Threat Actor Profile
Critical
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
2023-01-11T15:05:52Z (per 'firstseen' in the ransomware.live STIX data below)
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (19)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '[redacted: ransomware.live API client identity (an e-mail address) was echoed into this public page and should not be rendered]',
'description': None,
'firstseen': '2023-01-11T15:05:52.348863+00:00',
'group': 'medusa',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2026-02-13T07:04:35+00:00',
'locations': [{'available': False,
'fqdn': 'dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onion',
'slug': 'http://dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onion',
'title': '503 Service Temporarily Unavailable',
'type': 'DLS'},
{'available': False,
'fqdn': 'kyfiw76eol6ph2mq7pi5e5tdvce37bicddhai62qhdc5ja6jdchz4qqd.onion',
'slug': 'http://kyfiw76eol6ph2mq7pi5e5tdvce37bicddhai62qhdc5ja6jdchz4qqd.onion',
'title': 'Human Verify',
'type': 'DLS'},
{'available': False,
'fqdn': 'cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion',
'slug': 'http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion',
'title': 'Human Verify',
'type': 'DLS'},
{'available': False,
'fqdn': 'medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion',
'slug': 'http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion',
'title': 'Medusa Chat',
'type': 'Chat'},
{'available': True,
'fqdn': 'xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion',
'slug': 'http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion',
'title': 'Human Verify',
'type': 'DLS'},
{'available': False,
'fqdn': 'hupxs7ps7md24kpz4lwsbra64abgxjx3pcc2wuca5ibawf2g5hlpfyqd.onion',
'slug': 'http://hupxs7ps7md24kpz4lwsbra64abgxjx3pcc2wuca5ibawf2g5hlpfyqd.onion',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': '45.9.148.39',
'slug': 'http://45.9.148.39:8001',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion',
'slug': 'http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/',
'title': 'Human Verify',
'type': 'DLS'},
{'available': False,
'fqdn': 's7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion',
'slug': 'http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion',
'title': 'Human Verify',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 2,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onion',
'slug': 'http://dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onion',
'title': '503 Service Temporarily '
'Unavailable',
'type': 'DLS'},
{'available': False,
'fqdn': 'kyfiw76eol6ph2mq7pi5e5tdvce37bicddhai62qhdc5ja6jdchz4qqd.onion',
'slug': 'http://kyfiw76eol6ph2mq7pi5e5tdvce37bicddhai62qhdc5ja6jdchz4qqd.onion',
'title': 'Human Verify',
'type': 'DLS'},
{'available': False,
'fqdn': 'cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion',
'slug': 'http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion',
'title': 'Human Verify',
'type': 'DLS'},
{'available': False,
'fqdn': 'medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion',
'slug': 'http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion',
'title': 'Medusa Chat',
'type': 'Chat'},
{'available': True,
'fqdn': 'xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion',
'slug': 'http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion',
'title': 'Human Verify',
'type': 'DLS'},
{'available': False,
'fqdn': 'hupxs7ps7md24kpz4lwsbra64abgxjx3pcc2wuca5ibawf2g5hlpfyqd.onion',
'slug': 'http://hupxs7ps7md24kpz4lwsbra64abgxjx3pcc2wuca5ibawf2g5hlpfyqd.onion',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': '45.9.148.39',
'slug': 'http://45.9.148.39:8001',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion',
'slug': 'http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/',
'title': 'Human Verify',
'type': 'DLS'},
{'available': False,
'fqdn': 's7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion',
'slug': 'http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion',
'title': 'Human Verify',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 2,
'ransomware_live_group': 'medusa',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': ['EDRSandBlast',
'KillAV',
'ThrottleStop driver'],
'DiscoveryEnum': ['Advanced IP Scanner',
'Navicat',
'PDQ Inventory',
'RoboCopy',
'SoftPerfect NetScan'],
'Exfiltration': ['RClone'],
'LOLBAS': ['BITSAdmin',
'Process Explorer',
'PsExec'],
'Networking': ['Cloudflared',
'FRP',
'Ligolo',
'PuTTY',
'RevSocks'],
'Offsec': [],
'RMM-Tools': ['AnyDesk',
'Atera',
'eHorus',
'HCL BigFix',
'N-Able',
'PDQ Deploy',
'ScreenConnect',
'SimpleHelp',
'Splashtop']},
'url': 'https://www.ransomware.live/group/medusa',
'victims': 517,
'vulnerabilities': [{'CVE': 'CVE-2024-57727',
'CVSS': 7.5,
'Product': 'SimpleHelp RMM',
'Vendor': 'SimpleHelp',
'severity': 'HIGH'}]},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': ['EDRSandBlast', 'KillAV', 'ThrottleStop driver'],
'DiscoveryEnum': ['Advanced IP Scanner',
'Navicat',
'PDQ Inventory',
'RoboCopy',
'SoftPerfect NetScan'],
'Exfiltration': ['RClone'],
'LOLBAS': ['BITSAdmin', 'Process Explorer', 'PsExec'],
'Networking': ['Cloudflared', 'FRP', 'Ligolo', 'PuTTY', 'RevSocks'],
'Offsec': [],
'RMM-Tools': ['AnyDesk',
'Atera',
'eHorus',
'HCL BigFix',
'N-Able',
'PDQ Deploy',
'ScreenConnect',
'SimpleHelp',
'Splashtop']},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Initial access through brute '
'force or compromised '
'credentials of legitimate RDP '
'accounts.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'},
{'technique_details': 'Initial access through '
'phishing email attachments.',
'technique_id': 'T1566',
'technique_name': 'Phishing'},
{'technique_details': "Accesses the victim's network "
'via an RDP service.',
'technique_id': 'T1133',
'technique_name': 'External Remote Services'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Uses a series of Windows '
'commands, such as bcdedit.exe '
'and vssadmin.',
'technique_id': 'T1059',
'technique_name': 'Command and Scripting '
'Interpreter'},
{'technique_details': 'Uses the Windows Management '
'Instrumentation command-line (WMIC), '
'for example to delete shadow copies.',
'technique_id': 'T1047',
'technique_name': 'Windows Management '
'Instrumentation'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Employs Windows Management '
'Instrumentation (WMIC) '
'command-line to delete shadow '
'copies.',
'technique_id': 'T1562',
'technique_name': 'Impair Defenses'},
{'technique_details': 'Terminates services or '
'processes related to '
'antivirus/security tools.',
'technique_id': 'T1562.001',
'technique_name': 'Disable or Modify Tools'},
{'technique_details': 'Abuses Safe Mode to evade '
'endpoint detection.',
'technique_id': 'T1562.009',
'technique_name': 'Safe Mode Boot'}]},
{'tactic_id': 'TA0006',
'tactic_name': 'Credential Access',
'techniques': [{'technique_details': 'Uses brute force on local RDP '
'account passwords.',
'technique_id': 'T1110',
'technique_name': 'Brute Force'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Queries specified files, '
'folders, and file extensions.',
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'},
{'technique_details': 'Enumerates network shares.',
'technique_id': 'T1135',
'technique_name': 'Network Share Discovery'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'Uses remote services for '
'login and lateral movement '
'via RDP and SMB.',
'technique_id': 'T1021',
'technique_name': 'Remote Services'}]},
{'tactic_id': 'TA0011',
'tactic_name': 'Command and Control',
'techniques': [{'technique_details': 'Uses certutil to download '
'malicious files.',
'technique_id': 'T1105',
'technique_name': 'Ingress Tool Transfer'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Transfers data to '
'attacker-controlled servers '
'via an existing '
'command-and-control (C2) '
'channel.',
'technique_id': 'T1041',
'technique_name': 'Exfiltration Over C2 Channel'},
{'technique_details': 'Exfiltrates data using web '
'services like cloud services '
'(e.g., Google Drive, Dropbox, '
'etc.).',
'technique_id': 'T1567',
'technique_name': 'Exfiltration Over Web Service'},
{'technique_details': 'Exfiltrates data using '
'alternative protocols, such '
'as FTP/SFTP, to avoid '
'detection by traditional '
'methods.',
'technique_id': 'T1048',
'technique_name': 'Exfiltration Over Alternative '
'Protocol'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Deletes shadow copies and '
'disables the Windows System '
'Restore feature.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'},
{'technique_details': 'Terminates processes and '
'services related to database '
'servers, email servers, and '
'backups.',
'technique_id': 'T1489',
'technique_name': 'Service Stop'},
{'technique_details': 'Uses the AES-256 algorithm to '
'encrypt files on the '
'computer.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]}],
'url': 'https://www.ransomware.live/group/medusa',
'victims': 517,
'vulnerabilities': [{'CVE': 'CVE-2024-57727',
'CVSS': 7.5,
'Product': 'SimpleHelp RMM',
'Vendor': 'SimpleHelp',
'severity': 'HIGH'}]}