LAZARUS APT Group, also known as Diamond Sleet and Pompilus, has been spotted deploying Medusa ransomware in a campaign against an unnamed Middle East organisation, according to the Symantec and Carbon Black Threat Hunter Team. The operation marks another instance of North Korea-linked activity shifting toward ransomware-driven extortion in recent years. Medusa is a ransomware-as-a-service operation launched in 2023 and run by the Spearwing group.
The report notes that Medusa allows affiliates to deploy the malware in exchange for a share of ransom payments and has been linked to more than 366 claimed attacks. Since early November 2025, its leak site has listed four U.S. healthcare and non-profit victims, including a mental health nonprofit and a school for autistic children, while average ransom demands have reached around $260,000.
Beyond the Middle East intrusion, the report states that the same attackers mounted an unsuccessful attack against a healthcare organisation in the United States. The Lazarus campaign used tools including Comebacker, Blindingcan, ChromeStealer and Mimikatz alongside other customised malware.