Skip to main content
Mallory
Back to threat actors
8 malware familiesExploits CVEs in the wild

Medusa Group

Also known asmedusamedusa_groupmedusa_ransomwaremedusa_ransomware_group

Medusa is a cybercrime ransomware group and ransomware-as-a-service (RaaS) operation first observed in 2021. The group is described as often using double extortion for monetary gain. Reported victim claims in the provided content include SimonMed Imaging, NASCAR, Insightin Health, and Pulse Urgent Care Center. Known aliases in the content include medusa, medusa_group, medusa_ransomware, and medusa_ransomware_group. The group’s observed tradecraft includes use of HTTPS for command and control, TOR nodes for communications, and reverse or bind shells over port 443. It has used Windows Command Prompt/cmd.exe to control and execute commands, including ingress, network, filesystem, and system enumeration, with examples such as "cmd.exe /c systeminfo". Medusa Group has used RDP for lateral movement and data exfiltration, including mstsc.exe with the format "mstsc.exe /v:{hostname/ip}". For discovery, it has leveraged RMM services and publicly available tools including Advanced IP Scanner and SoftPerfect Network Scanner for user, system, network, hostname, and network service discovery. For command and control and defense evasion, the content notes use of tunneling tools Ligolo and Cloudflared. Additional behaviors directly mentioned in the content include modifying Windows Registry keys to elevate privileges, maintain persistence, and allow remote access; deleting previously installed tools; exfiltrating data to cloud storage using Rclone; and utilizing a hard-coded security tool process list to identify and terminate processes via undocumented IOCTL code 0x222094.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

62 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics93 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0042
Resource Development
3 techniques
T1587
Develop Capabilities
T1587.001
Malware
T1588
Obtain Capabilities
T1588.002×2
Tool
T1608
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1190
Exploit Public-Facing Application
TA0002
Execution
7 techniques
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001×4
PowerShell
T1059.003×3
Windows Command Shell
T1072×2
Software Deployment Tools
T1129
Shared Modules
T1569
System Services
T1569.002
Service Execution
T1574×2
Hijack Execution Flow
TA0003
Persistence
7 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1078
Valid Accounts
T1112×3
Modify Registry
T1133
External Remote Services
T1505
Server Software Component
T1505.003×3
Web Shell
T1505.004
IIS Components
T1542
Pre-OS Boot
T1542.001
System Firmware
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0004
Privilege Escalation
5 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1068×3
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1543
Create or Modify System Process
T1543.003
Windows Service
T1548
Abuse Elevation Control Mechanism
T1548.002×2
Bypass User Account Control
TA0005
Stealth
7 techniques
T1027
Obfuscated Files or Information
T1027.002
Software Packing
T1070
Indicator Removal
T1070.004×3
File Deletion
T1070.009
Clear Persistence
T1078
Valid Accounts
T1218
System Binary Proxy Execution
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1542
Pre-OS Boot
T1542.001
System Firmware
T1574×2
Hijack Execution Flow
TA0112
Defense Impairment
2 techniques
T1112×3
Modify Registry
T1553
Subvert Trust Controls
T1553.002
Code Signing
TA0006
Credential Access
1 technique
T1003
OS Credential Dumping
T1003.001
LSASS Memory
T1003.003
NTDS
TA0007
Discovery
10 techniques
T1007
System Service Discovery
T1012
Query Registry
T1016
System Network Configuration Discovery
T1018×4
Remote System Discovery
T1033
System Owner/User Discovery
T1046
Network Service Discovery
T1069
Permission Groups Discovery
T1069.002
Domain Groups
T1082×2
System Information Discovery
T1482
Domain Trust Discovery
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0008
Lateral Movement
3 techniques
T1021
Remote Services
T1021.001×3
Remote Desktop Protocol
T1021.002
SMB/Windows Admin Shares
T1072×2
Software Deployment Tools
T1210
Exploitation of Remote Services
TA0011
Command and Control
6 techniques
T1071
Application Layer Protocol
T1071.001×3
Web Protocols
T1090
Proxy
T1090.002
External Proxy
T1090.003
Multi-hop Proxy
T1105
Ingress Tool Transfer
T1219×2
Remote Access Tools
T1572
Protocol Tunneling
T1573
Encrypted Channel
TA0010
Exfiltration
2 techniques
T1048
Exfiltration Over Alternative Protocol
T1567×2
Exfiltration Over Web Service
T1567.002×3
Exfiltration to Cloud Storage
TA0040
Impact
4 techniques
T1485
Data Destruction
T1486×7
Data Encrypted for Impact
T1490
Inhibit System Recovery
T1657
Financial Theft
ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ImpacketThe following analytic detects the use of Impacket's wmiexec.py tool for lateral movement by identifying specific command-line parameters.2Mar 17, 2026
MedusaAssociated Analytic Story BlackByte Ransomware Clop Ransomware Crypto Stealer Hellcat Ransomware Interlock Ransomware LockBit Ransomware Medusa Ransomware NailaoLocker Ransomware Rhysida Ransomware Snake Keylogger Termite Ransomware2Mar 17, 2026
Brute Ratel C4This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.1Mar 17, 2026
Cobalt StrikeDetects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.1May 6, 2026
PsExecThe following analytic identifies instances where PsExec.exe has been renamed and executed on an endpoint. ... renaming PsExec.exe is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.1Mar 17, 2026

3 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

14 CVEs this actor has used in observed campaigns. 14 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2021-31207Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange AutodiscoverIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34523Microsoft Exchange PowerShell Backend Elevation of Privilege (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2022-26134Atlassian Confluence Server and Data Center OGNL Injection RCEIn the wildEvidence1

The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.

9 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

49 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

49 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
cyfirma otherNews
May 15, 2026
TRACKING RANSOMWARE : APRIL 2026 - CYFIRMA

A ransomware operation carried out by Storm-1175, characterized by exploit-driven initial access, rapid deployment, and compressed intrusion-to-impact timelines.

Read more
checkpoint research blogNews
May 11, 2026
The State of Ransomware - Q1 2026 - Check Point Research

Named ransomware operation referenced as a prior affiliate destination for the actor who later founded The Gentlemen.

Read more
polyswarmNews
May 4, 2026
Critical Condition: The 2026 Healthcare Cyber Threat Landscape

Ransomware group targeting healthcare with double extortion and public leak pressure.

Read more
cyber security newsNews
Apr 28, 2026
Windows Remote Desktop Leaves Behind Image Fragments Attackers Can Stitch Into Screenshots

Frequently exploits RDP access and can use the default Windows RDP bitmap cache as a reconnaissance source during intrusions.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping62

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs14

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables49

Domains, IPs, and hashes tied to this actor, refreshed continuously.