ZeroFox Intelligence Flash Report - North Korean Threat Actor Revealed as Medusa Affiliate
by Alpha Team

Product Serial: F-2026-02-27a
TLP:CLEAR
In this Flash report, ZeroFox researchers report on North Korean state-sponsored threat actor Lazarus Group deploying Medusa ransomware in an effort to conceal financially motivated operations behind an established ransomware brand.
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- On February 24, 2026, North Korean threat actor “Lazarus Group” reportedly deployed Medusa ransomware widely in a series of attempted attacks against healthcare organizations. These attacks indicate that state-sponsored threat actors are almost certainly using cybercrime infrastructure to generate revenue for the North Korean government.
- By combining with Medusa, Lazarus Group has likely gained access to an established ransomware infrastructure with which to conduct financially motivated attacks. However, Medusa is an independent threat actor, and not all Medusa ransomware-as-a-service (RaaS) attacks should be attributed to Lazarus Group.
- Lazarus Group’s deployment of Medusa RaaS likely indicates the collective is seeking to improve the operational security of its financially motivated attacks by concealing its activities behind the established brand of the Medusa RaaS operation.
- Given the group’s history of conducting state-sponsored attacks that advance North Korean government objectives, it is very likely their financially motivated operations are intended to generate revenue for the communist regime in Pyongyang.
Tags: tlp:clear, geo-political, malware