FlagThis - #fog

Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this -DOGE-themed ransomware campaign since January.

Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver.

The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing a LNK file disguised as a PDF.


References :

• cyberinsider.com: FOG Ransomware Impersonates U.S. DOGE to Infect Targets
• gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
• www.trendmicro.com: FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
• www.scworld.com: Fog ransomware notes troll with DOGE references, bait insider attacks
• gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
• securityonline.info: FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
• darkwebinformer.com: FOG Ransomware Attack Update for the 21st of April 2025
• bsky.app: DOGE-themed ransomware hit 100+ victims since January
• www.cybersecurity-insiders.com: The Fog Ransomware gang, which has been making headlines over the past week due to its increasingly audacious demands, is now requesting a staggering $1 trillion from its victims.
• The Register - Security: Fog ransomware channels Musk with demands for work recaps or a trillion bucks

Classification:

• HashTags: #FOGRansomware #DOGEImpersonation #PhishingAttack
• Company: Trend Micro
• Target: Multiple Sectors
• Attacker: Cybercriminals
• Feature: Phishing Campaign
• Malware: FOG
• Type: Ransomware
• Severity: Major

Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques.

The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity.


References :

• cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
• Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
• thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
• www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
• www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
• www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat
• cyberinsider.com: Cybercriminals are distributing FOG ransomware through phishing emails that spoof ties to the U.S. Department of Government Efficiency (DOGE), embedding politically themed messages and exploiting old vulnerabilities to compromise victims across multiple sectors.
• gbhackers.com: A new variant of the FOG ransomware has been identified, with attackers exploiting the name of the Department of Government Efficiency (DOGE) to mislead victims.
• www.trendmicro.com: This blog details our investigation of malware samples that conceal within them a FOG ransomware payload.

Classification:

• HashTags: #Ransomware #Cybersecurity #DOGE
• Company: Cyble
• Target: Organizations
• Attacker: DOGE
• Product: Ransomware
• Feature: Ransomware Analysis
• Malware: DOGE BIG BALLS Ransomware
• Type: Ransomware
• Severity: Major