Lazarus Group Picks a New Poison: Medusa Ransomware
Dark Reading
by Rob Wright
February 24, 2026
AI-Generated Deep Dive Summary
The Lazarus Group, a North Korean state-sponsored threat actor known for its relentless involvement in cybercrime, has now turned to Medusa ransomware as part of its latest campaigns. Symantec and Carbon Black researchers revealed that Lazarus leveraged Medusa in attacks targeting an organization in the Middle East and attempted to breach a US healthcare entity. This marks a significant shift for Lazarus, which has historically focused on critical infrastructure, including energy sectors and cryptocurrency exchanges, but now appears willing to expand its operations into more conventional cybercrime activities.
The adoption of Medusa ransomware aligns with Lazarus's history of financially motivated attacks. Unlike some cybercriminal groups that avoid targeting healthcare organizations due to reputational risks, Lazarus has shown no such restraint. The use of Medusa also highlights the group's adaptability in choosing partners and tools that suit its objectives. Medusa, which began as a closed operation but later adopted a ransomware-as-a-service (RaaS) model, has targeted hundreds of critical infrastructure organizations globally, making it a fitting ally for Lazarus.
In addition to Medusa, Lazarus employed other malware during these attacks, including the Comebacker backdoor and Blindingcan remote access Trojan (RAT), as well as an information stealer called Infohook. While some of these tools are associated with specific Lazarus subgroups, such as Stonefly, others like Comebacker have previously been linked to a different group known as Diamond Sleet. The researchers noted that while the attacks clearly bear the hallmark of Lazarus activity, it remains unclear which specific subgroup is responsible.
The inclusion of Medusa in Lazarus's arsenal underscores the evolving nature of cybercrime and the increasing sophistication of state-sponsored groups
Originally published on Dark Reading on 2/24/2026