Dark Reading | Cyberattacks & Data Breaches

Lazarus Group Picks a New Poison: Medusa Ransomware

The North Korean threat group also leveraged the Comebacker backdoor, the Blindingcan RAT, and the Infohook infostealer in its recent attacks.

By Rob Wright, Senior News Director, Dark Reading
February 24, 2026 | 3 Min Read

The Lazarus Group has a new partner in crime.

The North Korean nation-state threat group dropped Medusa ransomware in a recent attack on an organization in the Middle East, according to new research from the Symantec and Carbon Black threat hunter team. Lazarus Group actors also attempted an unsuccessful attack on a US healthcare organization. The researchers did not identify either organization or specify the Middle East target's industry sector.

Lazarus Group's embrace of Medusa shows that the Democratic People's Republic of Korea's (DPRK) "rapacious involvement in cybercrime continues unabated," the researchers wrote. The attacks are also the latest example of the threat group's penchant for hitting critical infrastructure targets, most notably healthcare entities.

"While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn't seem to be in any way constrained," the threat hunter team stated in the report.

The Medusa ransomware gang started out as a closed operation but expanded in 2024 to a more open ransomware-as-a-service (RaaS) model. Medusa actors have also hit hundreds of critical infrastructure organizations over the years, making the gang a fitting partner for Lazarus.
Which Lazarus Group Unit Was Behind the Attacks?

Unlike most nation-state advanced persistent threat (APT) groups, Lazarus has long been involved in conventional cybercrime, running financially motivated attacks on everything from energy sector organizations to cryptocurrency exchanges. Dick O'Brien, principal intelligence analyst for the Symantec and Carbon Black threat hunter team, says the Middle Eastern organization hit by the Medusa attack is a large business that "doesn't operate in a strategic sector or seem to possess valuable intellectual property. We believe it was purely financially motivated."

Partnering with Medusa therefore makes sense for Lazarus Group, given its history of ransomware and extortion attacks. However, Carbon Black has not determined which specific arm of Lazarus is behind these latest attacks.

"While the current Medusa ransomware attacks are undoubtedly the work of Lazarus, the blanket designation for North Korean state-sponsored activity, it is unclear which Lazarus sub-group is behind them," the report stated.

The researchers noted that while the Medusa attacks featured tactics, techniques, and procedures (TTPs) associated with a Lazarus sub-group known as Stonefly, the additional malware used by the threat actors, including a backdoor known as Comebacker, was previously tied to a different group tracked as Diamond Sleet.

Just the Ransomware, Please

In addition to the Comebacker malware, the Carbon Black threat hunter team found evidence of other malware and hacking tools frequently used by the Lazarus Group in the two attacks. These include Blindingcan, a remote access Trojan (RAT) tied to Lazarus, and an infostealer known as Infohook. However, O'Brien tells Dark Reading that the threat hunter team did not find any evidence of Lazarus actors using other Medusa tools or malware besides the ransomware payload itself.
The Medusa ransomware gang has embraced the bring-your-own-vulnerable-driver (BYOVD) technique, deploying endpoint detection and response (EDR) killers that abuse a legitimately signed but exploitable kernel driver to disable enterprise security defenses. Lazarus did not reuse that part of the Medusa playbook in these attacks. "We didn't see any evidence of defense evasion tools being used, such as vulnerable drivers," O'Brien says.

Still, BYOVD has become an increasingly popular tactic among ransomware gangs, and security teams should prepare for such threats. Defenses include blocking vulnerable drivers known to be abused by threat actors and monitoring for privilege-escalation attempts: loading a kernel driver requires administrative rights (the SeLoadDriverPrivilege) that an attacker who lands as a standard user must first obtain, so the escalation step is often the earliest detectable stage of a BYOVD attack.

The threat hunter team's report included indicators of compromise (IOCs) from the two attacks, such as malicious file hashes, IP addresses, and URLs. In a separate security bulletin, Symantec included other indicators, such as behavior-based signals, which the vendor's products have been updated to detect and block.

About the Author: Rob Wright, Senior News Director, Dark Reading, is a longtime reporter with more than 25 years of experience as a technology journalist.
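The two BYOVD defenses the article recommends, blocking known-abused drivers and watching for drivers being introduced, can be checked on a single Windows host with the PowerShell below. This is an added example written for this page, not code from the Symantec and Carbon Black report or from any Medusa or Lazarus tooling. It assumes: the host is Windows 10/11 or a recent Windows Server, the script runs elevated, Sysmon may or may not be installed (the Sysmon query is optional and silently skipped if absent), and the $DenyListSha256 array is a placeholder you fill from your own threat-intel feed; the all-zero hash in it is a constructed dummy, not a real driver hash.

```powershell
# Added example (not from the Symantec/Carbon Black report): hunt for
# bring-your-own-vulnerable-driver (BYOVD) activity on a Windows host and
# confirm the platform-level vulnerable-driver blocklist is enforced.
#
# Assumptions (labelled): run elevated; $DenyListSha256 is a placeholder to be
# replaced with SHA-256 hashes of known-abused drivers from your own intel feed.
# The all-zero value below is a constructed dummy, not a real driver hash.

#Requires -RunAsAdministrator

$DenyListSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # dummy, replace
)

function Get-DriverBlocklistState {
    # Microsoft's vulnerable driver blocklist is enforced by Code Integrity
    # (VulnerableDriverBlocklistEnable) and is strongest when HVCI is running
    # (SecurityServicesRunning contains 2 in Win32_DeviceGuard).
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VulnerableDriverBlocklistExplicitlyEnabled = ($ci.VulnerableDriverBlocklistEnable -eq 1)
        HvciRunning                                = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

function Get-LoadedKernelDrivers {
    # Enumerate running kernel drivers, hash each image and verify its
    # Authenticode signature. A valid signature is exactly what BYOVD relies on,
    # so the hash deny-list check matters more than the signature check here.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be in NT form (\??\C:\... or \SystemRoot\...); normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Sha256     = $hash
                Signer     = $sig.SignerCertificate.Subject
                SigStatus  = $sig.Status
                OnDenyList = ($DenyListSha256 -contains $hash)
            }
        }
}

function Get-RecentDriverInstalls {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # System 7045: Service Control Manager recorded a new service. Kernel drivers
    # are registered the same way, with "Service Type: kernel mode driver".
    $scm = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = 'SCM-7045'; Detail = $_.Message } }
    # Sysmon Event ID 6 (DriverLoad) adds image hashes and signature status
    # when Sysmon is deployed; the query is skipped quietly if the log is absent.
    $sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Sysmon-6'; Detail = $_.Message } }
    @($scm) + @($sysmon) | Sort-Object Time
}

# Report: is the blocklist on, is anything loaded that we deny or that is
# unsigned, and what drivers were installed in the last week?
Get-DriverBlocklistState | Format-List
Get-LoadedKernelDrivers | Where-Object { $_.OnDenyList -or $_.SigStatus -ne 'Valid' } | Format-Table -AutoSize
Get-RecentDriverInstalls -Days 7 | Format-Table -AutoSize -Wrap
```

Two caveats for the reader. First, an absent VulnerableDriverBlocklistEnable value does not necessarily mean the blocklist is off: on current Windows 11 builds and on any host with HVCI running it is applied by default, which is why the function reports both values rather than a single verdict. Second, a BYOVD driver will typically pass the Authenticode check, because the whole technique depends on a legitimately signed driver with an exploitable flaw; the hash deny list (populated from your intel feed or a community-maintained catalogue such as LOLDrivers) and the 7045 / Sysmon 6 install history are the controls that actually catch it.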