A new wave of cyber-attacks using Medusa ransomware has been linked to North Korean state-backed hackers, with researchers from the Symantec and Carbon Black Threat Hunter Team saying the attacks targeted an organisation in the Middle East and that a US healthcare organisation was also approached. Medusa, operated by the Spearwing cybercrime group, emerged in 2023 as a ransomware-as-a-service platform in which affiliates take a share of ransom payments; to date, attackers using Medusa have claimed responsibility for more than 366 incidents.
Analysis of Medusa’s leak site indicated that four US healthcare and non-profit organisations have been listed as victims since early November 2025, with an average ransom demand of $260,000 during this period. The activity has been attributed broadly to the Lazarus Group, a state-sponsored umbrella organisation, though it remains unclear which sub-groups are behind the attacks, according to Symantec.
The four victims listed include a mental health non-profit and a school serving autistic children, underscoring the healthcare and education sector focus of these campaigns. Researchers identified a range of tools linked to the campaigns, including the Comebacker backdoor, Blindingcan, ChromeStealer and Mimikatz, while noting that the tactics resemble previous Stonefly operations.
According to Symantec, the switch to Medusa demonstrates North Korea’s continued involvement in cybercrime and an apparent willingness to target organisations in the US.