Medusa ransomware post-compromise deployment
Malware Activity
Summary
Hide ▲
Show ▼
Medusa ransomware is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware activity combines data exfiltration with internal lateral movement, allowing operators to broaden impact before detection. In some cases, deployment happens within 24 hours of foothold establishment, increasing the chance of multiple hosts being affected. The workflow also uses internal tooling to stage payloads and weaken security controls before ransomware is dropped.
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
INC ransomware encryptors rewritten in Rust
Malware Activity
H score38
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
INC ransomware encryptors rewritten in Rust
Malware ActivityAbout this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
Turla Kazuar modular P2P botnet
Malware Activity
H score16
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
**Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...
Turla Kazuar modular P2P botnet
Malware ActivityAbout this happening: **Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware ActivityAbout this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
H score31
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect 2.0 ransomware wiper-flaw activity
Malware ActivityAbout this happening: The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Timeline
-
07.04.2026 09:35 2 articles · 3mo ago
Storm-1175 rapid Medusa ransomware deployment analysis
Initial DisclosureStorm-1175, a China-based threat actor linked to Medusa ransomware, is described as chaining zero-day and N-day vulnerabilities against internet-facing systems and as affecting healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States. After gaining footholds, the actor can create new user accounts, use web shells or legitimate RMM software for lateral movement, conduct credential theft, interfere with security solutions, exfiltrate data, and deploy Medusa ransomware within a few days or, in some cases, within 24 hours.
Show sources
- China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware — thehackernews.com — 07.04.2026 09:35
- Storm-1175 Deploys Medusa Ransomware at 'High Velocity' — www.darkreading.com — 07.04.2026 23:15