Home/ Threat Actors/ Medusa

🌐Medusa

🌐 Medusa is a tracked threat actor in the Clankerusecase corpus. Attributed to ??. Primary motivation: Criminal. We map 14 detection use cases to this actor across 35 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2026-02-12 to 2026-03-19.

crit 2

View full actor card → All threat actors

14Use cases

2Articles

35Techniques

0IOCs

Known aliases

Medusa ransomwareMedusaLocker

Top techniques

T1190 · Exploit Public-Facing Application T1204.002 · Malicious File T1486 · Data Encrypted for Impact

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1014 · Rootkit T1021.002 · SMB/Windows Admin Shares T1027 · Obfuscated Files or Information T1027.002 · Software Packing T1027.005 · Indicator Removal from Tools T1027.009 · Embedded Payloads T1037.001 · Logon Script (Windows)T1055 · Process Injection T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1068 · Exploitation for Privilege Escalation T1070.004 · File Deletion T1140 · Deobfuscate/Decode Files or Information T1195.002 · Compromise Software Supply Chain T1204.001 · Malicious Link T1204.004 · Malicious Copy and Paste T1218 · System Binary Proxy Execution T1219 · Remote Access Tools T1489 · Service Stop T1490 · Inhibit System Recovery T1543.003 · Windows Service T1562.001 · T1562.001 T1562.004 · T1562.004 T1562.006 · T1562.006 T1562.009 · T1562.009 T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1569.002 · Service Execution

Detection use cases (14)

Medusa ransomware BYOVD driver drop (smol.sys/smuol.sys) chained with Defender tampering AI · profile S Medusa pre-encryption cascade: bcdedit/vssadmin recovery sabotage + .medusa or !!!READ_ME_MEDUSA!!! drop AI · profile SΣ BYOVD: Genshin Impact mhyprot.sys driver dropped/loaded outside legitimate game install (Embargo evil-mhyprot-cli) Bespoke EDRSilencer-style WFP filter blocking outbound traffic from named EDR binaries Bespoke EDR-Freeze: WerFaultSecure.exe abused to suspend AV/EDR processes via MiniDumpWriteDump race Bespoke Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal PowerShell encoded / obfuscated command Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal Article-specific behavioural hunt — EDR killers explained: Beyond the drivers Internal

Threat-intel articles (2)

crit EDR killers explained: Beyond the drivers · 2026-03-19

crit Naming and shaming: How ransomware groups tighten the screws on victims · 2026-02-12