Unusual toolset used in recent Fog Ransomware attack

Article thumbnail image

This post was originally published on Security Affairs. It can be found here.

Fog ransomware operators used in a May 2025 attack unusual pentesting and monitoring tools, Symantec researchers warn.

In May 2025, attackers hit an Asian financial firm with Fog ransomware, using rare tools like Syteca monitoring software and pentesting tools GC2, Adaptix, and Stowaway. Symantec researchers pointed out that the use of these tools is unusual for ransomware campaigns. Notably, attackers created a service post-attack to maintain access, a rare persistence move. The attackers remained in the network for two weeks before launching the ransomware, signaling a more calculated, long-term strategy.

Fog ransomware has been active since at least May 2024 and focused on U.S. schools. The threat initially spread via compromised VPNs. By late 2024, it exploited a severe Veeam VBR flaw (CVE-2024-40711, CVSS 9.8). In April 2025, attackers shifted to email-based infections, with ransom notes mocking Elon Musk’s DOGE agency and offering free decryption if victims infected others, highlighting its evolving and provocative tactics.

The researchers were not able to determine the initial infection vector in a recent Fog ransomware attack, however, experts thought Exchange Servers were involved. Attackers deployed rare tools, including GC2, which uses Google Sheets or SharePoint for C2, and the Syteca monitoring tool, possibly for espionage. They used Stowaway for delivery, PsExec/SMBExec for lateral movement, and removed evidence post-use. Attackers used tools like Adaptix C2, FreeFileSync, MegaSync, and Process Watchdog to steal data, maintain persistence, and control.

This ransomware attack was highly unusual due to the atypical toolset used, the researchers speculte that tools like Syteca, GC2, Stowaway, and Adaptix C2 are rarely seen in such cases. The attackers also established persistence post-ransomware deployment, which is uncommon. These signs suggest the attack may have had espionage motives, with ransomware possibly used as a decoy or secondary goal.

“These factors mean it could be possible that this company may in fact have been targeted for espionage purposes, with the ransomware attack merely a decoy, or perhaps also deployed in an attempt by the attackers to make some money while also carrying out their espionage activity.” concludes the report that includes indicators of compromise. “What we can say with certainty is that this was an unusual toolset to see in a ransomware attack and is worth noting for businesses and corporations wanting to guard against attacks by malicious actors. “

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fog ransomware)

This post was originally published on this site

Forum Search

Partners & Sponsors
  • University of Baltimore
  • Towson University
  • Bureau of Justice Assistance
  • National Science Foundation
LATEST FORUM POSTS
Test post2

Test Post2

By Demo User12, 2 years ago

Finding internships

Hello, Has anyone here secured any forensic related internships for 2024? I'm collecting some data and wanted to know what...

By AP Malla, 2 years ago

Beginner network forensic investigation

How should I approach network forensic? Would you recommend learning tools like WireShark?

By AP Malla, 2 years ago

Cyber Forensic Employment: High level guidelines

Understand the Basics: Know the Field: Cyber forensics involves investigating digital crimes, analyzing electronic data, and recovering hidden, deleted, or...

By AP Malla, 2 years ago

LATEST POSTS
Article thumbnail image
Europol shut down Archetyp Market, a major dark web drug marketplace, in a glob
Anubis RaaS now includes a wiper module, permanently deleting files. Active sin
Insik Group analyzed the new Predator spyware infrastructure and discovered it
Article thumbnail image
Canada’s airline WestJet has suffered a cyberattack that impactd access to so