Clankerusecase
Threat-actor profile

Medusa Group

Medusa Group is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 57 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G1051 (https://attack.mitre.org/groups/G1051)

14 use cases · 0 articles · 57 techniques · 0 IOCs

About this actor (MITRE)

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) [Medusa Group](https://attack.mitre.org/groups/G1051) employs living-o

Known aliases

Medusa Group

Top techniques

All other tracked techniques

T1018 · Remote System Discovery
T1021.001 · Remote Desktop Protocol
T1027.002 · Software Packing
T1027.010 · Command Obfuscation
T1033 · System Owner/User Discovery
T1046 · Network Service Discovery
T1047 · Windows Management Instrumentation
T1057 · Process Discovery
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1069.002 · Domain Groups
T1070.003 · Clear Command History
T1070.004 · File Deletion
T1071.001 · Web Protocols
T1072 · Software Deployment Tools
T1078 · Valid Accounts
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1087.001 · Local Account
T1090.003 · Multi-hop Proxy
T1105 · Ingress Tool Transfer
T1106 · Native API
T1112 · Modify Registry
T1135 · Network Share Discovery
T1136.002 · Domain Account
T1190 · Exploit Public-Facing Application
T1218.014 · MMC
T1219 · Remote Access Tools
T1486 · Data Encrypted for Impact
T1489 · Service Stop
T1490 · Inhibit System Recovery
T1505.003 · Web Shell
T1518.001 · Security Software Discovery
T1529 · System Shutdown/Reboot
T1543.003 · Windows Service
T1548.002 · Bypass User Account Control
T1553.002 · Code Signing
T1559.001 · Component Object Model
T1564.003 · Hidden Window
T1567.002 · Exfiltration to Cloud Storage
T1569.002 · Service Execution
T1570 · Lateral Tool Transfer
T1573.002 · Asymmetric Cryptography
T1583.006 · Web Services
T1585.001 · Social Media Accounts
T1585.002 · Email Accounts
T1588.002 · Tool
T1608.002 · Upload Tool
T1650 · Acquire Access
T1652 · Device Driver Discovery
T1657 · Financial Theft
T1685 · Disable or Modify Tools
T1686 · Disable or Modify System Firewall
T1690 · Prevent Command History Logging

Detection use cases (14)

Medusa Group BYOVD KillAV chain — kernel-driver service install + EDR/AV process termination (gaze.exe / abdullah.exe) [AI · profile S]
Medusa Group rclone / MEGAcmd staged exfiltration to mega.nz before encryption [AI · profile SΣ]
1Password activity from Tor exit node [MITRE match]
1Password impossible-travel sign-in [MITRE match]
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint [MITRE match]
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) [MITRE match]
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution [MITRE match]
Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress [MITRE match]
Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes [MITRE match]
Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access [MITRE match]
Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) [MITRE match]
Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write [MITRE match]