Medusa ransomware post-compromise deployment

Malware Activity · Happening score: 48 · 2 unique sources, 2 articles

Summary

Medusa ransomware is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware activity combines data exfiltration with internal lateral movement, allowing operators to broaden impact before detection. In some cases, deployment happens within 24 hours of foothold establishment, increasing the chance of multiple hosts being affected. The workflow also uses internal tooling to stage payloads and weaken security controls before ransomware is dropped.

Related Happenings

Turla Kazuar modular P2P botnet

Malware Activity
First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: **Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

Vect 2.0 ransomware wiper-flaw activity

Malware Activity
First: 29.04.2026 18:23 Last: 29.04.2026 18:23 Sources 1

About this happening: The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Timeline

  1. 07.04.2026 09:35 2 articles · 1mo ago

    Storm-1175 rapid Medusa ransomware deployment analysis

    Initial Disclosure

    Storm-1175, a China-based threat actor linked to Medusa ransomware, is described as chaining zero-day and N-day vulnerabilities against internet-facing systems and as affecting healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States. After gaining footholds, the actor can create new user accounts, use web shells or legitimate RMM software for lateral movement, conduct credential theft, interfere with security solutions, exfiltrate data, and deploy Medusa ransomware within a few days or, in some cases, within 24 hours.