North Korean state-backed attackers have added Medusa ransomware to their toolset, using extortion against organizations worldwide to fund espionage. A new investigation by the Threat Hunter Team finds that these operatives are repeatedly targeting the U.S. healthcare sector.
Medusa, active since 2023, is run under a Ransomware-as-a-Service (RaaS) model by the Spearwing cybercrime group: affiliates, in this case North Korean operators, deploy the encryptor and hand Spearwing a percentage of each ransom.
The scale of this campaign is significant:
- Attack Volume: More than 366 attacks have been claimed on the Medusa leak site by its affiliates.
- Targeting Patterns: Since November 2025, the Medusa leak site has listed victims including a mental health non-profit and an educational facility for autistic children.
- Financial Stakes: Over the same period, the average ransom demand was approximately $260,000.
“While the current Medusa ransomware attacks are undoubtedly the work of Lazarus… it is unclear which Lazarus sub-group is behind them,” the report notes.
The motivation for this “rapacious involvement in cybercrime” is purely functional: the proceeds pay for further state-directed attacks.

The group Stonefly (also known as Andariel) has emerged as a prime mover in these operations. While historically seen as an espionage unit, Stonefly began using ransomware roughly five years ago to bankroll its attacks on defense and technology sectors in the U.S., Taiwan, and South Korea. “The group was using the proceeds of ransomware attacks to fund its espionage activities,” the report states.
The Lazarus group uses a mix of custom and publicly available tools in these intrusions:
- Comebacker: A custom backdoor exclusively used by Lazarus.
- Blindingcan: A remote access Trojan (RAT) linked to North Korean intelligence.
- ChromeStealer: Specifically designed to extract passwords from the Chrome browser.
- Credential Dumping: Using publicly available tools such as Mimikatz to harvest credentials from compromised hosts for lateral movement.
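For the credential-dumping step in the list above, the check a defender most wants is a hunt for processes that open lsass.exe with memory-read access, which is what Mimikatz's sekurlsa module and similar dumpers need. The following is an added example, not code from the report or from the Threat Hunter Team; it runs over constructed Sysmon Event ID 10 (ProcessAccess) records in JSON-lines form, and the allowlist of benign source processes is an assumption to be tuned per environment.

```python
import json

# Processes that legitimately open lsass.exe on a Windows host. This is an
# assumed, minimal allowlist for the example; tune it for your fleet.
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Credential dumpers must read LSASS memory, so any open that requests
# PROCESS_VM_READ is worth reviewing. The listed masks are GrantedAccess
# values Sysmon commonly records for Mimikatz sekurlsa, ProcDump-style
# dumps and full-access opens.
PROCESS_VM_READ = 0x0010
WELL_KNOWN_DUMPER_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Constructed Sysmon-style records, one JSON object per line. These are
# made up for this example; they are not telemetry from the report.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 10, "SourceProcessId": 4321,
     "SourceImage": r"C:\Users\jsmith\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceProcessId": 612,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2210,
     "SourceImage": r"C:\Program Files\Backup\agent.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 10, "SourceProcessId": 7788,
     "SourceImage": r"C:\Windows\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 9001,
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
])


def parse_events(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify_lsass_access(event):
    """Return a reason string if the event is a suspicious LSASS open, else None."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in KNOWN_GOOD_SOURCES:
        return None
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        # Malformed telemetry: surface it rather than silently dropping it.
        return "unparseable GrantedAccess"
    if mask in WELL_KNOWN_DUMPER_MASKS:
        return f"known dumper mask 0x{mask:X}"
    if mask & PROCESS_VM_READ:
        return f"PROCESS_VM_READ in mask 0x{mask:X}"
    # Opens without VM_READ (e.g. 0x1000, query limited information) are
    # not enough to read credentials out of LSASS, so they are not flagged.
    return None


def hunt_lsass_access(text):
    """Run the check over a JSON-lines feed and return one finding per suspicious event."""
    findings = []
    for ev in parse_events(text):
        reason = classify_lsass_access(ev)
        if reason:
            findings.append({
                "pid": ev.get("SourceProcessId"),
                "source": ev.get("SourceImage"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in hunt_lsass_access(SAMPLE_EVENTS):
        print(f"pid={f['pid']} {f['source']}: {f['reason']}")
```

On the sample feed this reports the temp-directory binary and the ProcDump copy and ignores csrss.exe (allowlisted), the open of svchost.exe (wrong target) and the taskmgr.exe open that lacks PROCESS_VM_READ. A path allowlist is a weak control on its own, since an attacker who injects into an allowlisted process inherits its name; in production pair it with signer checks or a hash allowlist and alert on the allowlisted processes opening LSASS from unusual parents.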
The targeting of vulnerable medical and educational facilities highlights a reality of North Korean tradecraft. Unlike some cybercrime syndicates that avoid healthcare targets to limit reputational heat, “Lazarus doesn’t seem to be in any way constrained”.
The report concludes that North Korean actors “appear to have few scruples about targeting organizations in the U.S.,” suggesting that the healthcare sector must remain on high alert as these financially motivated state actors continue to evolve their methods.