MedusaLocker

Also known as: medusalocker

MedusaLocker is a ransomware operation known for double extortion: it encrypts victim data and threatens to publish stolen data if the victim does not pay. The source reporting states that it continued targeting manufacturing and critical infrastructure. The operation has been referenced in connection with incidents involving EDR-killer and defense-evasion tooling: ThrottleBlood was observed in MedusaLocker intrusions, and Seqrite reported that attackers in MedusaLocker attacks frequently used process-killing tools such as 0th3r_av5.exe to shut down antivirus monitoring. Additional reporting linked CardSpaceKiller to intrusions involving MedusaLocker, and noted that LockBit used a service kill list very similar to MedusaLocker's. The source reporting also references MedusaLocker in the context of custom cryptocurrency mixing services associated with ransomware-as-a-service ecosystems. No aliases or sub-groups other than the name MedusaLocker are directly supported by the source reporting.


MITRE ATT&CK tradecraft

47 distinct techniques observed across reporting, grouped by tactic. 12 of 15 tactics are covered; 65 technique entries are listed in total (a technique that maps to more than one tactic appears under each). ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (1 technique)
  T1566 Phishing
    T1566.001 Spearphishing Attachment

TA0002 Execution (3 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1059 Command and Scripting Interpreter
  T1129 Shared Modules

TA0003 Persistence (4 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1112 Modify Registry (×2)
  T1542 Pre-OS Boot
    T1542.003 Bootkit
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder (×2)

TA0004 Privilege Escalation (4 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1134 Access Token Manipulation
    T1134.004 Parent PID Spoofing
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder (×2)
  T1548 Abuse Elevation Control Mechanism
    T1548.002 Bypass User Account Control

TA0005 Stealth (10 techniques)
  T1014 Rootkit
  T1027 Obfuscated Files or Information (×2)
    T1027.002 Software Packing (×3)
    T1027.005 Indicator Removal from Tools
  T1036 Masquerading
  T1070 Indicator Removal
    T1070.004 File Deletion (×2)
  T1134 Access Token Manipulation
    T1134.004 Parent PID Spoofing
  T1140 Deobfuscate/Decode Files or Information
  T1202 Indirect Command Execution
  T1497 Virtualization/Sandbox Evasion (×2)
    T1497.001 System Checks
  T1542 Pre-OS Boot
    T1542.003 Bootkit
  T1564 Hide Artifacts
    T1564.003 Hidden Window

TA0112 Defense Impairment (2 techniques)
  T1112 Modify Registry (×2)
  T1222 File and Directory Permissions Modification

TA0006 Credential Access (2 techniques)
  T1003 OS Credential Dumping
  T1056 Input Capture
    T1056.001 Keylogging

TA0007 Discovery (9 techniques)
  T1010 Application Window Discovery
  T1012 Query Registry
  T1016 System Network Configuration Discovery
  T1057 Process Discovery
  T1082 System Information Discovery
  T1083 File and Directory Discovery
  T1135 Network Share Discovery
  T1497 Virtualization/Sandbox Evasion (×2)
    T1497.001 System Checks
  T1614 System Location Discovery

TA0008 Lateral Movement (1 technique)
  T1021 Remote Services
    T1021.001 Remote Desktop Protocol

TA0009 Collection (2 techniques)
  T1056 Input Capture
    T1056.001 Keylogging
  T1074 Data Staged

TA0011 Command and Control (4 techniques)
  T1071 Application Layer Protocol
  T1090 Proxy
  T1105 Ingress Tool Transfer
  T1573 Encrypted Channel

TA0040 Impact (3 techniques)
  T1486 Data Encrypted for Impact (×3)
  T1489 Service Stop
  T1490 Inhibit System Recovery (×2)