Severity: Critical | Category: APT

Lazarus Group Caught Running Medusa Ransomware: XOR-Decoded Config Exposes Tor C2, IME-Based Loader, and a 7-Month Intrusion Timeline

Published: March 12, 2026
Threat Actors: APT38, APT45
Tags: apt, dll-sideloading, c2, ransomware, supply-chain

TL;DR: Two malware samples from the same Hungarian incident responder link the Lazarus Group (DPRK) to the Medusa ransomware operation. Sample 1 (gaze.exe) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services. Sample 2 (TSMSISrv.dll) is a DLL sideloading loader built on the Windows 8 IME SDK with custom AES S-box tables, dual TLS anti-analysis callbacks, and COM hijacking persistence via the SessionEnv service. The 7-month gap between loader compilation (March 2025) and ransomware compilation (October 2025) maps a patient intrusion chain -- persistent access first, extortion second -- and confirms DPRK operators are now working as Medusa RaaS affiliates.


Why This Matters

Lazarus Group has historically deployed its own ransomware families -- Maui, H0lyGh0st, and WannaCry. This investigation provides the first concrete evidence of Lazarus operating as an affiliate of the Medusa ransomware-as-a-service program, a commercially operated extortion platform attributed to the cybercrime group "Spearwing." The PDB path G:\Medusa\Release\gaze.pdb embedded in the ransomware binary confirms it was compiled from a Medusa builder toolkit, not developed in-house. North Korea's cyber operations have officially entered the affiliate economy.

The two samples were submitted to MalwareBazaar within two weeks of each other by the same researcher (smica83, Hungary), strongly indicating they were recovered from the same compromised network. Together they reveal a complete intrusion chain: initial access and persistence via DLL sideloading, followed by ransomware deployment months later for financial extortion.

The Attack Chain

INITIAL ACCESS           PERSISTENCE              EXECUTION                 IMPACT
     |                       |                        |                       |
  Spearphish/           TSMSISrv.dll            TLS Callbacks           gaze.exe
  Supply Chain ---->  DLL Sideloading ---->    AES Decrypt C2 ---->   Medusa Ransomware
     |              (SessionEnv svc)         Beacon/Download          |
     |                   |                        |               Kill 50+ services
     |              COM Hijack               Payload staging      Delete shadow copies
     |              (DllGetClassObject)           |               Encrypt 10,000+ files
     |                   |                        |               Drop !!!READ_ME_MEDUSA
     |              Registry keys            Download gaze.exe    Tor negotiation

The compilation timestamps tell the story. The loader was built in March 2025; the ransomware was built in October 2025. That is a 7-month dwell time between establishing persistent access and pulling the trigger on encryption -- a tempo consistent with Lazarus's documented patience in high-value intrusions.

Sample 1: gaze.exe -- Medusa Ransomware

Property       Value
SHA-256        15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10
MD5            60aaafce354ae5e0b8115729464a8b24
Size           638,976 bytes
Architecture   x86 (32-bit)
Compiler       MSVC (VS2019 v16.7+, linker 14.27)
Compiled       2025-10-17 13:48:31 UTC
PDB Path       G:\Medusa\Release\gaze.pdb
Entropy        6.6986
Imphash        82a8292007e682f1a127ba8dcebfae96
Detection      ClamAV Win.Ransomware.Medusa-10025438-0, Kaspersky Trojan-Ransom.Win64.Agent.sb

XOR-Encoded Configuration (Key: 0x2E)

The entire operational configuration lives at file offset 0x87600-0x89C00, XOR-encoded with the single-byte key 0x2E. Decoding reveals:

  1. Ransom note text -- the full Medusa extortion message threatening publication on Telegram, Facebook, Twitter, and "top news websites"
  2. Four Tor .onion addresses -- three blog mirrors and one victim-specific negotiation endpoint
  3. Tox Chat ID -- alternative communication channel for the victim
  4. RSA-2048 public key -- embedded in PEM format, used to wrap per-file AES keys
  5. Service kill list -- 50+ Windows services to stop before encryption
  6. Shadow copy commands -- vssadmin Delete Shadows /all /quiet
  7. Network drive flag -- :use networkdrive (encrypts mapped shares)
  8. PowerShell execution -- powershell -executionpolicy bypass -File %s
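A decoder for this kind of single-byte XOR config block, added here as an example and not the report's own tooling: it recovers the key by brute force against a known plaintext marker (the ransom-note string), decodes a byte range, classifies the strings that fall out, and renders the XOR-encoded form of a plaintext as a YARA hex pattern (the form used in the detection rules later in this report). The image it runs on is a constructed stand-in, not bytes from gaze.exe; the demo offset, the demo onion address and the marker list are assumptions.

```python
"""Single-byte XOR config extraction (added example, not the report's own tooling)."""
import re
from typing import Optional

# Plaintext fragments a Medusa config is expected to contain once decoded (assumption).
KNOWN_MARKERS = (b"!!!READ_ME_MEDUSA", b"onion/", b"vssadmin")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; encode and decode are the same operation."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, marker: bytes = b"!!!READ_ME_MEDUSA") -> Optional[int]:
    """Brute-force the key: the one value that makes `marker` appear in the decoded blob."""
    for key in range(256):
        if marker in xor_bytes(blob, key):
            return key
    return None


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs of at least min_len bytes, the usual first look at a decoded block."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decode_config(image: bytes, start: int, end: int, key: int) -> dict:
    """Decode image[start:end] with `key` and bucket the recovered strings."""
    strings = extract_strings(xor_bytes(image[start:end], key))
    return {
        "onions": [s for s in strings if "onion/" in s],
        "commands": [s for s in strings
                     if s.startswith(("vssadmin", "powershell", "net stop", "taskkill"))],
        "ransom_note": any("READ_ME_MEDUSA" in s for s in strings),
        "strings": strings,
    }


def yara_hex_pattern(plaintext: str, key: int) -> str:
    """XOR-encoded form of `plaintext` as a YARA hex string, e.g. '{ 56 48 ... }'."""
    return "{ " + " ".join(f"{b:02X}" for b in xor_bytes(plaintext.encode(), key)) + " }"


# --- constructed demo image: MZ stub, padding, then a tiny XOR(0x2E)-encoded config ---
DEMO_KEY = 0x2E
DEMO_CONFIG = (
    b"!!!READ_ME_MEDUSA\x00"
    b"hxxp://demo-leak-blog-placeholder[.]onion/\x00"   # constructed, not a real address
    b"vssadmin Delete Shadows /all /quiet\x00"
    b"powershell -executionpolicy bypass -File %s\x00"
)
DEMO_OFFSET = 0x100   # assumption for the demo; the real sample's block sits at 0x87600
DEMO_IMAGE = b"MZ" + b"\x90" * (DEMO_OFFSET - 2) + xor_bytes(DEMO_CONFIG, DEMO_KEY) + b"\x00" * 64


if __name__ == "__main__":
    key = recover_key(DEMO_IMAGE[DEMO_OFFSET:])
    print(f"recovered key: 0x{key:02X}")
    cfg = decode_config(DEMO_IMAGE, DEMO_OFFSET, DEMO_OFFSET + len(DEMO_CONFIG), key)
    for s in cfg["strings"]:
        print("  ", s)
    print("YARA pattern for 'xfv4jzck' under 0x2E:", yara_hex_pattern("xfv4jzck", DEMO_KEY))
```

Against the real binary you would pass the file bytes, the 0x87600-0x89C00 range from the report and key 0x2E to decode_config; recover_key is for the case where the key is not yet known. yara_hex_pattern is the safe way to produce on-disk hex patterns for XOR-encoded markers, since hand-computing the bytes is error-prone.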

Encryption Scheme

The ransomware uses a standard hybrid encryption model implemented through the Windows BCrypt API:

  • BCryptImportKeyPair -- imports the embedded RSA-2048 public key
  • BCryptGenerateSymmetricKey -- generates a unique AES key per file
  • BCryptEncrypt -- encrypts file contents with AES
  • The AES key is then RSA-wrapped and appended to the encrypted file

Without the operator's RSA private key, decryption is mathematically infeasible.

Service and Process Kill Lists

Before encrypting a single file, the ransomware systematically dismantles the victim's defenses and backup infrastructure:

# Security products killed
Sophos MCS Client       Sophos File Scanner      Sophos AutoUpdate
Sophos Safestore        Sophos Health             Sophos Web Control
McAfeeFramework         McAfeeEngineService       EPSecurityService
SepMasterService        Symantec System           TrueKeyService

# Backup services killed
VeeamCatalogSvc         VeeamHvIntegration        VeeamTransportSvc
VeeamEnterprise         Veeam Backup Catalog      BackupExecVSSPro
BackupExecJobEngine     BackupExecManage          BackupExecDevice
BackupExecRPCService    BackupExecAgent           Acronis VSS Provider

# Database services killed
SQLAgent$ECWDB2         MSSQLFDLauncher           MSSQL$VEEAMSQL20
MSSQL$SHAREPOINT        MSSQL$SQLEXPRESS          MSSQL$PRACTTICEBG
MSSQLServerADHelper     MSSQLServerOLAPS          OracleClientCache

Sandbox analysis (Triage, CAPE, ANY.RUN) confirmed:

  • 10,129+ files renamed with the Medusa extension
  • Active Setup persistence via Boot/Logon Autostart registry keys
  • Browser credential store access (Chrome, Firefox)
  • Windows Credential Manager access
  • Network share enumeration and encryption
  • ping localhost used as a timing/anti-sandbox technique

Decoded Tor Infrastructure

Medusa leak blog:         hxxp://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd[.]onion/
Leak blog mirror:         hxxp://7aqabivkwmpvjkyefonf3gpy5gsubopqni7kcirsrq3pflckxq5zz4id[.]onion/
Leak blog mirror:         hxxp://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad[.]onion/
Victim negotiation chat:  hxxp://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd[.]onion/00b4f860f1798b62b3531f1b4e8bb6e0

The victim-specific endpoint embeds the unique identifier 00b4f860f1798b62b3531f1b4e8bb6e0, confirming this build was compiled for a specific target. The Tox Chat ID (AEA72DFCF492037A6D15755A74645C7D8E674E342BACA9F9070A3FB74117EC3143FD6E29BEAC) provides an alternative negotiation channel.

Sample 2: TSMSISrv.dll -- Lazarus IME-Based Loader

Property       Value
SHA-256        aeebcd8c8b15645d7e71b68ac05e21e9a4c94f832c64044725d870b87b9573c7
MD5            447557d5236f1b97be0314b317ca9fff
Size           828,416 bytes
Architecture   x64 (64-bit)
Compiler       MSVC (VS2022 v17.3+, linker 14.33)
Compiled       2025-03-20 18:42:02 UTC
PDB Path       None (stripped)
Entropy        5.8867
Imphash        655221b6bcad7b5b0b9766142cbc257a
Detection      Kaspersky Trojan.Win64.Lazarus.ey, ReversingLabs Win64.Trojan.Lazarus

The Sideloading Vector

The DLL replaces TSMSISrv.dll (Terminal Services MSI Server), a legitimate Windows system component loaded by svchost.exe via the SessionEnv service (Terminal Services Session Configuration). Since SessionEnv starts automatically at boot and loads the DLL as SYSTEM, replacing it provides persistent, privileged code execution that survives reboots without touching the registry run keys that EDR products monitor.

IME SDK Camouflage

The binary is built on top of the Windows 8 IME SDK sample ("SampleIME -- Simplified Chinese QuanPin Input Method"). The version info is a direct copy:

CompanyName:      MSFT
FileDescription:  The Sample code of Windows 8 IME
FileVersion:      1.0.0.1
InternalName:     SampleIM.dll
OriginalFilename: SampleIM.dll
ProductName:      SampleIME

RTTI class names confirm the IME codebase: CSampleIME, CBaseDictionaryEngine, CCompositionProcessorEngine, CKeyStateComposing, CTipCandidateList. The operator embedded their malicious payload inside a fully functional input method editor, which serves dual purposes: it provides a large volume of benign code to dilute static analysis signatures, and the IME's COM registration mechanism provides a natural vehicle for persistence.

Export Table: Real Code vs. Stub Decoys

Export               Ordinal  Analysis
DllCanUnloadNow      1        Real -- checks COM reference count
DllGetClassObject    2        Payload entry -- COM class factory
DllRegisterServer    3        Payload trigger -- calls 3 internal functions
DllUnregisterServer  4        Cleanup chain
OnSessionChange      5        Stub -- returns immediately (ret)
Refresh              6        Stub -- returns immediately
StartComponent       7        Stub -- returns immediately
StopComponent        8        Initialization code

The stub exports exist solely to satisfy the export table expected by the legitimate DLL loading mechanism. The real malicious functionality lives in the COM lifecycle exports -- DllGetClassObject (executed when any COM client requests the hijacked CLSID) and DllRegisterServer (executed during installation to establish persistence).

Dual TLS Anti-Analysis Callbacks

Two TLS callbacks execute before DllMain, so they run before a debugger's default entry-point breakpoint has a chance to fire:

  • Callback 0 (RVA 0x20a70): Checks flags in the TEB/PEB, likely detecting debugger attachment or sandbox indicators
  • Callback 1 (RVA 0x208e0): Complex initialization that accesses PEB structures and performs conditional operations based on process state

TLS callbacks are a documented Lazarus evasion technique observed across multiple tool families including SIGNBT and LightlessCan.

Custom AES Implementation

AES lookup tables occupy file offset 0x72000-0x74000 (8,192 bytes) and back a complete custom AES implementation that bypasses Windows CryptoAPI and BCrypt entirely. This is consistent with Lazarus Group's well-documented preference for rolling their own cryptography in C2 communication rather than relying on OS APIs that can be hooked for inspection.

The tables include forward S-box, inverse S-box, round constants, and pre-computed MixColumns lookup tables -- everything needed for standalone AES encrypt/decrypt operations against embedded C2 configuration and runtime communications.

COM Hijacking Persistence

The DLL registers itself as a COM in-process server using CLSID\%s\InProcServer32 registry paths with ThreadingModel set to Apartment. Once registered via DllRegisterServer, any COM client requesting the hijacked CLSID will load the malicious DLL -- providing persistence that blends with normal Windows COM operations.

Two Build Environments, One Campaign

The two samples were compiled with different toolchains on different architectures:

Attribute      gaze.exe (Ransomware)                   TSMSISrv.dll (Loader)
Architecture   x86 (32-bit)                            x64 (64-bit)
Compiler       VS2019 v16.7+                           VS2022 v17.3+
Compiled       2025-10-17                              2025-03-20
PDB            Retained (G:\Medusa\Release\gaze.pdb)   Stripped
Entropy        6.70 (higher)                           5.89 (lower)
Crypto         BCrypt API (Windows native)             Custom AES (S-box tables)

The differences suggest either separate developer teams within the Lazarus organization or, more likely, that the ransomware was produced by the Medusa builder toolkit (explaining the VS2019/x86 profile and retained PDB path) while the loader was developed in-house by Lazarus operators (VS2022/x64, stripped PDB, custom crypto). This is exactly the pattern you would expect from a RaaS affiliate model: the operator brings their own access tools, and the ransomware comes from the service provider.

Attribution Assessment

Confidence: HIGH -- Lazarus Group (DPRK), likely Andariel (APT45) or BlueNoroff sub-group.

The attribution chain:

  1. Kaspersky signature: Trojan.Win64.Lazarus.ey -- Kaspersky's Lazarus-specific detection family
  2. ReversingLabs signature: Win64.Trojan.Lazarus -- independent corroboration
  3. DLL sideloading via Windows service: consistent with SIGNBT, LightlessCan, and COPPERHEDGE
  4. Custom AES implementation: a Lazarus hallmark across multiple tool families
  5. IME SDK code base: using legitimate SDK samples as trojan shells is a documented Lazarus technique
  6. TLS callback anti-analysis: standard Lazarus evasion across their toolkit
  7. Months-long dwell time: March-to-October gap matches Lazarus patient intrusion methodology
  8. Reporter history: smica83 has a track record of APT sample submissions, including Korean-language Lazarus .scr files

OPSEC Failures

The operators left several forensic artifacts intact:

  • PDB path: G:\Medusa\Release\gaze.pdb reveals the project name, build configuration, and drive letter
  • Compilation timestamps: Both samples have plausible, unmodified timestamps
  • Rich headers: Build environment fingerprints not stripped from either sample
  • Version info: TSMSISrv.dll retains the unmodified Windows 8 IME SDK version strings
  • Same reporter: Both samples submitted by one researcher within two weeks -- confirming recovery from a single victim network

Campaign Timeline

Date         Event
2025-03-20   TSMSISrv.dll compiled (VS2022, x64) -- loader deployed
2025-06-30   TSMSISrv.dll first observed by ReversingLabs
2025-08-13   TSMSISrv.dll first observed by Kaspersky
2025-10-17   gaze.exe compiled (VS2019, x86) -- ransomware built for target
2025-10-19   gaze.exe first observed by Kaspersky and ANY.RUN
2026-02-12   TSMSISrv.dll submitted to MalwareBazaar by smica83
2026-02-26   gaze.exe submitted to MalwareBazaar by smica83

The 14-day gap between submissions suggests the incident responder found the loader first during forensic analysis, then discovered the ransomware component during deeper investigation.

MITRE ATT&CK Mapping

Tactic             Technique                           ID          Implementation
Execution          Shared Modules                      T1129       COM DLL loading via DllGetClassObject
Execution          PowerShell                          T1059.001   powershell -executionpolicy bypass -File %s
Persistence        DLL Side-Loading                    T1574.002   TSMSISrv.dll replacing Terminal Services component
Persistence        COM Hijacking                       T1546.015   CLSID registration via DllRegisterServer
Persistence        Active Setup                        T1547.014   Boot/Logon Autostart registry keys
Defense Evasion    Masquerading                        T1036.005   TSMSISrv.dll masquerades as Windows system DLL
Defense Evasion    Obfuscated Files                    T1027.002   XOR encoding (key 0x2E) of config block
Defense Evasion    Debugger Evasion                    T1622       Dual TLS callbacks before DllMain
Defense Evasion    Impair Defenses                     T1562.001   Kills 50+ security services
Credential Access  Credentials from Password Stores    T1555       Browser and Windows Credential Manager theft
Discovery          System Information Discovery        T1082       GetNativeSystemInfo, GetSystemFirmwareTable
Discovery          Network Share Discovery             T1135       GetLogicalDriveStringsW, mapped drive enumeration
Impact             Data Encrypted for Impact           T1486       RSA+AES hybrid file encryption
Impact             Inhibit System Recovery             T1490       vssadmin Delete Shadows /all /quiet
Impact             Service Stop                        T1489       net stop, taskkill against backup/security services

Indicators of Compromise

File Indicators -- gaze.exe (Medusa Ransomware)

SHA-256:    15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10
MD5:        60aaafce354ae5e0b8115729464a8b24
SHA-1:      53948d9596ebab5c4cf2ac04e7fb70c429e0cbbf
Imphash:    82a8292007e682f1a127ba8dcebfae96
Rich Hash:  c8040dd3ff2f4afd042efd4ebe1a43c6
SSDEEP:     12288:hy+6mXiDDQaBC9WSLe8aHDlglIdLnEAox6Kt7p733WE+jDWFt+Y+ELc2OTWvsIUE:41h5n0SleSPF1i9gs/GS6eRMUsWWPs8l

File Indicators -- TSMSISrv.dll (Lazarus Loader)

SHA-256:    aeebcd8c8b15645d7e71b68ac05e21e9a4c94f832c64044725d870b87b9573c7
MD5:        447557d5236f1b97be0314b317ca9fff
SHA-1:      28978e987bc59e75ca22562924eab93355cf679e
Imphash:    655221b6bcad7b5b0b9766142cbc257a
Rich Hash:  3be2401da21dfed104c9aa52bb620344
SSDEEP:     12288:oWujjXB8pkTnyDjVBRxQ1UdiG/Mclbvc/Z:oWujFl2JFQ1Udi2MKc/Z

Behavioral Indicators

PDB Path:           G:\Medusa\Release\gaze.pdb
Ransom Note:        !!!READ_ME_MEDUSA
XOR Key:            0x2E
DLL Target:         TSMSISrv.dll
Service Target:     SessionEnv (Terminal Services Session Configuration)
Original Filename:  SampleIM.dll
Version String:     The Sample code of Windows 8 IME
COM Registration:   CLSID\%s\InProcServer32
Victim ID:          00b4f860f1798b62b3531f1b4e8bb6e0
Tox ID:             AEA72DFCF492037A6D15755A74645C7D8E674E342BACA9F9070A3FB74117EC3143FD6E29BEAC

Network Indicators (Defanged)

hxxp://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd[.]onion/
hxxp://7aqabivkwmpvjkyefonf3gpy5gsubopqni7kcirsrq3pflckxq5zz4id[.]onion/
hxxp://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad[.]onion/
hxxp://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd[.]onion/00b4f860f1798b62b3531f1b4e8bb6e0
hxxps://utox[.]org/uTox_win64.exe

Commands

vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=%s /on=%s /maxsize=401MB
taskkill /F /IM [process]
net stop "%s" /y
powershell -executionpolicy bypass -File %s
powershell -Command "& {%s}"

Detection Opportunities

YARA Rules

rule Lazarus_Medusa_Gaze_Ransomware {
    meta:
        description = "Detects Lazarus-deployed Medusa ransomware (gaze.exe) via PDB path and XOR config"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
        reference = "https://intel.breakglass.tech"
    strings:
        $pdb = "G:\\Medusa\\Release\\gaze.pdb" ascii
        $ransom_note = "!!!READ_ME_MEDUSA" ascii wide
        // The single-byte XOR key 0x2E is not usable as a pattern on its own (a one-byte
        // hex string matches everywhere and YARA rejects strings the condition never uses);
        // XOR-encoded config markers are handled by Lazarus_Medusa_Campaign_Config.
        $shadow1 = "vssadmin Delete Shadows" ascii wide nocase
        $shadow2 = "vssadmin resize shadowstorage" ascii wide nocase
        $bcrypt1 = "BCryptImportKeyPair" ascii
        $bcrypt2 = "BCryptGenerateSymmetricKey" ascii
        $bcrypt3 = "BCryptEncrypt" ascii
        $svc1 = "Sophos" ascii wide
        $svc2 = "Veeam" ascii wide
        $svc3 = "McAfee" ascii wide
        $svc4 = "BackupExec" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        ($pdb or $ransom_note) and
        1 of ($shadow*) and
        2 of ($bcrypt*) and
        2 of ($svc*)
}

rule Lazarus_TSMSISrv_IME_Loader {
    meta:
        description = "Detects Lazarus IME SDK-based DLL sideloading loader (TSMSISrv.dll)"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        $ime1 = "SampleIME" ascii wide
        $ime2 = "The Sample code of Windows 8 IME" ascii wide
        $ime3 = "SampleIM.dll" ascii wide
        $exp1 = "OnSessionChange" ascii
        $exp2 = "StartComponent" ascii
        $exp3 = "StopComponent" ascii
        $exp4 = "DllRegisterServer" ascii
        $rtti1 = "CSampleIME" ascii
        $rtti2 = "CCompositionProcessorEngine" ascii
        $msft = "MSFT" ascii wide   // CompanyName copied verbatim from the SDK sample
    condition:
        uint16(0) == 0x5A4D and
        uint16(0x18) == 0x0040 and  // e_lfarlc == 0x40: a regular PE image from a modern linker
        2 of ($ime*) and
        3 of ($exp*) and
        1 of ($rtti*) and
        $msft and
        filesize > 500KB and filesize < 2MB
}

rule Lazarus_Medusa_Campaign_Config {
    meta:
        description = "Detects XOR-encoded Medusa configuration block with Tor onion addresses"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        // First 8 bytes of the primary leak-blog onion address as stored on disk under XOR 0x2E.
        // The xor modifier derives the encoded form; equivalent to { 56 48 58 1A 44 54 4D 45 }.
        $onion1_xor = "xfv4jzck" ascii xor(0x2e)
        // Plaintext forms match memory dumps and decoded blocks; xor forms match the on-disk config.
        $tox_marker = "AEA72DFCF492037A6D15755A74645C7D" ascii
        $tox_marker_xor = "AEA72DFCF492037A6D15755A74645C7D" ascii xor(0x2e)
        $victim_id = "00b4f860f1798b62b3531f1b4e8bb6e0" ascii
        $victim_id_xor = "00b4f860f1798b62b3531f1b4e8bb6e0" ascii xor(0x2e)
    condition:
        uint16(0) == 0x5A4D and
        any of them
}

Network Detection -- Suricata

# Medusa Tor negotiation endpoint (victim-specific hash in URI). Only fires where the
# plaintext HTTP request is observable, i.e. before it is wrapped by Tor (for example
# traffic to a web-to-Tor gateway); Tor circuits themselves carry no readable URI.
alert http any any -> any any (msg:"LAZARUS-MEDUSA Tor Negotiation Endpoint Pattern"; \
  content:".onion/"; http_uri; content:"00b4f860f1798b62b3531f1b4e8bb6e0"; http_uri; \
  sid:2026030901; rev:1;)

# Medusa ransom note written to a network share over SMB (payload visible only when
# SMB encryption is not in use)
alert smb any any -> any any (msg:"LAZARUS-MEDUSA Ransom Note Creation"; \
  content:"!!!READ_ME_MEDUSA"; sid:2026030902; rev:1;)

# Shadow copy deletion command crossing the wire in cleartext (common on its own,
# high-signal in combination with the rules above). Suricata has no "any" protocol
# keyword; "ip" matches every protocol.
alert ip any any -> any any (msg:"LAZARUS-MEDUSA Shadow Copy Deletion"; \
  content:"vssadmin"; content:"Delete Shadows"; content:"/all"; content:"/quiet"; \
  sid:2026030903; rev:1;)

Hunting Queries

SessionEnv DLL Sideloading (KQL -- Microsoft Defender / Sentinel):

DeviceFileEvents
| where FileName =~ "TSMSISrv.dll"
| where FolderPath !startswith "C:\\Windows\\System32"
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessFileName

COM Registration Anomalies (KQL):

DeviceRegistryEvents
| where RegistryKey has "InProcServer32"
| where RegistryValueData !startswith "C:\\Windows\\"
| where RegistryValueData !startswith "C:\\Program Files"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData

Imphash Hunting (Splunk):

index=endpoint sourcetype=sysmon EventCode=7
(Imphash="82a8292007e682f1a127ba8dcebfae96" OR Imphash="655221b6bcad7b5b0b9766142cbc257a")
| table _time, host, Image, ImageLoaded, Imphash

Medusa Service Kill Pattern (Sigma-style):

title: Medusa Ransomware Bulk Service Termination
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7036
        param1|contains:
            - 'Sophos'
            - 'Veeam'
            - 'BackupExec'
            - 'McAfee'
        # 7036 is logged for both state transitions; only the stops are of interest
        param2: 'stopped'
    timeframe: 5m
    condition: selection | count() > 5
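The three hunting queries above (KQL, SPL and Sigma) express checks that are easy to reason about in plain code. The following Python, added here as an example and not the report's or any vendor's tooling, runs the same logic over constructed telemetry records: TSMSISrv.dll appearing outside System32, InProcServer32 values pointing outside trusted roots, and a per-host burst of service stops (System log EventID 7036) naming the vendors on the kill list. Hosts, paths, timestamps and the CLSID placeholder are invented; the trusted-root list and the 5-event / 5-minute threshold are taken from the queries.

```python
"""Hunting checks over constructed endpoint telemetry (added example, not the report's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")      # as in the COM KQL query
KILL_LIST_VENDORS = ("sophos", "veeam", "backupexec", "mcafee")
BURST_WINDOW = timedelta(minutes=5)                          # Sigma timeframe: 5m
BURST_THRESHOLD = 5                                          # Sigma condition: count() > 5


def sideloaded_tsmsisrv(file_events):
    """TSMSISrv.dll belongs in System32; any other folder is a sideloading candidate."""
    return [e for e in file_events
            if e["FileName"].lower() == "tsmsisrv.dll"
            and not e["FolderPath"].lower().startswith("c:\\windows\\system32")]


def untrusted_inprocserver(registry_events):
    """COM in-process servers registered from outside Windows / Program Files."""
    hits = []
    for e in registry_events:
        if "inprocserver32" not in e["RegistryKey"].lower():
            continue
        value = e["RegistryValueData"].strip('"').lower()
        if not value.startswith(TRUSTED_ROOTS):
            hits.append(e)
    return hits


def service_stop_bursts(system_events):
    """Hosts where more than BURST_THRESHOLD kill-list services stopped inside a sliding 5-minute window.

    Returns {host: max_stops_seen_in_one_window} for flagged hosts only.
    """
    per_host = defaultdict(list)
    for e in system_events:
        if (e["EventID"] == 7036 and e["param2"].lower() == "stopped"
                and any(v in e["param1"].lower() for v in KILL_LIST_VENDORS)):
            per_host[e["host"]].append(e["ts"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                flagged[host] = max(flagged.get(host, 0), end - start + 1)
    return flagged


# --- constructed telemetry (hosts, paths, times are invented) ---
T0 = datetime(2025, 10, 18, 3, 0, 0)
FILE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "TSMSISrv.dll", "FolderPath": "C:\\Windows\\System32"},
    {"DeviceName": "srv07", "FileName": "TSMSISrv.dll", "FolderPath": "C:\\Users\\Public\\Libraries"},
]
REGISTRY_EVENTS = [
    {"DeviceName": "ws01", "RegistryKey": "HKLM\\SOFTWARE\\Classes\\CLSID\\{PLACEHOLDER-CLSID}\\InProcServer32",
     "RegistryValueData": "C:\\Windows\\System32\\shell32.dll"},
    {"DeviceName": "srv07", "RegistryKey": "HKLM\\SOFTWARE\\Classes\\CLSID\\{PLACEHOLDER-CLSID}\\InProcServer32",
     "RegistryValueData": "\"C:\\Users\\Public\\Libraries\\TSMSISrv.dll\""},
]
BURST_SERVICES = ["Sophos MCS Client", "Sophos File Scanner", "VeeamTransportSvc",
                  "VeeamCatalogSvc", "BackupExecJobEngine", "McAfeeFramework"]
SYSTEM_EVENTS = (
    # srv07: six kill-list services stopped within 35 seconds -> burst
    [{"host": "srv07", "EventID": 7036, "param1": n, "param2": "stopped",
      "ts": T0 + timedelta(seconds=7 * i)} for i, n in enumerate(BURST_SERVICES)]
    # ws01: two stops an hour apart -> routine maintenance, no burst
    + [{"host": "ws01", "EventID": 7036, "param1": "VeeamTransportSvc", "param2": "stopped", "ts": T0},
       {"host": "ws01", "EventID": 7036, "param1": "Sophos Health", "param2": "stopped",
        "ts": T0 + timedelta(hours=1)},
       # a service coming back up is a 7036 too, but not a stop
       {"host": "ws01", "EventID": 7036, "param1": "Sophos Health", "param2": "running",
        "ts": T0 + timedelta(hours=1, seconds=30)}]
)

if __name__ == "__main__":
    print("sideloaded:", [e["DeviceName"] for e in sideloaded_tsmsisrv(FILE_EVENTS)])
    print("untrusted COM servers:", [e["DeviceName"] for e in untrusted_inprocserver(REGISTRY_EVENTS)])
    print("service-stop bursts:", service_stop_bursts(SYSTEM_EVENTS))
```

The burst check uses a sliding window rather than fixed five-minute buckets so a kill sequence straddling a bucket boundary is not split in two; the InProcServer32 check strips surrounding quotes because quoted paths would otherwise slip past a prefix comparison.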

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 2 MalwareBazaar samples analyzed. Dual-tool Lazarus intrusion chain mapped. Medusa RaaS affiliate model confirmed. Classification: TLP:CLEAR
