Fog ransomware incidents in recent years have exposed a dangerous new trend in cybercrime: hackers are using open-source penetration testing tools and genuine staff monitoring software to breach networks, steal confidential data, and initiate ransomware attacks.
This unprecedented blend of tactics has targeted major financial institutions, raising alarms among cybersecurity professionals.
A May 2025 attack on an Asian financial institution involved the deployment of Fog ransomware, accompanied by a highly unusual toolset.
Among the novel features was the use of Syteca (formerly Ekran), a legitimate employee monitoring software. This marks a rare event, as Syteca is not typically associated with ransomware campaigns.
Additionally, the attackers introduced several open-source penetration testing tools, such as GC2, Adaptix, and Stowaway, that are not commonly seen in ransomware operations.
GC2, for example, is an open-source tool that uses Google Sheets or Microsoft SharePoint Lists as a command-and-control (C2) mechanism.
Once installed, it polls these cloud platforms for operator commands, executes them, and uploads output logs or stolen files to Google Drive or SharePoint.
The attackers used GC2 to conduct standard discovery commands such as:
- whoami (displays the currently logged-in user)
- net use (shows mapped network resources)
- cmd /c "ipconfig /all" (network configuration details)
- cmd /c "netstat -anot|findstr 3389" (Remote Desktop Protocol activity on port 3389)
Other functionalities of GC2 included uploading/downloading files, loading and executing arbitrary shellcode, and direct command execution, capabilities more commonly seen in advanced persistent threat (APT) operations.
Stowaway was used as a proxy to deliver Syteca, which provides attackers with keylogging and screen capture capabilities.
Syteca’s presence suggests that the attackers may have had espionage as a primary goal, rather than just ransomware-driven disruption or financial gain.
The attackers also attempted to erase evidence of Syteca’s installation using tools like PsExec and SMBExec in a post-attack cleanup.
Persistent Access and Data Exfiltration
According to the report, what makes this attack particularly alarming is the persistence established by the threat actors.
After deploying ransomware, which is typically the final step in an attack, the attackers created a service to maintain continuous access to the network.
This is unusual, as most ransomware groups focus on encrypting data and extorting payments before withdrawing from the victim’s environment.
For data theft, the attackers downloaded file transfer utilities, including FreeFileSync and MegaSync.
They also used the open-source archiver 7-Zip to compress and exfiltrate sensitive directories.
The use of Adaptix C2 Agent Beacon, an open-source alternative to Cobalt Strike, provided attackers with command-and-control capabilities similar to those used by sophisticated APT groups.
PsExec and SMBExec were used for lateral movement, allowing the attackers to extend their reach across the network.
Additionally, a process watchdog mechanism ensured that critical attacker tools, like the GC2 implant, remained running on compromised machines.
Espionage, Ransomware, or Both?
The convergence of legitimate monitoring software, pentesting tools, and persistent backdoor mechanisms suggests that this attack may have been orchestrated for espionage, with ransomware serving as a decoy or bonus for the attackers.
The attackers spent up to two weeks inside the network before deploying Fog ransomware, indicating a thorough reconnaissance phase.
This incident highlights the importance of organizations monitoring for unusual open-source and commercial software deployments, as well as unexpected network persistence mechanisms.
The use of legitimate tools in attacks makes detection more challenging, requiring advanced behavioral analytics and robust endpoint protection.
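One concrete form the recommended behavioral monitoring can take, written here as an added example (not code from the report or from any of the tools named above): the four discovery commands GC2 ran in this incident are individually benign, but several distinct ones spawned by the same parent process within minutes is the signature of an implant, not a user. The host names, the parent image path and the 4688-style event layout are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Discovery commands reported in the Fog incident, matched against the
# normalized command line (cmd /c wrapper and quotes stripped, lowercased).
DISCOVERY_PATTERNS = {
    "whoami": re.compile(r"^whoami\b"),
    "net_use": re.compile(r"^net\s+use\b"),
    "ipconfig_all": re.compile(r"^ipconfig\s+/all\b"),
    "rdp_check": re.compile(r"^netstat\b.*\b3389\b"),
}
_CMD_WRAPPER = re.compile(r"^cmd(?:\.exe)?\s+/c\s+", re.IGNORECASE)

def classify(cmdline):
    """Return the discovery category of a command line, or None."""
    s = _CMD_WRAPPER.sub("", cmdline.strip().strip('"'))  # drop the cmd /c wrapper
    s = s.strip('"').lower().strip()                       # drop quoting of the inner command
    return next((n for n, p in DISCOVERY_PATTERNS.items() if p.search(s)), None)

def detect_discovery_bursts(events, window_seconds=600, min_distinct=3):
    """Flag each (host, parent image) that ran >= min_distinct distinct discovery
    commands within window_seconds. An implant such as GC2 is the parent of every
    command it spawns, so grouping by parent isolates the implant's burst."""
    hits = defaultdict(list)  # (host, parent) -> [(timestamp, category)]
    for ev in events:
        cat = classify(ev["cmdline"])
        if cat:
            hits[(ev["host"], ev["parent"])].append((datetime.fromisoformat(ev["ts"]), cat))
    alerts = []
    for (host, parent), seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):  # slide a window starting at each hit
            cats = {c for t, c in seq[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(cats) >= min_distinct:
                alerts.append({"host": host, "parent": parent, "categories": sorted(cats)})
                break
    return alerts

# Constructed 4688-style records (sample data, not from the incident). FIN-WS01 shows
# the implant-driven burst; FIN-WS02 is a user running two commands hours apart.
GC2 = "C:\\Users\\Public\\gc2.exe"  # hypothetical implant path
SAMPLE_EVENTS = [
    {"ts": "2025-05-10T09:00:01", "host": "FIN-WS01", "parent": GC2, "cmdline": "whoami"},
    {"ts": "2025-05-10T09:00:05", "host": "FIN-WS01", "parent": GC2, "cmdline": "net use"},
    {"ts": "2025-05-10T09:00:09", "host": "FIN-WS01", "parent": GC2, "cmdline": 'cmd /c "ipconfig /all"'},
    {"ts": "2025-05-10T09:00:12", "host": "FIN-WS01", "parent": GC2, "cmdline": 'cmd /c "netstat -anot|findstr 3389"'},
    {"ts": "2025-05-10T11:30:00", "host": "FIN-WS02", "parent": "C:\\Windows\\explorer.exe", "cmdline": "whoami"},
    {"ts": "2025-05-10T14:00:00", "host": "FIN-WS02", "parent": "C:\\Windows\\explorer.exe", "cmdline": 'cmd /c "ipconfig /all"'},
]
```

Running `detect_discovery_bursts(SAMPLE_EVENTS)` flags only FIN-WS01; the same commands spread over hours under explorer.exe on FIN-WS02 stay below the threshold.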
Indicators of Compromise
If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.
File indicators: