Lazarus Group Caught Running Medusa Ransomware: XOR-Decoded Config Exposes Tor C2, IME-Based Loader, and a 7-Month Intrusion Timeline
TL;DR: Two malware samples from the same Hungarian incident responder link the Lazarus Group (DPRK) to the Medusa ransomware operation. Sample 1 (gaze.exe) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services. Sample 2 (TSMSISrv.dll) is a DLL sideloading loader built on the Windows 8 IME SDK with custom AES S-box tables, dual TLS anti-analysis callbacks, and COM hijacking persistence via the SessionEnv service. The 7-month gap between loader compilation (March 2025) and ransomware compilation (October 2025) maps a patient intrusion chain -- persistent access first, extortion second -- and confirms DPRK operators are now working as Medusa RaaS affiliates.
Why This Matters
Lazarus Group has historically deployed its own ransomware …
IoC
rule Lazarus_TSMSISrv_IME_Loader {
    meta:
        description = "Detects Lazarus IME SDK-based DLL sideloading loader (TSMSISrv.dll)"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        // Leftovers from the Windows 8 IME SDK sample project the loader was built on
        $ime1 = "SampleIME" ascii wide
        $ime2 = "The Sample code of Windows 8 IME" ascii wide
        $ime3 = "SampleIM.dll" ascii wide
        // Exports expected by the SessionEnv service / COM registration path
        $exp1 = "OnSessionChange" ascii
        $exp2 = "StartComponent" ascii
        $exp3 = "StopComponent" ascii
        $exp4 = "DllRegisterServer" ascii
        // RTTI class names carried over from the SDK sample
        $rtti1 = "CSampleIME" ascii
        $rtti2 = "CCompositionProcessorEngine" ascii
    condition:
        // MZ header only. Do not test uint16(0x18) here: that offset is e_lfarlc,
        // which is 0x0040 in every standard PE, so "!= 0x0040" would exclude the
        // very files this rule targets and does not identify .NET assemblies.
        // Every declared string must be referenced, otherwise YARA refuses to compile.
        uint16(0) == 0x5A4D and
        2 of ($ime*) and
        3 of ($exp*) and
        1 of ($rtti*) and
        filesize > 500KB and filesize < 2MB
}
rule Lazarus_Medusa_Campaign_Config {
    meta:
        description = "Detects XOR-encoded Medusa configuration block with Tor onion addresses"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        // "xfv4jzck" (first 8 chars of the first onion address) XOR 0x2E, byte by byte:
        // 78 66 76 34 6A 7A 63 6B ^ 2E = 56 48 58 1A 44 54 4D 45
        $onion1_xor = { 56 48 58 1A 44 54 4D 45 }
        $tox_marker = "AEA72DFCF492037A6D15755A74645C7D" ascii
        $victim_id = "00b4f860f1798b62b3531f1b4e8bb6e0" ascii
    condition:
        uint16(0) == 0x5A4D and
        any of them
}
rule Lazarus_Medusa_Gaze_Ransomware {
    meta:
        description = "Detects Lazarus-deployed Medusa ransomware (gaze.exe) via PDB path and XOR config"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
        reference = "https://intel.breakglass.tech"
    strings:
        $pdb = "G:\\Medusa\\Release\\gaze.pdb" ascii
        $ransom_note = "!!!READ_ME_MEDUSA" ascii wide
        // The XOR key 0x2E is not a usable pattern on its own: a one-byte hex string
        // { 2E } matches any file containing '.', and an unreferenced string fails
        // compilation. The key is covered by $onion1_xor in the config rule above.
        $shadow1 = "vssadmin Delete Shadows" ascii wide nocase
        $shadow2 = "vssadmin resize shadowstorage" ascii wide nocase
        $bcrypt1 = "BCryptImportKeyPair" ascii
        $bcrypt2 = "BCryptGenerateSymmetricKey" ascii
        $bcrypt3 = "BCryptEncrypt" ascii
        $svc1 = "Sophos" ascii wide
        $svc2 = "Veeam" ascii wide
        $svc3 = "McAfee" ascii wide
        $svc4 = "BackupExec" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        ($pdb or $ransom_note) and
        1 of ($shadow*) and
        2 of ($bcrypt*) and
        2 of ($svc*)
}
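The following is an added analyst helper, not code from the report or from Breakglass Intelligence: it XOR-decodes a config block with the single-byte key 0x2E described in the TL;DR, pulls the Tor v3 addresses out of the result, and renders a plaintext-XOR-key prefix as a YARA hex string so the $onion1_xor pattern in the config rule can be re-derived. The sample config is constructed here from two of the report's onion addresses; the real gaze.exe config layout is not assumed.

```python
import re

XOR_KEY = 0x2E  # single-byte key reported for the gaze.exe config block


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


# Tor v3 onion: 56 base32 chars, optionally followed by a 32-hex victim id path
ONION_RE = re.compile(rb"https?://[a-z2-7]{56}\.onion(?:/[0-9a-f]{32})?/?")


def extract_onions(blob: bytes, key: int = XOR_KEY) -> list[str]:
    """Decode an XOR-encoded config blob and return the Tor URLs found in it, in order."""
    decoded = xor_bytes(blob, key)
    return [m.decode() for m in ONION_RE.findall(decoded)]


def yara_hex_pattern(plaintext: str, key: int = XOR_KEY) -> str:
    """Render plaintext XOR key as a YARA hex string, e.g. to build $onion1_xor."""
    return "{ " + " ".join(f"{b ^ key:02X}" for b in plaintext.encode()) + " }"


# Constructed sample: NUL padding plus two addresses from the report, then XOR-encoded.
# The layout is invented for illustration and is not the real Medusa config format.
SAMPLE_CONFIG = xor_bytes(
    b"\x00\x00cfg\x00"
    b"http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/\x00"
    b"http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/"
    b"00b4f860f1798b62b3531f1b4e8bb6e0\x00"
)

if __name__ == "__main__":
    for url in extract_onions(SAMPLE_CONFIG):
        print(url)
    print(yara_hex_pattern("xfv4jzck"))  # hex pattern for the config YARA rule
```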