Lazarus Group Deploys Medusa Ransomware in Middle East and U.S. Healthcare Attacks

The North Korea-aligned threat collective Lazarus Group, also tracked under alternative names such as Diamond Sleet and Pompilus, has been linked to fresh ransomware activity impacting organizations in the Middle East and the United States healthcare sector.

According to research published by the Symantec and Carbon Black Threat Hunter Team, part of Broadcom, the group leveraged Medusa ransomware during an intrusion targeting an unidentified Middle Eastern entity. Investigators also uncovered evidence of a failed attempt against a U.S. healthcare organization.

Medusa RaaS and Expanding Victim List

Medusa operates under a ransomware-as-a-service (RaaS) model and was introduced in 2023 by a cybercriminal outfit known as Spearwing. The group behind Medusa claims responsibility for more than 366 attacks globally.

Threat intelligence analysis indicates that since early November 2025, at least four healthcare and nonprofit organizations in the United States have appeared on the Medusa leak portal. Victims reportedly include a mental health nonprofit and a specialized educational institution supporting autistic children. The average ransom demand during this period stood at approximately 260,000 dollars.

It remains unclear whether all of these incidents were directly orchestrated by North Korean operators or whether other Medusa affiliates conducted some of the attacks.

Shift From Custom Ransomware to Established Platforms

North Korean threat actors have previously developed proprietary ransomware strains. As early as 2021, a Lazarus sub-cluster known as Andariel, also called Stonefly, deployed custom ransomware families such as SHATTEREDGLASS, Maui, and H0lyGh0st against targets in South Korea, Japan, and the United States.

In October 2024, the group was connected to a Play ransomware operation, signaling a move toward using ready-made ransomware lockers rather than in-house developed payloads.

A similar evolution was observed with another North Korean actor, Moonstone Sleet, which transitioned from its custom FakePenny ransomware to leveraging Qilin ransomware in campaigns against South Korean financial institutions.

Security analysts suggest this transition reflects a pragmatic strategy. Instead of investing resources into building proprietary ransomware, threat actors may find it more efficient to operate as affiliates within established ransomware ecosystems.

Tools Used in the Medusa Campaign

The Medusa-linked activity attributed to Lazarus Group involved a combination of custom and publicly available tools, including:

  • RP_Proxy, a proprietary proxy utility
  • Mimikatz, widely used for credential extraction
  • Comebacker, a custom backdoor unique to the group
  • InfoHook, an information stealer associated with Comebacker
  • BLINDINGCAN, also known as AIRDRY or ZetaNile
  • ChromeStealer, designed to extract stored credentials from Google Chrome

Although the operational patterns resemble previous Andariel-linked campaigns, researchers have not definitively attributed this activity to a specific Lazarus sub-unit.

Healthcare Sector Under Pressure

Unlike some cybercriminal groups that publicly avoid healthcare targets due to reputational risks, Lazarus appears unconstrained in its targeting strategy. The continued use of ransomware against healthcare providers and nonprofit organizations highlights the financial motivation driving these operations.

Analysts emphasize that North Korea’s engagement in cybercrime remains persistent and adaptive. By integrating into ransomware-as-a-service ecosystems like Medusa, the group can rapidly deploy mature encryption frameworks while focusing its efforts on intrusion, persistence, and data exfiltration.