Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Unusual toolset used in recent Fog Ransomware attack

Fog ransomware operators used in a May 2025 attack unusual pentesting and monitoring tools, Symantec researchers warn. In May 2025, attackers hit an Asian financial firm with Fog ransomware, using rare tools like Syteca monitoring software and pentesting tools GC2, Adaptix, and Stowaway. Symantec researchers pointed out that the use of these tools is unusual […]

Reynolds ransomware uses BYOVD to disable security before encryption ransomware

Fog ransomware operators used in a May 2025 attack unusual pentesting and monitoring tools, Symantec researchers warn.

In May 2025, attackers hit an Asian financial firm with Fog ransomware, using rare tools like Syteca monitoring software and pentesting tools GC2, Adaptix, and Stowaway. Symantec researchers pointed out that the use of these tools is unusual for ransomware campaigns. Notably, attackers created a service post-attack to maintain access, a rare persistence move. The attackers remained in the network for two weeks before launching the ransomware, signaling a more calculated, long-term strategy.

Fog ransomware has been active since at least May 2024 and focused on U.S. schools. The threat initially spread via compromised VPNs. By late 2024, it exploited a severe Veeam VBR flaw (CVE-2024-40711, CVSS 9.8). In April 2025, attackers shifted to email-based infections, with ransom notes mocking Elon Musk’s DOGE agency and offering free decryption if victims infected others, highlighting its evolving and provocative tactics.

The researchers were not able to determine the initial infection vector in a recent Fog ransomware attack, however, experts thought Exchange Servers were involved. Attackers deployed rare tools, including GC2, which uses Google Sheets or SharePoint for C2, and the Syteca monitoring tool, possibly for espionage. They used Stowaway for delivery, PsExec/SMBExec for lateral movement, and removed evidence post-use. Attackers used tools like Adaptix C2, FreeFileSync, MegaSync, and Process Watchdog to steal data, maintain persistence, and control.

This ransomware attack was highly unusual due to the atypical toolset used, the researchers speculte that tools like Syteca, GC2, Stowaway, and Adaptix C2 are rarely seen in such cases. The attackers also established persistence post-ransomware deployment, which is uncommon. These signs suggest the attack may have had espionage motives, with ransomware possibly used as a decoy or secondary goal.

“These factors mean it could be possible that this company may in fact have been targeted for espionage purposes, with the ransomware attack merely a decoy, or perhaps also deployed in an attempt by the attackers to make some money while also carrying out their espionage activity.” concludes the report that includes indicators of compromise. “What we can say with certainty is that this was an unusual toolset to see in a ransomware attack and is worth noting for businesses and corporations wanting to guard against attacks by malicious actors. “

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fog ransomware)