Fog Ransomware Attack Using Unusual Tools
- Story generated on: 13-06-25 12:04:09
- cyber
Details about a Fog ransomware attack utilizing unusual tools.

Fog Ransomware Attack Employs Unusual Tools
Multiple legitimate but unusual tools were used in a Fog ransomware attack, including one previously employed by the Chinese hacking group APT41. (Source: SecurityWeek)
Fog ransomware gang abuses employee monitoring tool in unusual multi-stage attack
Fog ransomware hackers, known for targeting US educational institutions, are now using the legitimate employee monitoring software Syteca and several open-source pen-testing tools alongside their usual encryption. While investigating a May 2025 attack on an unnamed financial institution in Asia, Symantec researchers spotted the hackers using Syteca (formerly Ekran) and several pen-testing tools, including GC2, Adaptix and Stowaway, a combination they found "highly unusual" in a ransomware attack chain.

Reflecting on the shift in Fog's tactics, Bugcrowd's CISO, Trey Ford, said, "We should expect the use of ordinary and legitimate corporate software as the norm—we refer to this as 'living off the land'. Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when 'allowable' software gets the job done for them?"

While Symantec could not identify the initial infection vector used in this attack, Fog ransomware actors have exploited critical vulnerabilities in the past, such as the CVSS 9.8-rated remote code execution flaw in Veeam Backup & Replication, to gain initial access. Additionally, the attackers' unusual effort to maintain persistence long after encryption suggested a deeper, possibly ulterior, motive.

Syteca was likely used as a stealer
Researchers found the attackers using Stowaway, an open-source multi-hop proxy tool for tunnelling traffic between internal and external networks, to deliver the Syteca executable. It is not known exactly how the attackers used Syteca during the intrusion; the client was distributed under file names such as "sytecaclient.exe" and "udpate.exe", the latter a look-alike of a generic updater name. Still, the adversarial potential of an employee monitoring tool with screen recording and keystroke logging capabilities is not hard to guess. Several libraries loaded by the executable suggest it was used for information stealing or spying, the researchers added.

"The real danger in this case isn't the ransom note — it's how Fog turns a simple screen-recorder into a hidden camera," said Akhil Mittal, senior manager at Black Duck. "Software is an essential driver of growth and innovation for every company; however, business apps we install on autopilot can suddenly become spy tools, which means trust is the weak spot." Security teams should keep a live map of where every monitoring app is allowed to run and flag it the moment one appears somewhere odd, Mittal added.

Open-source pen-testing tools for executing commands
Another peculiarity of the attack was the use of open-source penetration testing tools such as GC2 and Adaptix C2, which are rarely seen in ransomware attacks. Google Command and Control (GC2) is an open-source post-exploitation tool that lets an operator control compromised systems using legitimate cloud services, Google Sheets and Google Drive, as command-and-control (C2) infrastructure. The GC2 implant alone potentially allowed the attackers to run discovery commands, transfer files and load shellcode, hinting at deeper intelligence-gathering objectives. "The use of expected productivity platforms (e.g., Google Sheets or Microsoft SharePoint) for command and control (C2) would have blended in a bit more with normalized corporate traffic, increasing the time to detect, and slowed investigations a bit," Ford added. GC2 has previously been used in attacks attributed to the Chinese threat group APT41. Adaptix C2, an open-source post-exploitation framework whose agent plays a role similar to the Cobalt Strike Beacon, was also seen in the Fog attack.

Persistence after encryption raises red flags
Unlike typical ransomware actors, who leave once encryption is done, the Fog group was seen establishing persistence even days after deploying the ransomware, a move more common in espionage operations. Using a service named "SecurityHealthIron" (a name that resembles the legitimate Windows SecurityHealthService), likely used to launch the command-and-control utilities, the attackers ensured ongoing access. "The attackers establishing persistence on a victim network having deployed the ransomware is also not something we would typically see in a ransomware attack," the researchers said. "These factors mean it could be possible that this company may in fact have been targeted for espionage purposes." Coupled with lateral movement via PsExec and SMBExec, the use of 7-Zip and MegaSync to stage and exfiltrate data, and careful cleanup of Syteca artifacts, the operation looked more like a planned, multi-stage intrusion than a quick ransomware grab.
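The two defensive points above (Mittal's "live map" of where a monitoring client may run, and the post-encryption persistence via a look-alike service name) can be turned into a simple hunt. The following is an added example, not code from Symantec, SecurityWeek or the quoted commentators: it walks a handful of constructed Windows process- and service-creation records and flags a Syteca client outside its approved install path, the reported look-alike name "udpate.exe", a service called "SecurityHealthIron", and 7-Zip followed by MegaSync on the same host. The approved path, host names, file locations and event shape are invented for illustration; in practice they would come from your software inventory and from Sysmon or Security log exports.

```python
"""Hunt for Fog-style indicators over constructed Windows event records.

Added example: the event format, hosts, paths and the allow-list below are
assumptions for illustration, not data from the Symantec report."""

from dataclasses import dataclass
from typing import Dict, List

# Hypothetical allow-list: the only location the Syteca client is expected
# to run from in this (fictional) environment. Compared case-insensitively.
APPROVED_SYTECA_PATHS = {
    r"c:\program files\syteca\sytecaclient.exe",
}

# File names the article reports Syteca being distributed under.
SYTECA_NAMES = {"sytecaclient.exe", "udpate.exe"}
# The persistence service name reported in the attack.
SUSPECT_SERVICE_NAMES = {"securityhealthiron"}


@dataclass
class Event:
    host: str
    kind: str           # "process" for process creation, "service" for service install
    seq: int            # ordering within the sample
    image: str = ""     # full image path for process events
    service: str = ""   # service name for service events


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: List[Event]) -> List[Dict[str, str]]:
    """Return findings as {host, rule, detail}, in event order."""
    findings: List[Dict[str, str]] = []
    archive_seen = set()  # hosts where 7z.exe has already run

    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "process":
            name = _basename(ev.image)
            if name in SYTECA_NAMES and ev.image.lower() not in APPROVED_SYTECA_PATHS:
                # Monitoring client running where the inventory does not allow it,
                # or under the transposed-letter name that is never legitimate.
                rule = "syteca_lookalike_name" if name == "udpate.exe" else "syteca_unapproved_path"
                findings.append({"host": ev.host, "rule": rule, "detail": ev.image})
            elif name == "7z.exe":
                archive_seen.add(ev.host)
            elif name == "megasync.exe" and ev.host in archive_seen:
                # Archive-then-cloud-sync on one host: the exfiltration pattern described.
                findings.append({"host": ev.host, "rule": "archive_then_sync", "detail": ev.image})
        elif ev.kind == "service":
            if ev.service.lower() in SUSPECT_SERVICE_NAMES:
                findings.append({"host": ev.host, "rule": "suspicious_service", "detail": ev.service})
    return findings


# Constructed sample: one benign workstation and one compromised server.
SAMPLE_EVENTS = [
    Event("ws-01", "process", 1, image=r"C:\Program Files\Syteca\SytecaClient.exe"),  # approved
    Event("srv-fin-02", "process", 2, image=r"C:\Users\Public\sytecaclient.exe"),
    Event("srv-fin-02", "process", 3, image=r"C:\Windows\Temp\udpate.exe"),
    Event("srv-fin-02", "service", 4, service="SecurityHealthIron"),
    Event("srv-fin-02", "process", 5, image=r"C:\Tools\7z.exe"),
    Event("srv-fin-02", "process", 6, image=r"C:\Users\Public\MEGAsync.exe"),
    Event("ws-01", "process", 7, image=r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe"),  # no 7z first
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:<12} {f['rule']:<24} {f['detail']}")
```

The approved-path check is deliberately a plain string match: a client copied to `C:\Users\Public` or renamed is exactly the "monitoring app somewhere odd" case, and a look-alike name is flagged regardless of where it runs. The service rule is equally blunt on purpose; defenders comparing new service names against the legitimate `SecurityHealthService` will catch other near-miss names the same way by extending the set.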