The Lazarus Group, also known as Diamond Sleet and Pompilus, has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to Symantec and Carbon Black Threat Hunter Team. Broadcom's threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organisation in the U.S.
Medusa is a ransomware-as-a-service operation launched by a cybercrime group known as Spearwing in 2023, and the group has claimed more than 366 attacks to date. Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organisations in the U.S. since the beginning of November 2025, with victims including a mental health non-profit and an educational facility for autistic children.
It is unknown if all these victims were targeted by North Korean operatives or if other Medusa affiliates were responsible for some of these attacks. The Lazarus campaign using Medusa also employs tools such as RP_PROXY, Mimikatz, Comebacker, InfoHook, BLINDINGCAN (aka AIRDRY or ZetaNile) and ChromeStealer, with the extortion attacks mirroring those of Andariel.