highSkill·May 14, 2026

AGS-2026-0008

Weaponized Claude Skills deliver MedusaLocker ransomware (Cato CTRL)

What happened

Cato Networks' CTRL team documented a campaign that weaponizes Claude Code skills to deliver MedusaLocker ransomware on the host machine. The skill description appears legitimate ("productivity helper") but the SKILL.md contains an embedded instruction sequence that the agent dutifully executes, dropping the loader.

Impact

Full host compromise + file encryption. Once the loader is on disk, MedusaLocker proceeds with its usual TTPs.

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

References

https://www.catonetworks.com/blog/cato-ctrl-weaponizing-claude-skills-with-medusalocker/