www.darkreading.com 2/24/2026, 10:05:58 PM · via preferred

North Korean group Lazarus expands with Medusa ransomware


The Lazarus Group has expanded its repertoire with Medusa ransomware, dropped in a recent attack on an organization in the Middle East, according to new research from the Symantec and Carbon Black threat hunter team. The researchers also note that Lazarus actors attempted an unsuccessful attack on a US healthcare organization. The Medusa operation involves not only the ransomware payload but also the Comebacker backdoor, the Blindingcan remote access Trojan, and an infostealer known as Infohook.

In their assessment, the threat hunter team observed Lazarus using a mix of tools and techniques, including a bring-your-own-vulnerable-driver (BYOVD) approach deployed against targets, while noting that attribution to a specific Lazarus sub-group remains unclear. The report highlights that Medusa has evolved since its origins as a closed operation and expanded in 2024 to a ransomware-as-a-service model, and that this activity is consistent with Lazarus's history of targeting critical infrastructure and healthcare entities.


Article by CyberSIXT