{
	"id": "caeb0592-6bf3-45a0-bb92-7f660674cc3f",
	"created_at": "2026-04-06T01:31:54.365728Z",
	"updated_at": "2026-04-10T03:36:14.002097Z",
	"deleted_at": null,
	"sha1_hash": "55a2aee7663cbeedf5ea0cfe984a39e08657d645",
	"title": "FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 690135,
	"plain_text": "FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE\r\nBy Nathaniel Morales, Sarah Pearl Camiling\r\nPublished: 2025-04-21 · Archived: 2026-04-06 01:03:44 UTC\r\nIn our investigation of nine samples uploaded on VirusTotal, we found that FOG ransomware is being distributed by\r\ncybercriminals trolling users by abusing the name of the Department of Government Efficiency (DOGE), or\r\nindividuals connected to the government initiative.\r\nThe investigated LNK file contained in a ZIP file named “Pay Adjustment.zip” is being distributed via email and\r\nphishing attacks and shows the continued activity of FOG ransomware.\r\nTrend Vision One™ detects and blocks the FOG ransomware samples discussed in this blog. Trend Vision One\r\ncustomers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the\r\nlatest updates on FOG ransomware.\r\nDuring our monitoring of the ransomware threat landscape, we discovered samples with infection chain characteristics and\r\npayloads that can be attributed to FOG ransomware. A total of nine samples were uploaded to VirusTotal between 27 March\r\nand 2 April, which we recently discovered were multiple ransomware binaries with .flocked extension and readme.txt notes.\r\nWe observed that these samples initially dropped a note containing key names related to the Department of Government\r\nEfficiency (DOGE), an initiative of the current US administration that has been making headlines, recently about a member\r\nwho allegedly assisted a cybercrime group involved in data theft and cyberstalking an agent of the Federal Bureau of\r\nInvestigation (FBI). The note also contains instructions to spread the ransomware payload to other computers by pasting the\r\nprovided code in the note.
\r\nThe ransomware payload embedded in the samples has been verified as FOG ransomware, an active ransomware family\r\ntargeting both individuals and organisations. Our review of their leak site reveals that FOG ransomware has had 100 victims\r\nsince January this year; with the most victim counts in February at 53. The group declared 18 and 29 victims in January and\r\nMarch respectively. They also declared in their leak site that their victims come from the technology, education,\r\nmanufacturing and transportation sectors. Other victim sectors include enterprises from business services, healthcare, retail,\r\nand consumer services. Since June 2024, our threat intelligence has detected 173 counts of ransomware activity attributed to\r\nFOG ransomware among Trend customers. These detections have since been blocked. \r\nThe campaigns in this blog are carried out either by the original FOG ransomware operators and potentially using DOGE-related references to troll users, or by other actors embedding FOG ransomware into their binaries for impersonation.  \r\nFigure 1. The nine ransomware samples with .flocked extension and readme.txt notes uploaded on VirusTotal\r\nbetween 27 March to 2 April.\r\nInitial access\r\nWe observed that an LNK file contained in a ZIP file named “Pay Adjustment.zip” is being distributed via email and\r\nphishing attacks.\r\nhttps://www.trendmicro.com/en_be/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html\r\nPage 1 of 8\n\nFigure 2. The LNK file disguised as a PDF file.\r\nOnce clicked, the file will execute the following command by downloading a PowerShell script named “stage1.ps1”.\r\nFigure 3. The command executed when the malicious file is opened.\r\nSimilarly, the deobfuscated script in ransom note also executes the same PowerShell command by downloading and running\r\nthe “stage1.ps1”. \r\nFigure 4. 
The deobfuscated code that executes the same PowerShell command as Figure 3.\r\nThe downloaded PowerShell script “stage1.ps1” performs a multi-stage operation, retrieving a ransomware loader\r\n(cwiper.exe), ktool.exe and other PowerShell scripts. It also opens politically themed YouTube videos and includes written\r\npolitical commentary directly in the script.\r\nFigure 5. The PowerShell script stage1.ps1 contains political commentary in its script\r\nPayload contents\r\nIn the following section, we discuss other files we found in the payload samples investigated:\r\nThis script collects system information and exfiltrates it to a remote server.\r\nIt also fetches the IPv4 gateway IP, finds a MAC address and uses the Wigle API to get the infected system’s geolocation.\r\nIt also harvests hardware and system-level information from the host, such as the IP address, CPU configuration, and\r\nadditional system identifiers. \r\nLootsubmit.ps1 also sends all collected data to hxxps://hilarious-trifle-d9182e.netlify[.]app \r\nThis script contains base64 encoded code and is XOR’ed to 85 \r\nThis script is similar to lootsubmit.ps1, but with an updated Get-GatewayMACs function that includes ARP lookup\r\nfor MAC address resolution. \r\nOpens a QR code that directs to a Monero wallet address:\r\n8BejUQh2TAA5rUz3375hHM7JT8ND2i4u5hkVXc9Bcdw1PTrCrrDzayWBj6roJsE1EWBPGU4PMKohHWZUMopE8WkY7iA6U\r\nKtool.exe facilitates privilege escalation by exploiting the vulnerable Intel Network Adapter Diagnostic Driver,\r\niQVW64.sys. This driver is embedded within the binary and will be extracted to the %TEMP% folder. To utilise this\r\nfeature, the target process ID (PID) and a hardcoded key \"fd6c57fa3852aec8\" are provided as parameters.\r\nFigure 6. 
Ktool.exe facilitates privilege escalation by exploiting iQVW64.sys.\r\nDropper analysis \r\nWe have observed that prior to dropping its payload, the malware investigated checks various indicators, such as processor\r\ncount, RAM, MAC address, registry, and tick count, to detect a sandbox. If any check fails, it exits the process; otherwise, it\r\nlogs that no sandbox is detected. \r\nFigure 7. FOG ransomware checks for a sandbox; when it does not detect one, it logs it as such.\r\nWe also observed that the encrypted binary is embedded within the data section of the loader, which is then decrypted\r\nwith a specified key using the function shown in Figure 9.\r\nFigure 8. The encrypted binary is embedded in the data section of the loader.\r\nFigure 9. The specified key that decrypts the encrypted binary.\r\nThe loader also drops dbgLog.sys, a log file that records encryption-related events, just like previous versions of FOG\r\nransomware. Additionally, it drops a readme.txt file, which contains the ransom note identical to ones observed to have been\r\npreviously used by FOG ransomware. \r\nFigure 10. The log file dbgLog.sys records encryption-related events\r\nFigure 11. The ransom note that is identical to the ransom notes observed to have previously been used by\r\nFOG ransomware\r\nFigure 12. The initial ransom note dropped that uses DOGE-related references to troll\r\nThe ransomware payload embedded in the discovered samples has been verified as FOG ransomware and is detected as\r\nRansom.Win32.FOG.SMYPEFG. 
All discovered variants carry the same payload and only differ in the key used to decrypt\r\nthe payload.\r\nConclusion and security recommendations\r\nFOG ransomware is a relatively new ransomware family that enterprises must add to their watchlist. Regardless of the\r\norigins and motivations behind the FOG ransomware samples we investigated, whether executed by the original operators\r\nusing DOGE references for trolling purposes or by other actors embedding FOG ransomware into their binaries for\r\nimpersonation, the impact of a successful ransomware attack could still potentially cost enterprises financial loss and\r\noperational disruption. \r\nOutpace ransomware threats by monitoring indicators of compromise (IoCs) as part of a proactive cybersecurity defence.\r\nThis approach allows for early detection of threats, enhances security measures, supports forensic investigations, and effectively\r\ndisrupts the activities of cybercriminals. For researchers, tracking IoCs offers valuable insights into attack patterns, which\r\ncan help them develop more effective threat prevention strategies. SOCs should maximise tools that enable and help\r\nautomate these tasks. \r\nEnterprises can also implement the following security best practices:\r\nMaintain up-to-date, secure backups of all critical data. Regularly test restoration processes to ensure data can be\r\nrecovered quickly in the event of an attack.\r\nImplement network segmentation to limit the spread of ransomware across your organisation. 
By isolating sensitive\r\ndata and critical systems, you can prevent widespread damage.\r\nRegularly update and patch application software, operating systems, and other applications to ensure that you close\r\nvulnerabilities that attackers could exploit.\r\nConduct regular training sessions for employees to recognise phishing attempts and suspicious links.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralises cyber risk exposure\r\nmanagement, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent\r\nthreats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity\r\nleadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in\r\nransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase\r\ncontinuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on\r\nwhat matters most, and elevate security into a strategic partner for innovation. \r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat\r\nInsights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for\r\nemerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. 
By\r\nleveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively\r\nrespond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nFog Ransomware Concealed Within 'Trolling DOGE' Binary Loader \r\nTrend Vision One Threat Insights App\r\nEmerging Threats: Fog Ransomware Concealed Within Trolling DOGE Binary Loader\r\nHunting Queries \r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post\r\nwith data in their environment.\r\neventSubId: 101 AND objectFilePath: RANSOMNOTE.txt \r\nEncrypted File Activity Detected (*.flocked)  \r\neventSubId: 109 AND objectFilePath: /\\.flocked$/  \r\nRansomware Note Dropped in System Folders (readme.txt)  \r\neventSubId: 101 AND objectFilePath: /Users\\\\(Defaullt|Public)\\\\.*readme.txt/ \r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled. \r\nIndicators of Compromise (IoC)  \r\nDownload the list of IoCs here.  \r\nSource: https://www.trendmicro.com/en_be/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_be/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html"
	],
	"report_names": [
		"fog-ransomware-concealed-within-binary-loaders-linking-themselve.html"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439114,
	"ts_updated_at": 1775792174,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55a2aee7663cbeedf5ea0cfe984a39e08657d645.pdf",
		"text": "https://archive.orkl.eu/55a2aee7663cbeedf5ea0cfe984a39e08657d645.txt",
		"img": "https://archive.orkl.eu/55a2aee7663cbeedf5ea0cfe984a39e08657d645.jpg"
	}
}