A financial institution in Asia was targeted by Fog ransomware in May 2025, using an atypical toolset that included legitimate employee monitoring software and open-source pentesting tools. The attackers deployed Syteca, GC2, Adaptix, and Stowaway, tools that are uncommon in ransomware attacks. They remained on the network for two weeks before deploying the ransomware and, unusually, established persistence afterward. The attack involved lateral movement, data theft, and attempts to delete evidence. The use of these tools and the post-deployment persistence suggest possible espionage motives alongside the ransomware deployment. This incident highlights the importance of guarding against such sophisticated and unusual attack methodologies.
Author: AlienVault
Related Tags:
financial institution
employee monitoring software
unusual toolset
asia
fog
FoggyWeb – S0661
cve-2024-40711
Fog Ransomware
T1569.002
Associated Indicators: