Medusa
Medusa refers to multiple distinct malware families in the provided content, but the dominant and most widely recognized usage is Medusa ransomware. Medusa is described as a ransomware-as-a-service (RaaS) operation first observed in 2021 that commonly uses double extortion. The content states it became prominent in 2023 for incorporating initial access brokers and later showed exploit-centric operations, including activity attributed to Storm-1175 that weaponized n-day and zero-day vulnerabilities and could move from access to ransomware deployment within 24 hours. Reported intrusion tradecraft includes use of PowerShell 1.0 to add C:\Windows to antivirus exclusion lists, compromise of VPN credentials, and exploitation of ConnectWise ScreenConnect flaws CVE-2024-1708 and CVE-2024-1709. Microsoft linked Storm-1175’s exploitation of those ScreenConnect flaws to Medusa ransomware deployment. The ransomware has targeted healthcare organizations and other enterprises; examples in the content include NASCAR, Insightin Health, Pulse Urgent Care Center, and UK organizations via compromised MSPs. One report cited in the content says North Korea’s Lazarus Group deployed Medusa ransomware as an affiliate, with a Medusa builder-produced sample (gaze.exe) containing Tor negotiation infrastructure, a Tox contact, an embedded RSA-2048 public key, commands to delete shadow copies via vssadmin Delete Shadows /all /quiet, encryption of mapped network drives, and a kill list covering security, backup, and database services such as Sophos, McAfee, Veeam, BackupExec, MSSQL, and Oracle-related services. Sandbox findings in that report said the sample renamed more than 10,129 files with the Medusa extension and accessed Chrome, Firefox, and Windows Credential Manager credential stores.
The content also clearly describes a separate Linux rootkit named Medusa. That Medusa is an open-source, modular Linux rootkit published on GitHub in December 2022 and used or repurposed in multiple campaigns, including UNC3886 activity targeting VMware environments after exploitation of vCenter and ESXi vulnerabilities. It is described as a userland/LD_PRELOAD-style rootkit that installs a malicious shared library or dynamic linker to load into processes, hooks numerous libc, PAM, and related functions, hides files, directories, processes, and network activity, and can intercept SSH and sudo authentication to capture credentials. Additional capabilities directly mentioned include a PAM backdoor with configurable credentials, anti-debugging, authentication logging, and persistence via dynamic linker configuration. The content further states that the OrBit Linux rootkit is derived from the publicly available Medusa rootkit, and that fixed artifacts associated with Medusa-derived builds include sshpass.txt, .logpam, and /etc/cron.hourly/0 in some related deployments.
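As an added host-triage check (not code from the page or from any report it cites), the following Python inspects the dynamic-linker preload configuration and looks for the fixed artefacts named above (sshpass.txt, .logpam, /etc/cron.hourly/0) under a filesystem root, so it can be pointed at a mounted image as well as a live host. The trusted library prefixes, the demo directory layout and every file name in build_constructed_fixture are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Artefacts reported for Medusa-derived builds. The rootkit's home directory
# differs per build, so the two file names are searched under every home.
HOME_ARTEFACT_NAMES = ("sshpass.txt", ".logpam")
FIXED_ARTEFACTS = ("etc/cron.hourly/0",)
PRELOAD_FILE = "etc/ld.so.preload"
# Assumption: directories a legitimately preloaded library would live in.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def suspicious_preload_entries(root="/"):
    """ld.so.preload entries outside trusted library dirs, or whose target is
    missing (dangling). `root` may be a mounted image; "/" is the live host."""
    preload = Path(root) / PRELOAD_FILE
    if not preload.is_file():
        return []
    findings = []
    for raw in preload.read_text(errors="replace").splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        target = Path(root) / entry.lstrip("/")  # re-root for image mounts
        if not entry.startswith(TRUSTED_LIB_PREFIXES) or not target.exists():
            findings.append(entry)
    return findings


def artefact_hits(root="/"):
    """Sorted paths (relative to root) of reported artefacts that exist."""
    base = Path(root)
    hits = [p for p in FIXED_ARTEFACTS if (base / p).exists()]
    homes = [base / "root"]
    if (base / "home").is_dir():
        homes += [d for d in (base / "home").iterdir() if d.is_dir()]
    for home in homes:
        for name in HOME_ARTEFACT_NAMES:
            if (home / name).exists():
                hits.append((home / name).relative_to(base).as_posix())
    return sorted(hits)


def build_constructed_fixture():
    """CONSTRUCTED demo layout: one benign preload entry, one from an
    untrusted path, one dangling, plus two of the reported artefacts."""
    root = Path(tempfile.mkdtemp(prefix="medusa-triage-"))
    for d in ("etc/cron.hourly", "home/alice",
              "usr/lib/x86_64-linux-gnu", "var/tmp/.x"):
        (root / d).mkdir(parents=True)
    (root / "usr/lib/x86_64-linux-gnu/libbenign.so").touch()
    (root / "var/tmp/.x/libhide.so").touch()
    (root / "etc/ld.so.preload").write_text(
        "# constructed sample\n/usr/lib/x86_64-linux-gnu/libbenign.so\n"
        "/var/tmp/.x/libhide.so\n/usr/lib/libgone.so\n")
    (root / "etc/cron.hourly/0").touch()
    (root / "home/alice/.logpam").touch()
    return root


if __name__ == "__main__":
    demo = build_constructed_fixture()
    print("preload:", suspicious_preload_entries(demo))
    print("artefacts:", artefact_hits(demo))
```

A dangling preload entry is worth flagging on its own, since a removed shared object that is still listed usually means something was cleaned up in a hurry.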
A third distinct malware family in the content is the Medusa Android banking trojan, also known as TangleBot. It is described as an Android malware-as-a-service operation discovered in 2020 and explicitly distinct from both Medusa ransomware and the Linux rootkit. Reported capabilities include keylogging, screen control, SMS manipulation, abuse of Android Accessibility Services, full-screen overlays, screenshot capture, contact-list access, and sending SMS messages. Recent campaigns targeted France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey, and were distributed via smishing and sideloaded dropper apps such as fake Chrome, fake 5G, and fake 4K Sports applications. Cleafy identified 24 campaigns tied to five botnets: UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY.
Because the supplied content conflates these separate malware families under the same name, Medusa should be interpreted carefully in context. The most broadly recognized display name from the aliases and content is simply Medusa, but the content supports at least three distinct usages: Medusa ransomware, Medusa Linux rootkit, and Medusa Android banking trojan/TangleBot.
Vulnerabilities exploited
20 CVEs Mallory has correlated with this family across public research and vendor advisories.
In the first quarter of 2025, Medusa ransomware operators launched a wave of coordinated attacks against UK organisations through compromised MSPs. | The campaigns, uncovered in early 2025, leveraged a trio of flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to pivot from compromised RMM servers into victim networks with “minimal friction.”
Earlier this month, Microsoft linked the exploitation of the flaws to a China-based threat actor it tracks as Storm-1175 in attacks deploying Medusa ransomware.
This method was observed in high-tempo operations linked to Medusa affiliates (Storm-1175) and has been adopted by multiple groups deploying Akira and Black Basta payloads.
...the Microsoft Exchange Server deserialization of untrusted data bug, tracked as CVE-2023-21529, was included in the CISA list after being leveraged by Chinese financially motivated threat operation Storm-1175 to spread the Medusa ransomware.
The flaw in question is CVE-2023-0669, an SQL injection vulnerability that allows remote code execution without authentication. Discovered in February 2023, Fortra released an immediate patch, but attackers continue to exploit it months later. Medusa, an emerging ransomware-as-a-service (RaaS) group... | Medusa, an emerging ransomware-as-a-service (RaaS) group, has been targeting vulnerable Fortra's GoAnywhere MFT systems... Medusa scans the internet for exposed GoAnywhere servers, injecting malicious payloads to encrypt and exfiltrate data.
A notorious group of hackers is currently causing major disruption globally by deploying the devastating Medusa ransomware. | This pace was clear during a recent attack on a SAP NetWeaver system (tracked as CVE-2025-31324). The flaw was announced on April 24, 2025, and by April 25, the group was already using it to launch Medusa ransomware operations.
Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware... Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, often within a few days and, in some cases, within 24 hours.
Storm-1175 has rapidly exploited more than a dozen known vulnerabilities or N-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA). The vulnerability was initially disclosed Feb. 6 and quickly came under attack, with the Cybersecurity and Infrastructure Security Agency (CISA) adding it to the Known Exploited Vulnerabilities (KEV) catalog a week later.
Additionally, Storm-1175 weaponized CVE-2025-10035, a maximum-severity flaw in GoAnywhere's Managed File Transfer's (MFT) License Servlet. Microsoft noted that both CVEs were exploited about a week before public disclosure.
Other notable flaws exploited by Storm-1175 include CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP's file transfer software that also sparked a public disclosure dispute last spring.
Other notable flaws exploited by Storm-1175 include ... CVE-2024-27198, another critical authentication bypass flaw, this time affecting JetBrains' TeamCity and seeing mass exploitation just days after public disclosure in March 2024.
The most recent example is CVE-2026-23760, a critical authentication bypass vulnerability in SmarterMail that was exploited by various threat groups, including the China-linked Storm-2603.
China-based actor Storm-1175 runs fast ransomware attacks, exploiting new flaws to breach systems and quickly deploy Medusa ransomware.
Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including:
CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
CVE-2025-52691 and CVE-2026-23760 (SmarterMail)
CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
CVE-2023-27351 and CVE-2023-27350 (Papercut)
Groups observed using it
11 distinct threat actors attributed by public researchers.
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities.
North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware
The Medusa ransomware activity, executed by the threat actor group Storm-1175, demonstrates a decisive shift toward exploit-centric, high-velocity intrusion models.
Essentially, OrBit is built from Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022.
Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin.
Sample 1 (gaze.exe) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services.
Comcast Corporation had 186.36 GB of compressed data, amounting to 834 GB of stolen information, exposed by the Medusa ransomware gang following its refusal to pay the $1.2 million ransom demand.
Windows System Network Config Discovery Display DNS ... Medusa Ransomware, Windows Post-Exploitation, Prestige Ransomware, Water Gamayun
Associated Analytic Story: BlackByte Ransomware, Clop Ransomware, Crypto Stealer, Hellcat Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Snake Keylogger, Termite Ransomware
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Medusa made headlines in 2023 for incorporating the use of initial access brokers. IABs are nefarious actors who sell access to networks
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities.
The Medusa ransomware activity, executed by the threat actor group Storm-1175, demonstrates a decisive shift toward exploit-centric, high-velocity intrusion models. Unlike traditional ransomware operations that rely on phishing...
Execution
3 techniques
In a third of ransomware and pre-ransomware engagements this quarter, threat actors leveraged PowerShell 1.0... We observed threat actors leveraging PowerShell 1.0 for both defense evasion and discovery...
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence
5 techniques
Medusa made headlines in 2023 for incorporating the use of initial access brokers. IABs are nefarious actors who sell access to networks
PAM Backdoor → Hook libpam authentication system calls for persisting with a hidden root user
Additionally, pre-encryption activities such as credential theft, persistence establishment, and security control disablement indicate a highly automated and repeatable attack lifecycle...
Auth Logging → Hooks pam_prompt(), pam_vprompt and pam_syslog to log all successful authentications locally, or remotely via SSH to Medusa home directory
Privilege Escalation
1 technique
Stealth
10 techniques
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities. The implants helped hide attacker activity, maintain persistence, and support credential theft across compromised systems.
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Along the way, the operators rotate XOR keys, shuffle install paths, swap backdoor credentials, add auditd-evasion hooks... | All other capabilities are identical: file I/O interception, stat hiding, PAM credential capture, TCP port hiding... LD_PRELOAD management, log suppression, and process hiding.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Sometimes that means hiding files or processes. Other times it means suppressing logs, concealing outbound connections, or masking remote access entirely.
File Hiding → Hooks 'stat' and 'readdir' to hide files and directories.
Process Hiding → The rootkit can intercept the 'kill' function to prevent the user from terminating the rootkit process. By hiding itself from the system, the rootkit can remain undetected and achieve persistence on the system.
Defense Impairment
2 techniques
Auth Logging → Hooks pam_prompt(), pam_vprompt and pam_syslog to log all successful authentications locally, or remotely via SSH to Medusa home directory
Credential Access
7 techniques
Auth Logging → Hooks pam_prompt(), pam_vprompt and pam_syslog to log all successful authentications locally, or remotely via SSH to Medusa home directory
Medusa is a fast, parallel, and modular login brute-forcing tool ... used to perform dictionary-based attacks against a variety of protocols and services.
It’s designed to efficiently test combinations of usernames and passwords across a wide range of services and protocols.
Targeting Multiple Hosts: medusa -H hosts.txt -u admin -P passwords.txt -M ssh -t 10
PAM Backdoor → Hook libpam authentication system calls for persisting with a hidden root user
Discovery
3 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
1 technique
Collection
1 technique
Exfiltration
1 technique
cybercriminal gang Medusa on its dark website in early February claimed to have exfiltrated 212 gigabytes of data from SimonMed's IT systems
Impact
3 techniques
The Russian-speaking Medusa group, which typically uses triple extortion attacks to pressure victims into paying the ransom, has been the subject of government and healthcare industry warnings.
Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files. LockBit 3.0 can identify and terminate specific services. RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.
System recovery was inhibited due to the deletion of all VMs from the Hyper-V storage as well as local and cloud backups.
Other
2 techniques
IOCs tracked for this family
77 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
168 sources tracked across advisories, community write-ups, and news.
Linux rootkit used to hide attacker activity, maintain persistence, and support credential theft on compromised systems, including VMware environments.
Named ransomware referenced in related context as being used to target healthcare organizations.
Publicly available Linux rootkit codebase from which OrBit was built. Operators modified configuration elements such as passwords and install paths rather than creating wholly original malware.
Ransomware operated through rapid exploit-driven intrusions, chaining n-day and zero-day vulnerabilities and moving from access to deployment within 24 hours.