Cybersecurity researchers have identified technical overlaps between activity attributed to the Lazarus Group, a threat actor widely linked to the North Korean government, and deployments of the Medusa ransomware strain. The findings are based on forensic analysis of malware samples and supporting infrastructure observed in recent incidents.
Medusa ransomware, first detected in 2021, has been used in attacks against organisations across multiple sectors. Analysts examining newer variants found similarities in code structure, encryption mechanisms, and command and control infrastructure that align with tools previously associated with Lazarus operations. The researchers said the overlap includes reused components and patterns in how systems were compromised and managed after initial access.
Security firms tracking the activity noted that Lazarus has historically conducted a range of cyber operations, including financially motivated ransomware campaigns and intrusions targeting financial institutions and digital asset platforms. In the cases linked to Medusa, investigators observed behaviours consistent with earlier Lazarus activity, including staged data exfiltration prior to file encryption and ransom demands issued in cryptocurrency.
Victims of Medusa incidents reported that attackers encrypted networked systems and left ransom notes directing them to contact the operators for payment instructions. In some cases, stolen data was published on leak sites, or its release was threatened. Researchers said that the infrastructure supporting certain Medusa attacks showed configuration similarities to infrastructure used in past Lazarus campaigns.
The researchers cautioned that technical overlap does not necessarily mean that all Medusa operations are centrally directed by Lazarus. Instead, the evidence suggests that actors linked to or sharing resources with Lazarus may be involved in at least some deployments of the ransomware.
The findings are part of ongoing monitoring of ransomware threats and state-linked cyber activity. Security analysts said they will continue to examine malware samples and infrastructure to clarify the relationship between Medusa operators and previously identified Lazarus activity.