
The 4-Stage Attack Chain Behind North Korea's Lazarus Group and Medusa Ransomware

Broadcom's Symantec and Carbon Black Threat Hunter Team have identified activity linking North Korea's Lazarus Group to a series of Medusa ransomware attacks. U.S. healthcare organizations are among the primary targets, with cases in the Middle East also referenced.


What makes this campaign worth examining closely is the activity that precedes the ransomware itself. The toolset identified by Symantec and Carbon Black is Lazarus-specific custom malware, not off-the-shelf crimeware, and the attack unfolds across a deliberate sequence of stages before encryption ever begins.



Medusa: Ransomware as a Service (RaaS), Double Extortion as the Model

CISA, the FBI, and MS-ISAC classify Medusa as a Ransomware-as-a-Service (RaaS) operation. The defining feature of how Medusa operates is the double extortion model: victims face file encryption and, separately, the threat of stolen data being publicly released. An organization with solid backups can still face serious exposure if sensitive data was already taken before the encryption ran. That exfiltration phase carries its own damage, independent of whether files are recovered.


The Tools Identified in This Campaign

Symantec and Carbon Black identified a specific set of tools connected to this campaign. Several of them are exclusively or strongly associated with Lazarus Group activity:


Tool            Function
Comebacker      Custom backdoor and loader tied specifically to Lazarus
Blindingcan     Remote Access Trojan (RAT) associated with Lazarus operations
Infohook        Infostealer for collecting system and user data
ChromeStealer   Pulls saved credentials from Chrome browser storage
Mimikatz        Dumps credentials from Windows memory (LSASS)
RP_Proxy        Proxy and tunneling utility for covert outbound communication
curl            Standard transfer tool repurposed for exfiltrating data


On attribution: Symantec describes the TTPs in the U.S. healthcare targeting as similar to Stonefly, also known as Andariel, a Lazarus sub-group. Comebacker has also appeared in prior reporting connected to Pompilous (Diamond Sleet), another North Korean cluster. Pinning specific tools to a single sub-group with certainty is difficult given the tooling overlaps across these clusters, but the broader Lazarus connection is well-supported by the evidence presented.


How the Attack Unfolds

The campaign follows a consistent sequence across the cases reported. Ransomware is the final step, not the central one.

  • Stage 1: Gaining a Foothold

Comebacker establishes the initial access point. Blindingcan then provides persistent remote control through mechanisms like scheduled tasks, Windows services, or Run key entries. At this point the attacker has a stable, quiet presence inside the environment and begins building from there.


  • Stage 2: Credential Access

ChromeStealer collects saved passwords from browser storage. Mimikatz extracts credentials directly from Windows memory via LSASS. Those credentials enable lateral movement across the internal network, privilege escalation, and access to systems the attacker could not otherwise reach. This stage sets up everything that follows.


  • Stage 3: Data Collection and Exfiltration

Infohook collects targeted data from the environment. Curl transfers it out. RP_Proxy masks the outbound traffic. This is where the double extortion material is gathered. By the time ransomware runs, the attacker already has what they need to apply pressure even if the victim restores from backup.


  • Stage 4: Ransomware Execution

Medusa encrypts files at scale. The victim then faces both a ransom demand and the threat of public data disclosure. The encryption event is visible and disruptive, but the preparatory work across the first three stages is where detection opportunities exist and where the actual leverage is built.


How PAGO MDR Approaches This Type of Campaign

PAGO MDR operates on the premise that attackers change tools and file hashes regularly, but the behavioral sequence of an attack tends to repeat. The detection focus is therefore on the chain of activity, tracked across time and systems, rather than on matching individual indicators.


PAGO MDR uses custom-built correlation rules that tie behavioral signals together into a single incident view when they appear in a defined sequence. The goal is to surface the campaign as it develops, before the encryption stage is reached.


  • Backdoor and RAT activity signals

New binary creation and execution in user directories, Temp, or ProgramData. Persistence mechanisms being registered (services, scheduled tasks, Run keys). Repeated remote sessions that suggest active command-and-control communication.


  • Credential access signals

LSASS access or dump attempts consistent with Mimikatz behavior. Chrome credential store access. Admin account logins outside normal hours, or the same account authenticating across many servers in quick succession, which can indicate lateral movement preparation.


  • Exfiltration signals

High-volume outbound transfers initiated via curl from server environments. Tunneling or proxy traffic consistent with RP_Proxy-class tools. Large-scale file reads from shared folders followed by outbound transfer patterns.


  • Pre-encryption signals

Rapid, large-scale file modification or extension changes. Unusually high disk I/O. Attempts to disable or modify backup and recovery services.


  • The correlation logic in practice

When signals like new binary execution, persistence registration, LSASS access, and large outbound transfers occur within a defined time window and in logical sequence, PAGO MDR groups them into a single incident chain. A tool swap or a new hash does not break that grouping, because the detection is built on what the attacker is doing functionally, not on what specific file they used to do it.
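The sequence-and-window grouping described above, as an added illustration that is not PAGO MDR's own rule engine: each raw signal is mapped to one of the four stages, events within a time window are chained across hosts, and a chain is reported only when its stages first appear in the foothold-to-encryption order. The signal names, hosts, binary names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Stage order from the report: foothold -> credentials -> exfiltration -> encryption prep.
STAGE_ORDER = ["foothold", "credential_access", "exfiltration", "pre_encryption"]
# Behavioural signal -> stage; the binary name or hash is deliberately not part of the key.
SIGNAL_TO_STAGE = {"binary_exec_user_dir": "foothold", "persistence_registered": "foothold",
    "lsass_access": "credential_access", "browser_cred_store_read": "credential_access",
    "large_outbound_transfer": "exfiltration", "proxy_tunnel_traffic": "exfiltration",
    "mass_file_rename": "pre_encryption", "backup_service_disabled": "pre_encryption"}

class Event(NamedTuple):
    ts: datetime
    host: str
    signal: str
    tool: str  # what the sensor saw; kept for the analyst, ignored by the correlation

def correlate(events, window=timedelta(hours=72), min_stages=3):
    """Chain mapped events within `window` of a chain's opener, across hosts and tools;
    report a chain only if its stages were first seen in STAGE_ORDER and >= min_stages."""
    chains = []
    for ev in sorted((e for e in events if e.signal in SIGNAL_TO_STAGE), key=lambda e: e.ts):
        for chain in chains:
            if ev.ts - chain[0].ts <= window:
                chain.append(ev)
                break
        else:  # no open chain within the window: this event opens a new one
            chains.append([ev])
    incidents = []
    for chain in chains:
        first_seen = {}  # dict insertion order == first-seen order (events are time-sorted)
        for ev in chain:
            first_seen.setdefault(SIGNAL_TO_STAGE[ev.signal], ev.ts)
        stages = list(first_seen)
        if len(stages) >= min_stages and stages == [s for s in STAGE_ORDER if s in first_seen]:
            incidents.append((stages, chain))
    return incidents

# Constructed sample telemetry (not from the report): one chain across three hosts using
# differently named binaries, plus an isolated LSASS read a month later.
SAMPLE_EVENTS = [
    Event(datetime(2025, 1, 6, 9, 12), "ws-014", "binary_exec_user_dir", "upd_helper.exe"),
    Event(datetime(2025, 1, 7, 2, 40), "ws-014", "lsass_access", "unsigned_tool_1.exe"),
    Event(datetime(2025, 1, 7, 3, 5), "srv-db01", "large_outbound_transfer", "curl.exe"),
    Event(datetime(2025, 1, 8, 1, 30), "srv-file02", "mass_file_rename", "unknown.exe"),
    Event(datetime(2025, 2, 3, 11, 0), "ws-090", "lsass_access", "dumper.exe"),
]

def run_sample():
    return correlate(SAMPLE_EVENTS)
```

The four January events form one incident chain even though they come from three hosts and four different binary names; the lone February LSASS read opens a chain that never reaches the stage threshold and is not reported.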


The Same Attack Chain Targets Multiple Sectors

This campaign has been reported in the context of U.S. healthcare targets. The attack sequence itself contains no elements that are specific to one sector. The same 4-stage progression from initial access through credential theft, exfiltration, and encryption has appeared in incidents affecting semiconductor manufacturers, chemical companies, energy operators, and financial institutions. Lazarus sub-groups tend to select targets based on the value of access, data, or disruption potential, and that evaluation rarely follows industry boundaries.


From a defensive perspective, the sector mentioned in the report is less important than the operational pattern behind the attack. The same behavioral chain can unfold in any environment where credentials, intellectual property, or operational systems hold value. Organizations that focus only on the ransomware payload or on a single indicator often see the attack too late.


Effective detection begins earlier in the sequence. When defenders monitor the progression from foothold activity to credential access, then to data movement and preparation for encryption, they gain the opportunity to disrupt the operation before the final impact occurs. This approach shifts attention away from the name of the ransomware and toward the behavior that consistently precedes it.


For security teams, the lesson is that the same attack chain repeats across sectors: tools change and targets vary, but the underlying progression remains recognizable. Detection strategies that follow this progression remain relevant wherever that pattern appears.


Sources

  • Broadcom / Symantec Threat Hunter Team

  • BleepingComputer

  • The Record (Recorded Future News)

  • The Hacker News

  • CISA / FBI / MS-ISAC Joint Advisory

  • BankInfoSecurity


Written by: Siwoo Lee, Threat Analyst | DeepACT MDR Center
