{
	"id": "3cd3b366-3b98-4255-ac0d-b42a86bc729a",
	"created_at": "2026-04-06T00:10:13.422593Z",
	"updated_at": "2026-04-10T13:12:57.285128Z",
	"deleted_at": null,
	"sha1_hash": "152d467da1375efc847d7474cbf2324647ccee01",
	"title": "Fog Ransomware: Unusual Toolset Used in Recent Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73642,
	"plain_text": "Fog Ransomware: Unusual Toolset Used in Recent Attack\r\nArchived: 2026-04-05 14:44:56 UTC\r\nA May 2025 attack on a financial institution in Asia saw the Fog ransomware deployed alongside an unusual toolset, including dual-use and open-source pentesting tools we have not previously observed in ransomware attacks.\r\nThe attackers used legitimate employee monitoring software called Syteca (formerly Ekran), which is highly unusual and not something we have seen in a ransomware attack chain before. They also deployed several open-source pentesting tools, GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks.\r\nAlso notable in this attack was that, a few days after the ransomware was deployed, the attackers created a service to establish persistence. This is an unusual step in a ransomware attack: malicious activity usually ceases on a network once the attackers have exfiltrated data and deployed the ransomware, but the attackers in this incident appeared to want to retain access to the victim’s network.\r\nThe attackers were on the target’s network for about two weeks before they deployed the ransomware.\r\nThe Fog ransomware was first documented in May 2024, and initially appeared to be primarily focused on targeting educational institutions in the U.S. In those early attacks, attackers using Fog gained initial access to networks with compromised VPN credentials.\r\nIt was reported in October 2024 that attackers using Fog were targeting a critical vulnerability (CVE-2024-40711, CVSS 9.8) in Veeam Backup \u0026 Replication (VBR) servers, which had been patched in September 2024. Meanwhile, in April 2025, Fog attackers were reported to be using email as an initial infection vector in ransomware attacks in which the language of the ransom notes appeared to mock Elon Musk’s Department of Government Efficiency (DOGE) in an effort to goad victims. Also notable in that campaign was that the ransom notes offered a “decrypt for free” option if the victim chose to spread the ransomware to somebody else's computer.\r\nToolset\r\nThe initial infection vector used by the attackers in this recent incident isn't known. Two of the infected machines were Exchange Servers. While there was no evidence to suggest they were the initial infection vector, exploiting vulnerabilities in Exchange Servers is a common initial infection vector for ransomware actors.\r\nThe first suspicious activity on the network was the installation of multiple open-source, post-exploitation penetration testing tools, including variants of the GC2 tool. GC2 is an open-source tool that allows an attacker to execute commands on target machines using Google Sheets or a Microsoft SharePoint List and to exfiltrate files using Google Drive or Microsoft SharePoint documents. The GC2 implant polls the Google Sheet or SharePoint List for each operator command, uses the same sheet or list to store the command output and a log, and records the polling interval it is configured with.\r\nhttps://www.security.com/threat-intelligence/fog-ransomware-attack\r\nPage 1 of 6\n\nThe attackers used it for various discovery commands:\r\nwhoami\r\nnet use\r\ncmd /c \"ipconfig /all\"\r\ncmd /c \"netstat -anot|findstr 3389\"\r\nWhen communicating with the remote attacker, the GC2 tool also checks for the following commands:\r\n\"exit\"\r\n\"load\" (added functionality): loads an arbitrary file and executes it as shellcode\r\n\"upload\"\r\n\"download\"\r\nIt contains two embedded configuration blobs in encoded form.\r\nThis tool is not something we have seen used in ransomware attacks before, though it was used in an attack carried out by the Chinese nation-state backed actor APT41 in 2023.\r\nThe open-source Stowaway proxy tool was used to deliver the Syteca (formerly Ekran) executable. It is not clear exactly what the attackers used the Syteca tool for. In the attack, the file is named 'sytecaclient.exe', but it also appears with the name 'update.exe'. Syteca is legitimate employee monitoring software that can record onscreen activity and monitor keystrokes, among other capabilities.\r\nSeveral libraries are loaded by this executable, suggesting it was possibly used for information stealing or spying, which would be the most likely reason the attackers would deploy it given the keylogging and screen capture capabilities of the tool. Note that the command lines recorded for these libraries invoke regsvr32 with /s /u, which silently unregisters a DLL rather than registering or loading it, so they fit the Syteca removal activity described next rather than ordinary runtime loading.\r\nCSIDL_SYSTEM\\regsvr32.exe\" /s /u [REDACTED] Files\\Ekran System\\Ekran System\\Client\\SoundCapture_7.20.576.0.dll\"\"\r\nCSIDL_SYSTEM\\regsvr32.exe\" /s /u [REDACTED] Files\\Ekran System\\Ekran System\\Client\\x86\\SoundCapture_7.20.576.0.dll\"\"\r\nCSIDL_SYSTEM\\regsvr32.exe\" /s /u [REDACTED] Files\\Ekran System\\Ekran System\\Client\\CredentialProviderWrapper.dll\"\"\r\nCSIDL_SYSTEM\\regsvr32.exe\" /s /u [REDACTED] Files\\Ekran System\\Ekran System\\Client\\CredentialProviderWrapper_7.20.576.0.dll\"\"\r\nSeveral commands that look like they are removing or killing the Syteca executable are also executed. This appears to be an attempt by the attackers to delete indicators and evidence of their activity on the network in an effort to avoid detection.\r\nCSIDL_SYSTEM\\taskkill.exe /f /im \"EkranClient.exe\"\r\nCSIDL_SYSTEM\\taskkill.exe /f /im \"EkranClientSession.exe\"\r\nCSIDL_SYSTEM\\taskkill.exe /f /im \"EkranController.exe\"\r\nCSIDL_SYSTEM\\taskkill.exe /f /im \"grpcwebproxy.exe\"\r\nCSIDL_SYSTEM\\taskkill.exe /f /im \"PamConnectionManager.exe\"\r\nCSIDL_SYSTEM_DRIVE\\program files\\ekran system\\ekran system\\tmp\\usbdriverinstaller.exe\" -u [REDACTED]\r\nCSIDL_SYSTEM_DRIVE\\program files\\ekran system\\ekran system\\tmp\\usbolddriveruninstaller.exe\r\nPsExec was also used to remove the Syteca client configuration file and binary, another attempt by the attackers to delete evidence of the presence of Syteca on the network:\r\npsexec64.exe -accepteula \\\\192.168.8.52 -u \u003c?,?\u003e -p \u003c?,?\u003e -h -s cmd /c \"del C:\\users\\public\\SytecaClient.ini\"\r\npsexec64.exe -accepteula \\\\192.168.8.150 -u \u003c?,?\u003e -p \u003c?,?\u003e -h -s cmd /c \"rm C:\\users\\public\\SytecaClient.exe\"\r\nPsExec and SMBExec were also used alongside Syteca and GC2 for lateral movement across the victim network.\r\nSMBExec was used to launch Syteca:\r\ncmd.exe /Q /c SytecaClient.exe 1\u003e \\\\127.0.0.1\\ADMIN$\\__1748095766.8385904 2\u003e\u00261\r\nPsExec was used to laterally execute a suspected process watchdog/launcher for the GC2 backdoor (note the misspelled -accepteual flag in the recorded command line):\r\npsexec64.exe -accepteual \\\\192.168.8.52 -u \u003c?,?\u003e -p \u003c?,?\u003e -h -s cmd /c \"CSIDL_COMMON_APPDATA\\microsoft\\devicesync\\windowsdevicesync.exe\"\r\nSMBExec and PsExec are both dual-use tools commonly used by ransomware attackers:\r\nPsExec: Microsoft Sysinternals tool for executing processes on other systems. Attackers primarily use it to move laterally on victim networks.\r\nSMBExec: Open-source lateral movement tool.\r\nFor data theft, the attackers downloaded multiple file transfer utilities, FreeFileSync and MegaSync, and used 7-Zip to archive sensitive directories.\r\n7-Zip: Legitimate open-source file archiver with a high compression ratio.\r\nFreeFileSync: An open-source folder comparison and synchronization tool.\r\nMegaSync: A synchronization tool for the Mega file hosting platform.\r\nOther tools used on the target’s network include the Adaptix C2 Agent Beacon, a component of Adaptix C2, an open-source, extensible post-exploitation and adversary emulation framework designed for use by penetration testers. The variant used on the target’s network in this incident contained a configuration blob in encrypted form. Adaptix can be considered an open-source alternative to the well-known Cobalt Strike framework. The Adaptix beacon agent is similar to the Cobalt Strike beacon: once implanted on a victim machine, it calls back to the attacker and provides command and control (C\u0026C) access.\r\nThe attackers also used Process Watchdog, a program that continuously enumerates running processes looking for a specific process, in this case the GC2 process with the filename AppxModels.exe, and creates that process if it is not found on the machine.\r\nC:\\ProgramData\\Microsoft\\Windows\\Models\\AppxModels.exe\r\nOn the day the Fog ransomware was deployed, the Impacket SMB tool was also used, suggesting it may have been used to deploy the ransomware.\r\nNotably, several days after the ransomware was deployed, a service was created to establish persistence on the victim network. This is likely another process watchdog used to launch one of the attacker’s command and control tools, such as GC2.\r\nsc create SecurityHealthIron binPath= \"CSIDL_SYSTEM\\diagsvcs\\runtimebroker.exe\" start= auto DisplayName= \"Collect performance information about an application by using command-line tools.\"\r\nsc start SecurityHealthIron\r\nAn unusual ransomware attack\r\nThere are a few things that mark this ransomware attack out as unusual. The toolset deployed by the attackers is quite atypical for a ransomware attack. The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adaptix C2 Agent Beacon are also unusual tools to see in a ransomware attack.\r\nThe attackers establishing persistence on a victim network after deploying the ransomware is also not something we would typically see in a ransomware attack.\r\nThese factors raise the possibility that this company was in fact targeted for espionage purposes, with the ransomware attack merely a decoy, or perhaps also deployed in an attempt by the attackers to make some money while also carrying out their espionage activity.\r\nWhat we can say with certainty is that this was an unusual toolset to see in a ransomware attack and is worth noting for businesses and corporations wanting to guard against attacks by malicious actors.
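Pulling the observed command lines together, here is a small added example, written for this page and not code from the Symantec report, of detection logic run over constructed process-creation events. It flags the taskkill and regsvr32 /u activity against the Syteca client, PsExec launched with -s -h against remote hosts, the Impacket smbexec output redirection into ADMIN$, and an sc create service whose binary borrows a system binary name (runtimebroker.exe) from a non-standard directory. The host names, file paths, REDACTED credential placeholders and the expansion of CSIDL_SYSTEM / CSIDL_COMMON_APPDATA to the System32 and ProgramData directories are assumptions, and the rule names are this example's own.

```python
# Added example for this write-up, not code from the Symantec report: a hunt
# over constructed process-creation events (fields modelled on a parsed Sysmon
# Event ID 1 / Security 4688 record), keyed on the command lines the report
# records. Assumption: the CSIDL_ placeholders expand to System32/ProgramData.

# Process names the attackers killed with taskkill; in production this would be
# your own monitoring and EDR agent names rather than the Syteca/Ekran ones.
MONITORING_IMAGES = {
    'ekranclient.exe', 'ekranclientsession.exe', 'ekrancontroller.exe',
    'grpcwebproxy.exe', 'pamconnectionmanager.exe',
}
# Windows binary names that are only legitimate directly under System32.
SYSTEM_BINARY_NAMES = {'runtimebroker.exe', 'svchost.exe', 'dllhost.exe'}
SYSTEM_DIR = 'c:\\windows\\system32'


def tokenize(cmdline):
    # Split a Windows command line on whitespace, keeping quoted arguments
    # (paths with spaces) together; the quote characters themselves are dropped.
    tokens, cur, quoted = [], '', False
    for ch in cmdline:
        if ch == '\"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
                cur = ''
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def dirname(path):
    return path.rsplit('\\', 1)[0].lower() if '\\' in path else ''


def classify(event):
    # Return (rule, detail) findings for one process-creation event.
    image = basename(event['image'])
    argv = tokenize(event['cmdline'])
    low = [a.lower() for a in argv]
    findings = []
    # 1. taskkill /f /im against a monitoring or security agent.
    if image == 'taskkill.exe' and '/im' in low:
        i = low.index('/im')
        if i + 1 < len(low) and low[i + 1] in MONITORING_IMAGES:
            findings.append(('agent-kill', low[i + 1]))
    # 2. regsvr32 /u silently unregistering a monitoring-product DLL.
    if image == 'regsvr32.exe' and '/u' in low:
        dll = next((a for a in argv if a.lower().endswith('.dll')), '')
        if 'ekran system' in dll.lower():
            findings.append(('agent-dll-unregister', dll))
    # 3. PsExec run as SYSTEM (-s) with an elevated token (-h) on a remote host.
    #    Keying on -s/-h rather than on -accepteula means the mistyped
    #    -accepteual seen in the report still matches.
    if image.startswith('psexec') and '-s' in low and '-h' in low:
        host = next((a for a in argv if a.startswith('\\\\')), '?')
        findings.append(('psexec-system-remote', host))
    # 4. Impacket smbexec: command output redirected into ADMIN$ via loopback.
    if image == 'cmd.exe' and '\\\\127.0.0.1\\admin$\\__' in event['cmdline'].lower():
        findings.append(('smbexec-output-pipe', event['cmdline']))
    # 5. sc create of a service whose binary borrows a system binary name but
    #    lives outside System32 (runtimebroker.exe under diagsvcs in the report).
    if image == 'sc.exe' and len(low) > 1 and low[1] == 'create':
        for i, a in enumerate(low):
            if a == 'binpath=' and i + 1 < len(argv):
                target = argv[i + 1]
                if basename(target) in SYSTEM_BINARY_NAMES and dirname(target) != SYSTEM_DIR:
                    findings.append(('masquerading-service', target))
    return findings


def hunt(events):
    # Run every rule over every event; returns (host, rule, detail) triples.
    return [(ev['host'], rule, detail) for ev in events for rule, detail in classify(ev)]


# Constructed sample events modelled on the report's command lines; hosts,
# paths and the REDACTED credentials are placeholders, not observed values.
EVENTS = [
    {'host': 'WS-052', 'image': 'C:\\Windows\\System32\\taskkill.exe',
     'cmdline': 'taskkill.exe /f /im \"EkranClient.exe\"'},
    {'host': 'WS-052', 'image': 'C:\\Windows\\System32\\regsvr32.exe',
     'cmdline': '\"C:\\Windows\\System32\\regsvr32.exe\" /s /u \"C:\\Program Files\\Ekran System\\Ekran System\\Client\\CredentialProviderWrapper.dll\"'},
    {'host': 'SRV-EXCH1', 'image': 'C:\\Tools\\psexec64.exe',
     'cmdline': 'psexec64.exe -accepteula \\\\192.168.8.52 -u REDACTED -p REDACTED -h -s cmd /c \"del C:\\users\\public\\SytecaClient.ini\"'},
    {'host': 'SRV-EXCH1', 'image': 'C:\\Tools\\psexec64.exe',
     'cmdline': 'psexec64.exe -accepteual \\\\192.168.8.52 -u REDACTED -p REDACTED -h -s cmd /c \"C:\\ProgramData\\microsoft\\devicesync\\windowsdevicesync.exe\"'},
    {'host': 'WS-150', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'cmd.exe /Q /c SytecaClient.exe 1> \\\\127.0.0.1\\ADMIN$\\__1748095766.8385904 2>&1'},
    {'host': 'WS-150', 'image': 'C:\\Windows\\System32\\sc.exe',
     'cmdline': 'sc create SecurityHealthIron binPath= \"C:\\Windows\\System32\\diagsvcs\\runtimebroker.exe\" start= auto DisplayName= \"Collect performance information about an application by using command-line tools.\"'},
    # A benign record that must not fire: registration without /u.
    {'host': 'WS-150', 'image': 'C:\\Windows\\System32\\regsvr32.exe',
     'cmdline': 'regsvr32.exe /s C:\\Windows\\System32\\jscript.dll'},
]

if __name__ == '__main__':
    for host, rule, detail in hunt(EVENTS):
        print(host, rule, detail)
```

Run the file directly to print the six hits; in practice you would feed it parsed Sysmon or 4688 records and replace the Syteca image names with your own agent's. The agent-kill rule is the most portable of the five: an attacker who stops your monitoring agent by name with taskkill /f /im produces the same telemetry whatever the agent is called, while the masquerading-service rule depends on keeping SYSTEM_BINARY_NAMES and SYSTEM_DIR accurate for your environment.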
\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nFile indicators\r\n181cf6f9b656a946e7d4ca7c7d8a5002d3d407b4e89973ecad60cee028ae5afa – Fog ransomware\r\n90a027f44f7275313b726028eaaed46f6918210d3b96b84e7b1b40d5f51d7e85 – Process Watchdog\r\nf6cfd936a706ba56c3dcae562ff5f75a630ff5e25fcb6149fe77345afd262aab – Process Watchdog\r\nfcf1da46d66cc6a0a34d68fe79a33bc3e8439affdee942ed82f6623586b01dd1 – Process Watchdog\r\n4d80c6fcd685961e60ba82fa10d34607d09dacf23d81105df558434f82d67a5e – Likely Process Watchdog\r\n8ed42a1223bfaec9676780137c1080d248af9ac71766c0a80bed6eb4a1b9b4f1 – Likely Process Watchdog\r\ne1f571f4bc564f000f18a10ebb7ee7f936463e17ebff75a11178cc9fb855fca4 – Likely Process Watchdog\r\nf1c22cbd2d13c58ff9bafae2af33c33d5b05049de83f94b775cdd523e393ec40 – Likely Process Watchdog\r\n279f32c2bb367cc50e053fbd4b443f315823735a3d78ec4ee245860043f72406 – Likely Process Watchdog\r\nb448321baae50220782e345ea629d4874cbd13356f54f2bbee857a90b5ce81f6 – Likely Process Watchdog\r\nf37c62c5b92eecf177e3b7f98ac959e8a67de5f8721da275b6541437410ffae1 – GC2-sheet\r\n3d1d4259fc6e02599a912493dfb7e39bd56917d1073fdba3d66a96ff516a0982 – GC2-sheet\r\n982d840de531e72a098713fb9bd6aa8a4bf3ccaff365c0f647e8a50100db806d – Likely GC2-sheet\r\nfd9f6d828dea66ccc870f56ef66381230139e6d4d68e2e5bcd2a60cc835c0cc6 – Syteca executable\r\nbb4f3cd0bc9954b2a59d6cf3d652e5994757b87328d51aa7b1c94086b9f89be0 – Stowaway\r\nba96c0399319848da3f9b965627a583882d352eb650b5f60149b46671753d7dd – Adaptix C2 Beacon Agent\r\n44bb7d9856ba97271d8f37896071b72dfbed2d9fb6c70ac1e70247cddbd54490 – Likely Adaptix C2 Beacon Agent\r\n13d70c27dfa36ba3ae1b10af6def9bf34de81f6e521601123a5fa5b20477f277 – Stowaway\r\nNetwork IOCs\r\n66.112.216[.]232\r\namanda[.]protoflint[.]com\r\nSource: https://www.security.com/threat-intelligence/fog-ransomware-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.security.com/threat-intelligence/fog-ransomware-attack"
	],
	"report_names": [
		"fog-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/152d467da1375efc847d7474cbf2324647ccee01.pdf",
		"text": "https://archive.orkl.eu/152d467da1375efc847d7474cbf2324647ccee01.txt",
		"img": "https://archive.orkl.eu/152d467da1375efc847d7474cbf2324647ccee01.jpg"
	}
}