Under Medusa’s Gaze: How Darktrace Uncovers RMM Abuse in Ransomware Campaigns

    Date: 01/09/2026

    Severity: High

    Summary

    Medusa has emerged as one of the most active ransomware-as-a-service groups, ranking among the top 10 threats in 2025 and impacting over 500 organizations by January 2026. Recent intelligence shows Medusa increasingly abusing remote management and file transfer software, including exploitation of GoAnywhere MFT License Servlet (CVE-2025-10035) and multiple flaws in SimpleHelp remote support software (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728). This abuse of trusted RMM infrastructure prompted joint advisories from CISA and the FBI, underscoring Medusa’s rapid evolution and operational scale.

    Indicators of Compromise (IOC) List

    URLs/Domains

    erp.ranasons.com·143.110.243.154

    pruebas.pintacuario.mx·144.217.181.205

    IP Address


    Filename

    lirdel.com·44.235.83.125/a.msi

    wizarr.manate.ch/108.215.180.161:8585/$/1dIL5

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "erp.ranasons.com·143.110.243.154" or siteurl like "erp.ranasons.com·143.110.243.154" or url like "erp.ranasons.com·143.110.243.154" or domainname like "pruebas.pintacuario.mx·144.217.181.205" or siteurl like "pruebas.pintacuario.mx·144.217.181.205" or url like "pruebas.pintacuario.mx·144.217.181.205"

    Detection Query 2:

    dstipaddress IN ("185.108.129.62","213.183.63.41","45.9.149.112","89.36.161.12","91.92.246.110","185.126.238.119","213.183.63.42","31.220.45.120","193.37.69.154") or srcipaddress IN ("185.108.129.62","213.183.63.41","45.9.149.112","89.36.161.12","91.92.246.110","185.126.238.119","213.183.63.42","31.220.45.120","193.37.69.154")

    Detection Query 3:

    resourcename = "Windows Security" AND eventtype = "4663" AND objectname IN ("lirdel.com·44.235.83.125/a.msi","wizarr.manate.ch/108.215.180.161:8585/$/1dIL5")

    Detection Query 4:

    technologygroup = "EDR" AND objectname IN ("lirdel.com·44.235.83.125/a.msi","wizarr.manate.ch/108.215.180.161:8585/$/1dIL5")
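As an added example (not code from the advisory or from Gurucul), the Python below applies the matching that the four queries express to normalised log records that use the queries' own field names (srcipaddress, dstipaddress, url, domainname, objectname). It assumes the "·" in the IOC entries joins a hostname to the IP it resolved to, and it splits those fused strings so each component is matched on its own, since the fused literal would not itself appear in a proxy, firewall or EDR field; the sample records are constructed.

```python
import re
# Indicators copied from the IOC list above; '·' is assumed to join a host to its resolved IP.
DOMAIN_IOCS = ["erp.ranasons.com·143.110.243.154",
               "pruebas.pintacuario.mx·144.217.181.205"]
IP_IOCS = ["185.108.129.62", "185.126.238.119", "213.183.63.41", "213.183.63.42",
           "31.220.45.120", "91.92.246.110", "45.9.149.112", "89.36.161.12",
           "193.37.69.154"]
FILE_IOCS = ["lirdel.com·44.235.83.125/a.msi",
             "wizarr.manate.ch/108.215.180.161:8585/$/1dIL5"]
# host, optional '·' or '/' separator, optional IPv4 with optional :port, optional path
FUSED_RE = re.compile(r"^(?P<host>[^·/]+)[·/]?(?P<ip>(?:\d{1,3}\.){3}\d{1,3})?(?::\d+)?(?P<path>/.*)?$")

def expand_iocs() -> dict[str, set]:
    # Split fused indicators into the atoms a single log field can actually hold.
    atoms = {"domain": set(), "ip": set(IP_IOCS), "path": set()}
    for entry in DOMAIN_IOCS + FILE_IOCS:
        m = FUSED_RE.match(entry)
        if m is None:
            raise ValueError(f"unrecognised indicator format: {entry!r}")
        atoms["domain"].add(m["host"])
        for key in ("ip", "path"):
            if m[key]:
                atoms[key].add(m[key])
    return atoms

def match_record(record: dict[str, str], atoms: dict[str, set]) -> list[str]:
    """Return sorted 'kind:value' hits for one record keyed by the queries' field names."""
    hits = []
    for field, value in record.items():
        if field in ("srcipaddress", "dstipaddress") and value in atoms["ip"]:
            hits.append(f"ip:{value}")
        elif field in ("url", "domainname", "objectname"):
            host = re.sub(r"^[a-z]+://", "", value).split("/", 1)[0].split(":")[0]
            if host in atoms["domain"]:
                hits.append(f"domain:{host}")
            # a path alone (a generic "/a.msi", say) is a weak signal: review, don't page
            hits += [f"path:{p}" for p in atoms["path"] if value.endswith(p)]
    return sorted(hits)

# Constructed sample records (not from the page), keyed as the queries expect.
SAMPLE_LOGS = [
    {"dstipaddress": "213.183.63.42"},
    {"dstipaddress": "198.51.100.9", "url": "https://pruebas.pintacuario.mx/login"},
    {"dstipaddress": "44.235.83.125", "url": "http://lirdel.com/a.msi"},
    {"dstipaddress": "198.51.100.10", "url": "https://example.org/updates/a.msi"},
]

def scan(records=SAMPLE_LOGS) -> dict[int, list[str]]:
    atoms = expand_iocs()
    return {i: h for i, r in enumerate(records) if (h := match_record(r, atoms))}
```

The last sample record shows why a path-only hit is separated out: any URL ending in "/a.msi" matches it, so that kind of hit belongs in a review queue rather than a high-severity alert.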

    Reference:

    https://www.darktrace.com/blog/under-medusas-gaze-how-darktrace-uncovers-rmm-abuse-in-ransomware-campaigns


    Tags

    Malware, Vulnerability, Ransomware, Medusa, Exploit, GoAnywhere MFT's, CVE-2025, CVE-2024
