Medusa
Medusa is a malware name used in the provided content for multiple distinct threats, most prominently a ransomware family/RaaS operation and also a Linux rootkit; the content additionally references an open-source Mythic agent named Medusa and notes a separate Android banking trojan also called Medusa/TangleBot. The most widely referenced usage in the content is Medusa ransomware.

Medusa ransomware was first observed in 2021 and is described as a ransomware-as-a-service operation that commonly uses double extortion for monetary gain. Reporting in the content links Medusa ransomware to financially motivated intrusions and victim extortion events, including claims against organizations such as NASCAR and Insightin Health. The content states that Medusa made headlines in 2023 for incorporating initial access brokers, and another report says Medusa activity was executed by Storm-1175, which weaponized n-day and zero-day vulnerabilities and could move from access to ransomware deployment within 24 hours.

Multiple reports associate Medusa ransomware intrusions with defense-evasion tooling: Elastic Security Labs observed a HEARTCRYPT-packed loader deploying the ABYSSWORKER malicious kernel driver in a financially motivated MEDUSA campaign to disable or silence EDR products, and Sophos observed a separate Shanya-packed EDR killer first deployed in a Medusa attack near the end of April 2025. In one January 2025 case, a suspected SimpleHelp remote-code-execution zero-day led to execution of an EDR killer via JWrapper-Remote Access, followed by Medusa ransomware. Talos also observed a Medusa ransomware engagement in which the adversary used PowerShell 1.0 to add C:\Windows to the victim AV exclusion list.

The content also references Medusa as a Linux rootkit: it is described as a powerful, stealthy, versatile, modular rootkit designed to give attackers complete control over Linux systems.
Medusa rootkit activity is associated in the content with persistence, credential capture, and unauthorized access, including abuse of dynamic linker hijacking mechanisms such as LD_PRELOAD and PAM-related persistence techniques. Separate reporting cited UNC3886 deploying Linux rootkits including REPTILE and MEDUSA after exploiting vCenter and ESXi vulnerabilities. Because the source material conflates several unrelated malware families under the same name, high-confidence attribution should distinguish Medusa ransomware from the Linux rootkit, the open-source Mythic agent, and the Android banking trojan/TangleBot.
Vulnerabilities exploited
20 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In the first quarter of 2025, Medusa ransomware operators launched a wave of coordinated attacks against UK organisations through compromised MSPs. | The campaigns, uncovered in early 2025, leveraged a trio of flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to pivot from compromised RMM servers into victim networks with “minimal friction.”
Earlier this month, Microsoft linked the exploitation of the flaws to a China-based threat actor it tracks as Storm-1175 in attacks deploying Medusa ransomware.
This method was observed in high-tempo operations linked to Medusa affiliates (Storm-1175) and has been adopted by multiple groups deploying Akira and Black Basta payloads.
...the Microsoft Exchange Server deserialization of untrusted data bug, tracked as CVE-2023-21529, was included in the CISA list after being leveraged by Chinese financially motivated threat operation Storm-1175 to spread the Medusa ransomware.
The flaw in question is CVE-2023-0669, an SQL injection vulnerability that allows remote code execution without authentication. Discovered in February 2023, Fortra released an immediate patch, but attackers continue to exploit it months later. Medusa, an emerging ransomware-as-a-service (RaaS) group... | Medusa, an emerging ransomware-as-a-service (RaaS) group, has been targeting Fortra's vulnerable GoAnywhere MFT systems... Medusa scans the internet for exposed GoAnywhere servers, injecting malicious payloads to encrypt and exfiltrate data.
A notorious group of hackers is currently causing major disruption globally by deploying the devastating Medusa ransomware. | This pace was clear during a recent attack on a SAP NetWeaver system (tracked as CVE-2025-31324). The flaw was announced on April 24, 2025, and by April 25, the group was already using it to launch Medusa ransomware operations.
Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware... Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, often within a few days and, in some cases, within 24 hours. | Storm-1175 has rapidly exploited more than a dozen known vulnerabilities or N-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA). The vulnerability was initially disclosed Feb. 6 and quickly came under attack, with the Cybersecurity and Infrastructure Security Agency (CISA) adding it to the Known Exploited Vulnerabilities (KEV) catalog a week later.
Additionally, Storm-1175 weaponized CVE-2025-10035, a maximum-severity flaw in GoAnywhere's Managed File Transfer's (MFT) License Servlet. Microsoft noted that both CVEs were exploited about a week before public disclosure. | Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware... Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, often within a few days and, in some cases, within 24 hours.
Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware... Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, often within a few days and, in some cases, within 24 hours. | Other notable flaws exploited by Storm-1175 include CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP's file transfer software that also sparked a public disclosure dispute last spring.
Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware... Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, often within a few days and, in some cases, within 24 hours. | Other notable flaws exploited by Storm-1175 include ... CVE-2024-27198, another critical authentication bypass flaw, this time affecting JetBrains' TeamCity and seeing mass exploitation just days after public disclosure in March 2024.
The most recent example is CVE-2026-23760, a critical authentication bypass vulnerability in SmarterMail that was exploited by various threat groups, including the China-linked Storm-2603. | Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware... Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, often within a few days and, in some cases, within 24 hours.
Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including: CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity) | China-based actor Storm-1175 runs fast ransomware attacks, exploiting new flaws to breach systems and quickly deploy Medusa ransomware.
China-based actor Storm-1175 runs fast ransomware attacks, exploiting new flaws to breach systems and quickly deploy Medusa ransomware. | Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including: CVE-2025-52691 and CVE-2026-23760 (SmarterMail)
China-based actor Storm-1175 runs fast ransomware attacks, exploiting new flaws to breach systems and quickly deploy Medusa ransomware. | Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including: CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including: CVE-2023-27351 and CVE-2023-27350 (Papercut) | China-based actor Storm-1175 runs fast ransomware attacks, exploiting new flaws to breach systems and quickly deploy Medusa ransomware.
Groups observed using it
13 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities.
North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware
The Medusa ransomware activity, executed by the threat actor group Storm-1175, demonstrates a decisive shift toward exploit-centric, high-velocity intrusion models.
Essentially, OrBit is built from Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022.
Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin.
Sample 1 (gaze.exe) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Medusa made headlines in 2023 for incorporating the use of initial access brokers. IABs are nefarious actors who sell access to networks
Execution
4 techniques
In a third of ransomware and pre-ransomware engagements this quarter, threat actors leveraged PowerShell 1.0... We observed threat actors leveraging PowerShell 1.0 for both defense evasion and discovery...
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Looking at ransomware brands in our dataset from 2020 to 2025, three brands (LockBit, Medusa, Phobos) and one technique (abuse of native BitLocker encryption) have persisted for the duration.
Dynamic Linker Hijacking occurs when an attacker manipulates the linking process to redirect execution flow. This can involve altering the library search order through LD_PRELOAD, modifying configuration files like /etc/ld.so.conf, or tampering with cached library mappings in /etc/ld.so.cache.
Persistence
5 techniques
Medusa made headlines in 2023 for incorporating the use of initial access brokers. IABs are nefarious actors who sell access to networks
PAM Backdoor → Hook libpam authentication system calls for persisting with a hidden root user
Additionally, pre-encryption activities such as credential theft, persistence establishment, and security control disablement indicate a highly automated and repeatable attack lifecycle...
Auth Logging → Hooks pam_prompt(), pam_vprompt() and pam_syslog() to log all successful authentications locally, or remotely via SSH to the Medusa home directory
PAM provides the essential capability to centralize how secure authentication happens, but its flexibility can be abused by attackers to establish persistence through malicious PAM modules. By introducing custom modules or modifying existing configurations, attackers can manipulate authentication flows to capture credentials, manipulate logging to evade detection, grant unauthorized access, or execute malicious code.
Privilege Escalation
1 technique
Stealth
10 techniques
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities. The implants helped hide attacker activity, maintain persistence, and support credential theft across compromised systems.
... the developers of The Gentlemen systematically reverse-engineer samples of Babuk, Qilin, LockBit 5.0 and Medusa, extracting ... obfuscation techniques (T1027) ...
Along the way, the operators rotate XOR keys, shuffle install paths, swap backdoor credentials, add auditd-evasion hooks... | All other capabilities are identical: file I/O interception, stat hiding, PAM credential capture, TCP port hiding... LD_PRELOAD management, log suppression, and process hiding.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Sometimes that means hiding files or processes. Other times it means suppressing logs, concealing outbound connections, or masking remote access entirely.
File Hiding → Hooks 'stat' and 'readdir' to hide files and directories.
Process Hiding → Hooks the 'kill' function so the rootkit can intercept attempts to terminate its own process. By hiding itself from the system, the rootkit can remain undetected and achieve persistence on the system.
Dynamic Linker Hijacking occurs when an attacker manipulates the linking process to redirect execution flow. This can involve altering the library search order through LD_PRELOAD, modifying configuration files like /etc/ld.so.conf, or tampering with cached library mappings in /etc/ld.so.cache.
Defense Impairment
2 techniques
Auth Logging → Hooks pam_prompt(), pam_vprompt() and pam_syslog() to log all successful authentications locally, or remotely via SSH to the Medusa home directory
PAM provides the essential capability to centralize how secure authentication happens, but its flexibility can be abused by attackers to establish persistence through malicious PAM modules. By introducing custom modules or modifying existing configurations, attackers can manipulate authentication flows to capture credentials, manipulate logging to evade detection, grant unauthorized access, or execute malicious code.
Credential Access
6 techniques
Auth Logging → Hooks pam_prompt(), pam_vprompt() and pam_syslog() to log all successful authentications locally, or remotely via SSH to the Medusa home directory
Medusa is a fast, parallel, and modular login brute-forcing tool ... used to perform dictionary-based attacks against a variety of protocols and services.
It’s designed to efficiently test combinations of usernames and passwords across a wide range of services and protocols.
Targeting multiple hosts: medusa -H hosts.txt -u admin -P passwords.txt -M ssh -t 10
PAM provides the essential capability to centralize how secure authentication happens, but its flexibility can be abused by attackers to establish persistence through malicious PAM modules. By introducing custom modules or modifying existing configurations, attackers can manipulate authentication flows to capture credentials, manipulate logging to evade detection, grant unauthorized access, or execute malicious code.
Discovery
3 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
1 technique
Collection
1 technique
Exfiltration
1 technique
Impact
3 techniques
Shortly after the EDR killer attempt, we observed the following ransomware alert... Ransom note: README_0416f0.txt... The ransomware in this case was RansomHub. We have observed the same sequence of events (EDR Killer -> ransomware) with the following ransomware families...
Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files. LockBit 3.0 can identify and terminate specific services. RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.
Other
1 technique
IOCs tracked for this family
91 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
178 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of the ransomware operations with which hastalamuerte reportedly had prior experience.
A ransomware-as-a-service scheme cited as one of the RaaS ecosystems whose resources were leveraged by the group during its affiliate phase.
Referenced as a ransomware family whose samples were reverse engineered by The Gentlemen developers to extract useful implementation techniques.
Medusa is referenced as a ransomware sample/source used in development of The Gentlemen encryptor.