Affiliates deploy the malware in exchange for a share of ransom payments. Since its debut, attackers using Medusa have claimed more than 366 incidents.

Medusa, operated by the Spearwing cybercrime group, emerged in 2023 as a ransomware-as-a-service (RaaS) platform.

Researchers from the Symantec and Carbon Black Threat Hunter Team said the attackers deployed Medusa against a target in the Middle East and attempted, unsuccessfully, to breach a US healthcare organization.

A new wave of cyber-attacks using Medusa ransomware has been linked to North Korean state-backed hackers, who continue to target the US healthcare sector despite recent indictments.

Analysis of Medusa's leak site indicated that four US healthcare and non-profit organizations have been listed as victims since early November 2025.

These include a mental health non-profit and a school serving autistic children. The average ransom demand during this period stood at $260,000.

Links with the Lazarus Group

The new activity has been attributed broadly to the Lazarus Group, a state-sponsored umbrella organization. However, it remains unclear which sub-groups of Lazarus are behind the attacks, according to Symantec.

The Stonefly sub-group, also known as Andariel, has played a central role in ransomware operations over the past five years. Once considered focused solely on espionage, Stonefly's involvement in financially motivated attacks became public in July 2025.

At that time, the US Justice Department indicted Rim Jong Hyok, an alleged Stonefly member, for his role in ransomware campaigns targeting US hospitals and healthcare providers. He is said to be affiliated with North Korea's Reconnaissance General Bureau (RGB). Authorities also announced a $10m reward for information related to him.

The indictment suggested that ransomware proceeds were used to fund espionage operations against defense, technology and government entities in the US, Taiwan and South Korea. Yet subsequent investigations found continued intrusion attempts against three US organizations in October 2024, even though ransomware was not deployed.

Tools Used in Recent Campaigns

In the new advisory, researchers identified a range of malware and utilities linked to the attacks:

Comebacker backdoor

Blindingcan remote access Trojan

ChromeStealer credential tool

Curl command-line utility

Infohook data stealer

Mimikatz credential dumper

RP_Proxy custom proxy tool

While the tactics resemble previous Stonefly operations, the analysts cautioned that the tools are not exclusive to one sub-group.

"The switch to Medusa demonstrates that North Korea's rapacious involvement in cybercrime continues unabated. North Korean actors appear to have few scruples about targeting organizations in the US," Symantec wrote.

"While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn't seem to be in any way constrained."