Threat Actor Profile
High APT
Description

Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. (Citation: Security Scorecard Medusa Ransomware January 2024) For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. (Citation: Intel471 Medusa Ransomware May 2025)

Confidence Score
90%
Known Aliases
Medusa Group
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (57)
T1071.001 - Web Protocols (Command and Control)
T1090.003 - Multi-hop Proxy (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1219 - Remote Access Tools (Command and Control)
T1573.002 - Asymmetric Cryptography (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.003 - NTDS (Credential Access)
T1027.002 - Software Packing (Defense Evasion)
T1027.010 - Command Obfuscation (Defense Evasion)
T1070.003 - Clear Command History (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1218.014 - MMC (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1562.003 - Impair Command History Logging (Defense Evasion)
T1562.004 - Disable or Modify System Firewall (Defense Evasion)
T1564.003 - Hidden Window (Defense Evasion)
T1016 - System Network Configuration Discovery (Discovery)
T1018 - Remote System Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1057 - Process Discovery (Discovery)
T1069.002 - Domain Groups (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1087.001 - Local Account (Discovery)
T1135 - Network Share Discovery (Discovery)
T1518.001 - Security Software Discovery (Discovery)
T1652 - Device Driver Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1072 - Software Deployment Tools (Execution)
T1106 - Native API (Execution)
T1559.001 - Component Object Model (Execution)
T1569.002 - Service Execution (Execution)
T1567.002 - Exfiltration to Cloud Storage (Exfiltration)
T1486 - Data Encrypted for Impact (Impact)
T1489 - Service Stop (Impact)
T1490 - Inhibit System Recovery (Impact)
T1529 - System Shutdown/Reboot (Impact)
T1657 - Financial Theft (Impact)
T1190 - Exploit Public-Facing Application (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1570 - Lateral Tool Transfer (Lateral Movement)
T1136.002 - Domain Account (Persistence)
T1505.003 - Web Shell (Persistence)
T1543.003 - Windows Service (Persistence)
T1548.002 - Bypass User Account Control (Privilege Escalation)
T1583.006 - Web Services (Resource Development)
T1585.001 - Social Media Accounts (Resource Development)
T1585.002 - Email Accounts (Resource Development)
T1588.002 - Tool (Resource Development)
T1608.002 - Upload Tool (Resource Development)
T1650 - Acquire Access (Resource Development)
STIX Data
{'aliases': ['Medusa Group'],
 'created': '2025-10-15T18:54:55.000Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Medusa Group](https://attack.mitre.org/groups/G1051) has '
                'been active since at least 2021 and was initially operated as '
                'a closed ransomware group before evolving into a '
                'Ransomware-as-a-Service (RaaS) operation. Some reporting '
                'indicates that certain attacks may still be conducted '
                'directly by the ransomware’s core developers. Public sources '
                'have also referred to the group as “Spearwing” or “Medusa '
                'Actors.” (Citation: CISA Medusa Group Medusa Ransomware March '
                '2025) (Citation: Broadcom Medusa Ransomware Medusa Group '
                'March 2025) [Medusa '
                'Group](https://attack.mitre.org/groups/G1051) employs '
                'living-off-the-land techniques, frequently leveraging '
                'publicly available tools and common remote management '
                'software to conduct operations. The group engages in double '
                'extortion tactics, exfiltrating data prior to encryption and '
                'threatening to publish stolen information if ransom demands '
                'are not met. (Citation: Security Scorecard Medusa Ransomware '
                'January 2024) For initial access, [Medusa '
                'Group](https://attack.mitre.org/groups/G1051) has exploited '
                'publicly known vulnerabilities, conducted phishing campaigns, '
                'and used credentials or access purchased from Initial Access '
                'Brokers (IABs). The group is opportunistic and has targeted a '
                'wide range of sectors globally. (Citation: Intel471 Medusa '
                'Ransomware May 2025)',
 'external_references': [{'external_id': 'G1051',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1051'},
                         {'description': 'Cybersecurity and Infrastructure '
                                         'Security Agency. (2025, March 12). '
                                         'AA25-071A #StopRansomware: Medusa '
                                         'Ransomware. Retrieved October 15, '
                                         '2025.',
                          'source_name': 'CISA Medusa Group Medusa Ransomware '
                                         'March 2025',
                          'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a'},
                         {'description': 'Intel471. (2025, May 14). Threat '
                                         'hunting case study: Medusa '
                                         'ransomware. Retrieved October 15, '
                                         '2025.',
                          'source_name': 'Intel471 Medusa Ransomware May 2025',
                          'url': 'https://www.intel471.com/blog/threat-hunting-case-study-medusa-ransomware'},
                         {'description': 'Threat Hunter Team Symantec and '
                                         'Carbon Black. (2025, March 6). '
                                         'Medusa Ransomware Activity Continues '
                                         'to Increase. Retrieved October 15, '
                                         '2025.',
                          'source_name': 'Broadcom Medusa Ransomware Medusa '
                                         'Group March 2025',
                          'url': 'https://www.security.com/threat-intelligence/medusa-ransomware-attacks'},
                         {'description': 'Vlad Pasca. (2024, January 1). A '
                                         'Deep Dive into Medusa Ransomware. '
                                         'Retrieved October 15, 2025.',
                          'source_name': 'Security Scorecard Medusa Ransomware '
                                         'January 2024',
                          'url': 'https://securityscorecard.com/wp-content/uploads/2024/01/deep-dive-into-medusa-ransomware.pdf'}],
 'id': 'intrusion-set--918da025-04bd-48af-b6c4-f3e4d1b915eb',
 'modified': '2025-10-24T04:01:48.210Z',
 'name': 'Medusa Group',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}