com, trustpdfs[.]com, and zypras[.]com, underscoring the need to check healthcare and enterprise telemetry for both the ransomware and the intrusion tooling.

Indicators of Compromise

