Threat Actor Profile
Medium
Cybercriminal
Description
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'Medusa is a DDoS bot written in .NET 2.0. In its current '
                'incarnation its C&C protocol is based on HTTP, while its '
                'predecessor made use of IRC.\n',
 'firstseen': '2021-11-03T01:27:43+00:00',
 'group': 'medusalocker',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2025-11-17T23:12:26+00:00',
 'locations': [{'available': False,
                'fqdn': 'z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion',
                'slug': 'http://z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion',
                'title': 'Ransomware blog – We will not give ourselves a name. '
                         'Just watch out for the leakage of your data:)',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion',
                'slug': 'https://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion',
                'title': '',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion',
                'slug': 'http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/',
                'title': 'Human Verify',
                'type': 'DLS'},
               {'available': False,
                'fqdn': '95.143.191.148:3000',
                'slug': 'http://95.143.191.148:3000/',
                'title': 'Medusa Chat',
                'type': 'Chat'}],
 'negotiation_count': 0,
 'ransomnotes_count': 1,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': 'z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion',
                                    'slug': 'http://z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion',
                                    'title': 'Ransomware blog – We will not '
                                             'give ourselves a name. Just '
                                             'watch out for the leakage of '
                                             'your data:)',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion',
                                    'slug': 'https://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion',
                                    'title': '',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion',
                                    'slug': 'http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/',
                                    'title': 'Human Verify',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': '95.143.191.148:3000',
                                    'slug': 'http://95.143.191.148:3000/',
                                    'title': 'Medusa Chat',
                                    'type': 'Chat'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 1,
                     'ransomware_live_group': 'medusalocker',
                     'tools': {'CredentialTheft': ['Invoke-TheHash',
                                                   'Mimikatz'],
                               'DefenseEvasion': ['HRSword',
                                                  'PCHunter',
                                                  'ProcessHacker'],
                               'DiscoveryEnum': ['Advanced IP Scanner',
                                                 'Advanced Port Scanner',
                                                 'SoftPerfect NetScan'],
                               'Exfiltration': [],
                               'LOLBAS': ['PsExec'],
                               'Networking': [],
                               'Offsec': ['Impacket'],
                               'RMM-Tools': ['Remote Desktop Plus (RDP+)']},
                     'url': 'https://www.ransomware.live/group/medusalocker',
                     'victims': 51,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': ['Invoke-TheHash', 'Mimikatz'],
           'DefenseEvasion': ['HRSword', 'PCHunter', 'ProcessHacker'],
           'DiscoveryEnum': ['Advanced IP Scanner',
                             'Advanced Port Scanner',
                             'SoftPerfect NetScan'],
           'Exfiltration': [],
           'LOLBAS': ['PsExec'],
           'Networking': [],
           'Offsec': ['Impacket'],
           'RMM-Tools': ['Remote Desktop Plus (RDP+)']},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/medusalocker',
 'victims': 51,
 'vulnerabilities': []}