Unusual toolset used in recent Fog Ransomware attack

Fog ransomware operators used in a May 2025 attack unusual pentesting and monitoring tools, Symantec researchers warn.

In May 2025, attackers hit an Asian financial firm with Fog ransomware, using rare tools like Syteca monitoring software and pentesting tools GC2, Adaptix, and Stowaway. Symantec researchers pointed out that the use of these tools is unusual for ransomware campaigns. Notably, attackers created a service post-attack to maintain access, a rare persistence move. The attackers remained in the network for two weeks before launching the ransomware, signaling a more calculated, long-term strategy.

Fog ransomware has been active since at least May 2024 and focused on U.S. schools. The threat initially spread via compromised VPNs. By late 2024, it exploited a severe Veeam VBR flaw (CVE-2024-40711, CVSS 9.8). In April 2025, attackers shifted to email-based infections, with ransom notes mocking Elon Musk’s DOGE agency and offering free decryption if victims infected others, highlighting its evolving and provocative tactics.

The researchers were not able to determine the initial infection vector in a recent Fog ransomware attack, however, experts thought Exchange Servers were involved. Attackers deployed rare tools, including GC2, which uses Google Sheets or SharePoint for C2, and the Syteca monitoring tool, possibly for espionage. They used Stowaway for delivery, PsExec/SMBExec for lateral movement, and removed evidence post-use. Attackers used tools like Adaptix C2, FreeFileSync, MegaSync, and Process Watchdog to steal data, maintain persistence, and control.

This ransomware attack was highly unusual due to the atypical toolset used, the researchers speculte that tools like Syteca, GC2, Stowaway, and Adaptix C2 are rarely seen in such cases. The attackers also established persistence post-ransomware deployment, which is uncommon. These signs suggest the attack may have had espionage motives, with ransomware possibly used as a decoy or secondary goal.

“These factors mean it could be possible that this company may in fact have been targeted for espionage purposes, with the ransomware attack merely a decoy, or perhaps also deployed in an attempt by the attackers to make some money while also carrying out their espionage activity.” concludes the report that includes indicators of compromise. “What we can say with certainty is that this was an unusual toolset to see in a ransomware attack and is worth noting for businesses and corporations wanting to guard against attacks by malicious actors. “

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fog ransomware)