CyberSecurity news

FlagThis - #fog

Threat Hunter@Broadcom Software Blogs //
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.

Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect.

This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers.

References:
  • @VMblog: Specific details about the unconventional toolset used in the attack and the potential motives behind it.
  • BleepingComputer: Fog ransomware attack uses unusual mix of legitimate and open-source tools
  • SecureWorld News: Fog Ransomware Exploits Legitimate Monitoring Software in Sophisticated Attacks
  • Broadcom Software Blogs: Fog Ransomware: Unusual Toolset Used in Recent Attack
  • www.csoonline.com: multiple legitimate, unusual tools were used in a Fog ransomware attack, including one employed by Chinese hacking group APT41.
  • Know Your Adversary: Threat actors are always adding new tools to their arsenal. This Symantec on Fog Ransomware proves it one more time. Among other uncommon tools, the adversary leveraged Syteca - a legitimate security solution, which enables recording on-screen activity, keystroke monitoring, etc.
  • www.scworld.com: Fog ransomware uses legit monitoring software, open-source tools
  • securityonline.info: SecurityOnline: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
  • www.techradar.com: Fog ransomware attacks use employee monitoring tool to break into business networks
  • www.sentinelone.com: Interpol disrupts major infostealer operation, Fog ransomware abuses pentesting tools, and zero-click AI flaw in MS 365 Copilot exposes data.
  • ciso2ciso.com: Unusual toolset used in recent Fog Ransomware attack – Source: securityaffairs.com
  • Jon Greig: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • therecord.media: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • aboutdfir.com: Fog ransomware attacks use employee monitoring tool to break into business networks. Fog ransomware operators have expanded their arsenal to include legitimate and open source tools.
  • securityaffairs.com: Unusual toolset used in recent Fog Ransomware attack
Classification:
  • HashTags: #Ransomware #Fog #LivingOffTheLand
  • Company: Symantec
  • Target: Financial Institution
  • Attacker: Fog
  • Product: Syteca
  • Feature: Employee monitoring
  • Malware: Syteca
  • Type: Ransomware
  • Severity: Major
Nathaniel Morales@feeds.trendmicro.com //
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this DOGE-themed ransomware campaign since January.

Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver.
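The two summaries above hand a defender two concrete hunting observables: the Symantec item notes that process creation events whose file product name is "syteca" can be hunted for (and that the client was launched remotely via PsExec/SMBExec), and this item names the PowerShell script ("stage1.ps1") launched by the LNK posing as a PDF. The script below is an added example, not code from Symantec, Trend Micro or any of the cited reports. It runs both hunts over constructed process-creation events shaped like Sysmon Event ID 1 records (Image, CommandLine, ParentImage, Product); the hostnames, the allow-list of hosts expected to run Syteca, and the parent-image names treated as remote-execution launchers are assumptions made for the example.

```python
"""
Added example: hunt process-creation telemetry for the observables named in the
Fog write-ups. Not the vendors' code. Event fields follow Sysmon Event ID 1
naming; every event, hostname and path below is constructed for this example.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str           # full path of the started process
    command_line: str
    parent_image: str
    product: str         # PE version-resource "Product", as Sysmon reports it


# Constructed sample telemetry: one Syteca client launched by the PsExec service,
# one PowerShell launch of stage1.ps1 from explorer.exe (user double-clicked the
# shortcut), and one benign event.
SAMPLE_EVENTS = [
    ProcessEvent("fin-ws-17", r"C:\Program Files\Syteca\SytecaAgent.exe", "SytecaAgent.exe",
                 r"C:\Windows\PSEXESVC.exe", "Syteca"),
    ProcessEvent("fin-ws-22", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -ep bypass -f "C:\\Users\\j.doe\\AppData\\Local\\Temp\\stage1.ps1"',
                 r"C:\Windows\explorer.exe", "Microsoft Windows Operating System"),
    ProcessEvent("fin-ws-03", r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 r"C:\Windows\explorer.exe", "Microsoft Windows Operating System"),
]

# Hosts where the monitoring agent is legitimately deployed (assumed allow-list);
# the rule stays quiet for them and alerts everywhere else.
SYTECA_EXPECTED_HOSTS = {"hr-ws-01"}

# Assumed parent images for a PsExec service launch and an SMBExec-style cmd launch.
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "cmd.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt_syteca(events, expected_hosts=SYTECA_EXPECTED_HOSTS):
    """Findings for processes whose Product is Syteca on hosts not expected to run it.
    A launch from a remote-execution parent is rated higher, matching the
    PsExec/SMBExec usage described in the Symantec summary."""
    findings = []
    for ev in events:
        if "syteca" not in ev.product.lower() or ev.host in expected_hosts:
            continue
        parent = _basename(ev.parent_image)
        severity = "high" if parent in REMOTE_EXEC_PARENTS else "medium"
        findings.append({"rule": "syteca_unexpected_host", "host": ev.host,
                         "severity": severity, "image": ev.image, "parent": parent})
    return findings


STAGE1_RE = re.compile(r"stage1\.ps1", re.IGNORECASE)


def hunt_stage1_powershell(events):
    """Findings for PowerShell started with stage1.ps1 on its command line."""
    findings = []
    for ev in events:
        if _basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
            continue
        if not STAGE1_RE.search(ev.command_line):
            continue
        findings.append({"rule": "stage1_ps1_launch", "host": ev.host, "severity": "high",
                         "parent": _basename(ev.parent_image),
                         "command_line": ev.command_line})
    return findings


def run_hunts(events=SAMPLE_EVENTS):
    """Run both hunts and return the combined list of findings."""
    return hunt_syteca(events) + hunt_stage1_powershell(events)


if __name__ == "__main__":
    for finding in run_hunts():
        print(finding)
```

The product-name match is the low-noise part of the Syteca rule only because of the allow-list: on an estate where the agent is genuinely deployed, the interesting signal is the host set and the parent process, not the product string itself. The stage1.ps1 rule is deliberately narrow to the name the report gives; in practice it would be one of several command-line patterns feeding the same finding format.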

The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing an LNK file disguised as a PDF.

References:
  • cyberinsider.com: FOG Ransomware Impersonates U.S. DOGE to Infect Targets
  • gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
  • www.trendmicro.com: FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
  • www.scworld.com: Fog ransomware notes troll with DOGE references, bait insider attacks
  • securityonline.info: FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
  • darkwebinformer.com: FOG Ransomware Attack Update for the 21st of April 2025
  • bsky.app: DOGE-themed ransomware hit 100+ victims since January
  • www.cybersecurity-insiders.com: The Fog Ransomware gang, which has been making headlines over the past week due to its increasingly audacious demands, is now requesting a staggering $1 trillion from its victims.
  • The Register - Security: Fog ransomware channels Musk with demands for work recaps or a trillion bucks
Classification:
  • HashTags: #FOGRansomware #DOGEImpersonation #PhishingAttack
  • Company: Trend Micro
  • Target: Multiple Sectors
  • Attacker: Cybercriminals
  • Feature: Phishing Campaign
  • Malware: FOG
  • Type: Ransomware
  • Severity: Major
@nvd.nist.gov //
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques.

The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity.

References:
  • cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
  • Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
  • thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat
  • cyberinsider.com: Cybercriminals are distributing FOG ransomware through phishing emails that spoof ties to the U.S. Department of Government Efficiency (DOGE), embedding politically themed messages and exploiting old vulnerabilities to compromise victims across multiple sectors.
  • gbhackers.com: A new variant of the FOG ransomware has been identified, with attackers exploiting the name of the Department of Government Efficiency (DOGE) to mislead victims.
  • www.trendmicro.com: This blog details our investigation of malware samples that conceal within them a FOG ransomware payload.
Classification: