Fog Ransomware: Unusual Toolset Used in Recent Attack
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A financial institution in Asia was targeted with Fog ransomware in May 2025 in an attack that used an atypical toolset, including legitimate employee monitoring software and open-source pentesting tools. The attackers deployed Syteca, GC2, Adaptix, and Stowaway, which are uncommon in ransomware attacks. They remained on the network for two weeks before deploying the ransomware and, unusually, established persistence afterward. The attack involved lateral movement, data theft, and attempts to delete evidence. The choice of tools and the post-deployment persistence suggest possible espionage motives alongside the ransomware deployment. This incident highlights the importance of guarding against such sophisticated and unusual attack methodologies.
OPENCTI LABELS:
espionage, lateral movement, fog, data theft, persistence, fog ransomware, cve-2024-40711, asia, unusual toolset, employee monitoring software, financial institution, pentesting tools