Fog Ransomware: Unusual Toolset Used in Recent Attack
A May 2025 attack on a financial institution in Asia saw the Fog ransomware deployed, alongside an unusual toolset, including some dual-use and open-source pentesting tools we have not observed being used in ransomware attacks previously.
The attackers used Syteca (formerly Ekran), a legitimate employee monitoring software product, which is highly unusual and not something we have seen used in a ransomware attack chain before. They also deployed several open-source pentesting tools (GC2, Adaptix, and Stowaway) that are not commonly used during ransomware attacks.
Also notable in this attack was that, a few days after the ransomware was deployed, the attackers created a service to establish persistence. This is an unusual step to see in a ransomware attack: malicious activity usually ceases on a network once the attackers have exfiltrated data and deployed the ransomware, but the attackers in this incident appeared to wish to retain access to the victim’s network.
To read the complete article, see: Fog Ransomware Attack.