Find notable cyber news and cases, enriched with sources, timelines, and signals.

Medusa ransomware post-compromise deployment

Malware Activity
First reported
Last updated
Happening score
H score 48
2 unique sources, 2 articles

Summary

Hide ▲

Medusa ransomware is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware activity combines data exfiltration with internal lateral movement, allowing operators to broaden impact before detection. In some cases, deployment happens within 24 hours of foothold establishment, increasing the chance of multiple hosts being affected. The workflow also uses internal tooling to stage payloads and weaken security controls before ransomware is dropped.

Related Happenings

GodDamn ransomware PoisonX BYOVD activity

Malware Activity
H score15 First: 09.07.2026 13:43 Last: 09.07.2026 13:43 Sources 1

About this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...

INC ransomware encryptors rewritten in Rust

Malware Activity
H score38 First: 18.06.2026 17:12 Last: 18.06.2026 17:12 Sources 1

About this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...

Turla Kazuar modular P2P botnet

Malware Activity
H score16 First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: **Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
H score23 First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

Vect 2.0 ransomware wiper-flaw activity

Malware Activity
H score31 First: 29.04.2026 18:23 Last: 29.04.2026 18:23 Sources 1

About this happening: The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...

Timeline

  1. 07.04.2026 09:35 2 articles · 3mo ago

    Storm-1175 rapid Medusa ransomware deployment analysis

    Initial Disclosure

    Storm-1175, a China-based threat actor linked to Medusa ransomware, is described as chaining zero-day and N-day vulnerabilities against internet-facing systems and as affecting healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States. After gaining footholds, the actor can create new user accounts, use web shells or legitimate RMM software for lateral movement, conduct credential theft, interfere with security solutions, exfiltrate data, and deploy Medusa ransomware within a few days or, in some cases, within 24 hours.

    Show sources