A recent Fog ransomware attack stands out due to its use of a set of legitimate tools previously unseen in ransomware attacks, Symantec reports.
The attack was carried out in May 2025 against a financial institution in Asia and relied on Syteca (formerly Ekran), a legitimate employee monitoring software, and several open source pentesting utilities, namely GC2, Adaptix, and Stowaway.
The attackers compromised the organization’s network two weeks before deploying ransomware, and infected two Exchange servers in the process. The infection chain started with the open source penetration testing tools.
One of the utilities, GC2, can be used to execute commands using Google Sheets or Microsoft SharePoint List, and to exfiltrate data via Google Drive or Microsoft SharePoint documents. The tool was previously used by the Chinese state-sponsored hacking group APT41 in 2023.
The Fog attack also involved the use of Stowaway, an open source proxy utility, to deploy Syteca, a legitimate employee monitoring utility that supports screen recording and keystroke monitoring, among other features.
“Several libraries are loaded by this executable, suggesting it was likely used for information stealing or spying, which would be the most likely reason the attackers would deploy it given the keylogging and screen capture capabilities of the tool,” Symantec notes.
The attackers were also seen executing commands to remove Syteca, and using PsExec and SMBExec, along with Syteca and GC2, for lateral movement. File transfer utilities such as FreeFileSync and MegaSync were used for data exfiltration.
Additionally, the Adaptix C2 Agent Beacon, part of an open source post-exploitation and adversarial emulation framework, was deployed. The tool, which is similar to Cobalt Strike, provides command-and-control (C&C) access.
The attackers also created a service to establish persistence on the infected network several days before the ransomware was deployed. Impacket was likely used to execute Fog.
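As an added illustration from the defender's side (this is not part of the Symantec report or the original article), the script below triages endpoint events for the pattern described here: a service installed for persistence on a host, followed over several days by activity from the dual-use tools the report names (PsExec, SMBExec, GC2, Adaptix, Stowaway, Syteca, FreeFileSync, MegaSync). The simplified event format, host names, file paths and timestamps are constructed assumptions for the example, not real Windows event text or indicators from the incident.

```python
"""Triage constructed endpoint events for the tradecraft described above.

Added example, not Symantec's tooling. Event lines are constructed in a simplified
'<iso-timestamp> <host> <event_id> key=value ...' format (an assumption for this
example, not real Windows event text). Event 7045 stands for a service install,
4688 for a process start.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Tool names taken from the report, grouped by the role the article assigns them.
# Matched case-insensitively as substrings of the image file name.
TOOL_ROLES: dict[str, tuple[str, ...]] = {
    "lateral_movement": ("psexec", "smbexec"),
    "exfiltration": ("freefilesync", "megasync"),
    "c2_or_proxy": ("gc2", "adaptix", "stowaway"),
    "monitoring": ("syteca", "ekran"),
}

SERVICE_INSTALL = 7045
PROCESS_START = 4688


@dataclass
class HostFinding:
    roles: set[str] = field(default_factory=set)
    persistence: datetime | None = None  # first service install seen
    first: datetime | None = None        # first suspicious event
    last: datetime | None = None         # most recent suspicious event

    @property
    def dwell_days(self) -> int:
        """Days between the first and last suspicious event on this host."""
        return (self.last - self.first).days if self.first and self.last else 0

    @property
    def severity(self) -> str:
        # Persistence plus tooling from two or more roles mirrors the multi-stage
        # intrusion described in the article; anything recorded is at least medium.
        return "high" if self.persistence and len(self.roles) >= 2 else "medium"


def parse_line(line: str) -> tuple[datetime, str, int, dict[str, str]]:
    """Parse one constructed event line into (timestamp, host, event_id, fields)."""
    ts, host, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), host, int(event_id), fields


def classify_image(image: str) -> str | None:
    """Map an image path to a tool role from TOOL_ROLES, or None if unremarkable."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for role, needles in TOOL_ROLES.items():
        if any(n in name for n in needles):
            return role
    return None


def triage(lines: list[str]) -> dict[str, HostFinding]:
    """Group suspicious events per host in time order and record roles, persistence, dwell."""
    findings: dict[str, HostFinding] = {}
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    for ts, host, event_id, fields in events:
        if event_id == SERVICE_INSTALL:
            # Every new service is recorded here; in production compare against a
            # baseline of known services to cut noise.
            f = findings.setdefault(host, HostFinding())
            f.persistence = f.persistence or ts
        elif event_id == PROCESS_START:
            role = classify_image(fields.get("image", ""))
            if role is None:
                continue
            f = findings.setdefault(host, HostFinding())
            f.roles.add(role)
        else:
            continue
        f.first = f.first or ts
        f.last = ts
    return findings


# Constructed sample events (hosts, paths and times are invented for the example).
SAMPLE_LOG = [
    "2025-05-01T09:12:00 EXCH01 7045 service=UpdSvc image=C:\\ProgramData\\svc.exe",
    "2025-05-01T09:20:00 EXCH01 4688 image=C:\\Tools\\stowaway.exe",
    "2025-05-01T10:00:00 WS12 4688 image=C:\\Windows\\System32\\notepad.exe",
    "2025-05-02T08:00:00 EXCH01 4688 image=C:\\Syteca\\SytecaAgent.exe",
    "2025-05-03T11:02:00 EXCH01 4688 image=C:\\Tools\\PsExec.exe",
    "2025-05-10T02:30:00 WS07 4688 image=C:\\Users\\a\\MegaSync.exe",
    "2025-05-12T03:00:00 WS07 4688 image=C:\\Users\\a\\FreeFileSync.exe",
]

if __name__ == "__main__":
    for host, f in triage(SAMPLE_LOG).items():
        print(f"{host}: severity={f.severity} roles={sorted(f.roles)} "
              f"persistence={f.persistence} dwell_days={f.dwell_days}")
```

The point of the correlation is the one the article makes: none of these tools is malicious on its own, so a single process-start alert on PsExec or a file-sync client is easy to dismiss, while a host that gains a new service and then runs tooling from several of these roles over a span of days is the shape of an intrusion that is still unfolding.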
According to Symantec, the unusual set of tools employed in this attack, along with the attempt to retain access to the compromised network, suggests that the victim organization might have been targeted for espionage, with the ransomware component being either a decoy or an attempt to earn additional money from the intrusion.
This is not the first ransomware attack to use tools typically employed by China-linked APTs, with previous occurrences including a variant of the PlugX backdoor and the ShadowPad modular malware family.
The Fog ransomware emerged in 2024, primarily targeting the US education sector. As an initial access vector, the group has abused compromised VPN credentials, vulnerable Veeam Backup & Replication (VBR) servers (CVE-2024-40711), and phishing emails.