
    Lazarus hackers adopt Medusa ransomware for extortion campaigns, targeting healthcare and nonprofits

    A joint investigation by the Symantec and Carbon Black Threat Hunter teams details evidence that operators linked to the Lazarus hacker group are deploying Medusa ransomware in ongoing extortion campaigns targeting the U.S. healthcare sector and a Middle East entity, indicating that the North Korean threat cluster continues ransomware-driven extortion despite prior U.S. indictments. The findings cite recent victim claims involving healthcare and nonprofit organizations and document the use of Lazarus-associated tooling observed in these intrusions, reinforcing attribution to the North Korean threat cluster.

    In a report titled ‘North Korean Lazarus Group Now Working With Medusa Ransomware,’ Symantec and Carbon Black said they uncovered evidence of North Korean actors deploying Medusa ransomware in an attack against a target in the Middle East. The same operators also attempted, but failed, to breach a U.S. healthcare organization.

    Medusa, operated by the Spearwing cybercrime group, emerged in 2023 as a RaaS (ransomware-as-a-service) operation, allowing affiliates to deploy the malware in exchange for a share of ransom proceeds. Attackers using Medusa have claimed more than 366 victims to date.

    The report noted that the Lazarus Group is deploying a broad toolkit in its current ransomware campaigns. The arsenal includes Comebacker, a custom backdoor and loader exclusively associated with the group; Blindingcan, a Lazarus-linked remote access Trojan; and ChromeStealer, designed to extract stored credentials from the Chrome browser.

    Operators are also using Curl, the open-source command-line utility for transferring data across network protocols; Infohook, an information-stealing malware strain; Mimikatz, the publicly available credential-dumping tool; and RP_Proxy, a custom proxying utility to route malicious traffic.

    Analysis of the group’s leak site shows four U.S. healthcare and nonprofit organizations listed since early November 2025, including a mental health nonprofit and an educational facility for autistic children. It remains unclear whether all of these incidents are attributable to North Korean operatives or whether other Medusa affiliates were responsible for some of the attacks. The average ransom demand during that period was US$260,000.

    The report identified that one of the prime movers in mounting North Korean ransomware attacks in recent years has been the Lazarus sub-group Stonefly (aka Andariel). “For many years, Stonefly was thought to be solely engaged in espionage attacks, particularly against high-value targets. However, the group became involved in ransomware attacks approximately five years ago.”

    Furthermore, its involvement in digital extortion came to public attention in July 2025, when the U.S. Justice Department indicted a North Korean man named Rim Jong Hyok on charges related to a ransomware campaign against U.S. hospitals and other healthcare providers. Rim is alleged to be a member of Stonefly, which is linked to the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB).

    The indictment shed some light on the motivation behind Stonefly’s move into ransomware. It is alleged that the group was using the proceeds of ransomware attacks to fund its espionage activities, including attacks against the defense, technology, and government sectors in the U.S., Taiwan, and South Korea. The indictment and a $10 million reward for information on Rim did not appear to deter Stonefly from mounting further attacks.

    In October 2024, Symantec’s Threat Hunter Team found evidence of intrusions against three different U.S. organizations. Although no ransomware was successfully deployed, the attacks appeared to be financially motivated, since all victims were private companies in lines of business with no obvious intelligence value. About the same time, Palo Alto Unit 42 reported that the group had begun collaborating with the Play ransomware group.

    The post recognized that while the current Medusa ransomware attacks are undoubtedly the work of Lazarus, the blanket designation for North Korean state-sponsored activity, it is unclear which Lazarus sub-group is behind them. “While the TTPs – extortion attacks against the U.S. healthcare sector – are like previous Stonefly attacks, the malware tools used are not exclusive to Stonefly. For example, the Comebacker backdoor has previously been reported to be associated with the Pompilus group (aka Diamond Sleet).”

    This comes as “the switch to Medusa demonstrates that North Korea’s rapacious involvement in cybercrime continues unabated,” according to the post. “North Korean actors appear to have few scruples about targeting organizations in the U.S. While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained.”

    Last October, Symantec revealed that China-based threat actors exploited the recently disclosed ToolShell vulnerability (CVE-2025-53770) to compromise a telecommunications company in the Middle East shortly after it was patched in July 2025. The investigation found that the same actors also infiltrated the networks of government agencies across multiple countries in Africa and South America. In one African nation alone, two government departments were compromised during the same period.
