When Nation-States Become Ransomware Affiliates: Lazarus Group Deploys Medusa via a Custom IME-Based Loader
Published: 2026-03-09 | Author: BGI | Classification: TLP:CLEAR
TL;DR
Two malware samples recovered from the same Hungarian incident -- a Medusa ransomware binary (gaze.exe) and a custom DLL sideloading loader (TSMSISrv.dll) -- provide concrete evidence that the Lazarus Group (DPRK) is operating as an affiliate of the Medusa ransomware-as-a-service program. The loader, built on the Windows 8 IME SDK with custom AES tables and dual TLS anti-analysis callbacks, was compiled seven months before the ransomware, mapping a patient intrusion chain in which Lazarus established persistent SYSTEM-level access first and deployed the extortion payload second. The two samples were compiled with different Visual Studio versions (VS2019 vs VS2022) for different architectures (x86 vs x64), strongly suggesting the ransomware came from the Medusa builder toolkit while the loader was developed in-house. This is not Lazarus building their own ransomware. This is Lazarus …
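The toolchain, architecture and build-gap observations above come from a handful of PE header fields. The Python below is an added example, not Breakglass Intelligence's tooling and not derived from the samples: it reads those fields with only the standard library and compares two images the way the report does. The two images it parses are constructed header-only stand-ins with assumed values: the loader is modelled as x86/VS2019 and the ransomware as x64/VS2022 with builds seven months apart (the TL;DR gives the pairs but not which sample is which), and the timestamps are invented. It also reports e_lfarlc (DOS header offset 0x18), which is 0x40 on ordinary MSVC output, and decides "is this .NET" from the CLR data directory, which is the field that actually answers that question.

```python
"""Header-level PE triage with only the standard library: the fields behind the
report's toolchain (VS2019 vs VS2022), architecture (x86 vs x64) and build-gap
observations. Added example; the images parsed below are CONSTRUCTED stand-ins."""
import struct
from datetime import datetime, timezone

MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR header; non-zero only in .NET images


def linker_to_vs(major, minor):
    """Map the MSVC link.exe version stored in the optional header to a VS release."""
    if major != 14:
        return "unknown"
    if minor < 10:
        return "VS2015"
    if minor < 20:
        return "VS2017"
    if minor < 30:
        return "VS2019"
    return "VS2022"


def parse_pe(data):
    """Return the header fields an analyst pivots on; raises ValueError on a non-PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]  # DOS relocation table offset
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    dd_base = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
    clr_va, clr_size = struct.unpack_from(
        "<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "arch": MACHINE.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc),
        "linker": f"{lnk_major}.{lnk_minor}",
        "toolchain": linker_to_vs(lnk_major, lnk_minor),
        "is_dotnet": clr_va != 0 and clr_size != 0,
        "e_lfarlc": e_lfarlc,  # 0x40 on ordinary MSVC output; NOT a .NET marker
    }


def months_apart(a, b):
    return (b.year - a.year) * 12 + (b.month - a.month)


def compare(loader, ransomware):
    """The provenance signals the report draws on, for two parse_pe() results."""
    return {
        "different_toolchain": loader["toolchain"] != ransomware["toolchain"],
        "different_arch": loader["arch"] != ransomware["arch"],
        "months_between_builds": months_apart(loader["compiled"], ransomware["compiled"]),
    }


def build_sample(machine, compiled, linker_minor, is_dll, dotnet=False):
    """Emit a header-only PE image that parse_pe() accepts (constructed, not loadable)."""
    pe32plus = machine == 0x8664
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<H", dos, 0x18, 0x40)  # e_lfarlc, as MSVC writes it
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers right after the DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, int(compiled.timestamp()), 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, 0x20B if pe32plus else 0x10B, 14, linker_minor)
    if dotnet:  # populate the CLR directory entry so the image reads as managed
        struct.pack_into("<II", opt, (112 if pe32plus else 96) + 8 * 14, 0x2000, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins with ASSUMED values: which sample is x86/VS2019 and which is
# x64/VS2022 is not stated in the report, and these timestamps are invented.
LOADER = build_sample(0x014C, datetime(2025, 6, 1, tzinfo=timezone.utc), 29, is_dll=True)
RANSOMWARE = build_sample(0x8664, datetime(2026, 1, 1, tzinfo=timezone.utc), 38, is_dll=False)
DOTNET_STUB = build_sample(0x8664, datetime(2025, 1, 1, tzinfo=timezone.utc), 35, is_dll=False, dotnet=True)

if __name__ == "__main__":
    loader, ransomware = parse_pe(LOADER), parse_pe(RANSOMWARE)
    for name, info in (("TSMSISrv.dll", loader), ("gaze.exe", ransomware)):
        print(f"{name:13} {info['arch']:4} link {info['linker']} ({info['toolchain']}) "
              f"built {info['compiled']:%Y-%m-%d} dll={info['is_dll']} dotnet={info['is_dotnet']}")
    print(compare(loader, ransomware))
```

To run it against real files, replace the constants with the bytes of the files on disk. Treat the compile timestamp as corroboration of the linker version rather than ground truth on its own: it is a plain field in the COFF header and can be set to anything at link time, whereas the linker version and machine type are harder to fake without also changing the toolchain.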
IoC

Tor (.onion) infrastructure (each host listed once):
http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion/
http://7aqabivkwmpvjkyefonf3gpy5gsubopqni7kcirsrq3pflckxq5zz4id.onion/
http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/00b4f860f1798b62b3531f1b4e8bb6e0 (the path is the victim ID listed below)

Sample hashes:
SHA256 aeebcd8c8b15645d7e71b68ac05e21e9a4c94f832c64044725d870b87b9573c7 (TSMSISrv.dll, IME-based loader; rule Lazarus_TSMSISrv_IME_Loader)
SHA256 15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10 (gaze.exe, Medusa ransomware; rule Lazarus_Medusa_Gaze_Ransomware)
SHA1 28978e987bc59e75ca22562924eab93355cf679e
SHA1 53948d9596ebab5c4cf2ac04e7fb70c429e0cbbf
MD5 447557d5236f1b97be0314b317ca9fff
MD5 82a8292007e682f1a127ba8dcebfae96
MD5 60aaafce354ae5e0b8115729464a8b24
MD5 3be2401da21dfed104c9aa52bb620344
MD5 655221b6bcad7b5b0b9766142cbc257a
MD5 c8040dd3ff2f4afd042efd4ebe1a43c6
The SHA1 and MD5 values are not mapped to a specific sample on this page; pivot on the SHA256 values where you can.

Campaign identifiers (matched by rule Lazarus_Medusa_Campaign_XOR_Config):
AEA72DFCF492037A6D15755A74645C7D (Tox marker)
00b4f860f1798b62b3531f1b4e8bb6e0 (victim ID)

Not indicators, retained only because they were in the extracted list:
1.0.0.1 (Cloudflare's public DNS resolver; even if a sample touches it for a connectivity check, it is not something to block)
https://intel.breakglass.tech (the publisher's own site, the reference URL in the rules)
YARA rules

rule Lazarus_Medusa_Campaign_XOR_Config {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "Detects XOR-encoded Medusa configuration block with known Tor onion patterns and campaign identifiers"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        // Published as "xfv4jzck" XOR 0x2E. Only byte 0 (0x56) is consistent with that key:
        // "xfv4jzck" ^ 0x2E is 56 48 58 1A 44 54 4D 45, so either the key or the bytes are
        // wrong. Bytes kept as published; verify against the sample before deploying.
        $onion1_xor = { 56 42 5A 4E 66 4A 44 5B }
        // Both markers are specific to this incident's build, so this rule finds this
        // campaign's configuration, not Medusa in general.
        $tox_marker = "AEA72DFCF492037A6D15755A74645C7D" ascii
        $victim_id = "00b4f860f1798b62b3531f1b4e8bb6e0" ascii
    condition:
        uint16(0) == 0x5A4D and
        any of them
}

import "pe"

rule Lazarus_TSMSISrv_IME_Loader {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "Detects Lazarus IME SDK-based DLL sideloading loader via IME version strings, expected exports, and RTTI class names"
        hash = "aeebcd8c8b15645d7e71b68ac05e21e9a4c94f832c64044725d870b87b9573c7"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        $ime1 = "SampleIME" ascii wide
        $ime2 = "The Sample code of Windows 8 IME" ascii wide
        $ime3 = "SampleIM.dll" ascii wide
        $exp1 = "OnSessionChange" ascii
        $exp2 = "StartComponent" ascii
        $exp3 = "StopComponent" ascii
        $exp4 = "DllRegisterServer" ascii
        $rtti1 = "CSampleIME" ascii
        $rtti2 = "CCompositionProcessorEngine" ascii
        // The published rule also declared $msft = "MSFT" but never used it; an
        // unreferenced string is a YARA compile error, so it is dropped here.
    condition:
        uint16(0) == 0x5A4D and
        pe.is_dll() and
        // Exclude .NET images via the CLR header data directory. The published rule used
        // uint16(0x18) != 0x0040, but offset 0x18 is e_lfarlc in the DOS header, which is
        // 0x40 on ordinary MSVC-linked PEs; that condition excluded the sample itself.
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].virtual_address == 0 and
        2 of ($ime*) and
        3 of ($exp*) and
        1 of ($rtti*) and
        filesize > 500KB and filesize < 2MB
}

rule Lazarus_Medusa_Gaze_Ransomware {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "Detects Lazarus-deployed Medusa ransomware (gaze.exe) via PDB path, ransom note name, shadow copy deletion commands, BCrypt imports and targeted security/backup product names"
        hash = "15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
        reference = "https://intel.breakglass.tech"
    strings:
        // $pdb is the sample-specific anchor; the remaining strings are common to many
        // ransomware families and only add confidence once $pdb or $ransom_note has hit.
        $pdb = "G:\\Medusa\\Release\\gaze.pdb" ascii
        $ransom_note = "!!!READ_ME_MEDUSA" ascii wide
        $shadow1 = "vssadmin Delete Shadows" ascii wide nocase
        $shadow2 = "vssadmin resize shadowstorage" ascii wide nocase
        $bcrypt1 = "BCryptImportKeyPair" ascii
        $bcrypt2 = "BCryptGenerateSymmetricKey" ascii
        $bcrypt3 = "BCryptEncrypt" ascii
        $svc1 = "Sophos" ascii wide
        $svc2 = "Veeam" ascii wide
        $svc3 = "McAfee" ascii wide
        $svc4 = "BackupExec" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        ($pdb or $ransom_note) and
        1 of ($shadow*) and
        2 of ($bcrypt*) and
        2 of ($svc*)
}