Threat Hunter@Broadcom Software Blogs
//
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.
Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect.
This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers.
References :
- @VMblog: Specific details about the unconventional toolset used in the attack and the potential motives behind it.
- BleepingComputer: Fog ransomware attack uses unusual mix of legitimate and open-source tools
- SecureWorld News: Fog Ransomware Exploits Legitimate Monitoring Software in Sophisticated Attacks
- Broadcom Software Blogs: Fog Ransomware: Unusual Toolset Used in Recent Attack
- www.csoonline.com: multiple legitimate, unusual tools were used in a Fog ransomware attack, including one employed by Chinese hacking group APT41.
- Know Your Adversary: Threat actors are always adding new tools to their arsenal. This Symantec on Fog Ransomware proves it one more time. Among other uncommon tools, the adversary leveraged Syteca - a legitimate security solution, which enables recording on-screen activity, keystroke monitoring, etc.
- www.scworld.com: Fog ransomware uses legit monitoring software, open-source tools
- securityonline.info: SecurityOnline: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
- www.techradar.com: Fog ransomware attacks use employee monitoring tool to break into business networks
- securityonline.info: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
- www.sentinelone.com: Interpol disrupts major infostealer operation, Fog ransomware abuses pentesting tools, and zero-click AI flaw in MS 365 Copilot exposes data.
- ciso2ciso.com: Unusual toolset used in recent Fog Ransomware attack – Source: securityaffairs.com
- Jon Greig: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
- therecord.media: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
- aboutdfir.com: Fog ransomware attacks use employee monitoring tool to break into business networksÂ
FogÂransomware operators have expanded their arsenal to include legitimate and open source tools.
- securityaffairs.com: Unusual toolset used in recent Fog Ransomware attack
Classification:
- HashTags: #Ransomware #Fog #LivingOffTheLand
- Company: Symantec
- Target: Financial Institution
- Attacker: Fog
- Product: Syteca
- Feature: Employee monitoring
- Malware: Syteca
- Type: Ransomware
- Severity: Major
Pierluigi Paganini@Security Affairs
//
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.
GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.
References :
- bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been
targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
- cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
- The Hacker News: Shuckworm targets Western military mission
- Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
- gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
- securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
- BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
- securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
- Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
- www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
- www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
- securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
- The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
- www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
- PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
- www.scworld.com: Infected removable drives were used to spread the malware.
- Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- www.metacurity.com: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
- ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
- Metacurity: Before you head out for a much-deserved weekend break after this insane week, check out today's Metacurity for the most critical infosec developments you should know, including --China acknowledged US cyberattacks at a secret meeting, report --Cybersecurity industry is mum on SentinelOne EO, --Comptroller of the Currency lacked MFA on hacked email account, --Morocco confirms massive cyber attack, --Gamaredon is targeting Western military mission in Ukraine, --Ethical hacker stole $2.6m from Morpho Labs, --Sex chatbots leak information, --much more
- Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
- Security Latest: For the past decade, this group of FSB hackers—including “traitorâ€Â Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.
Classification:
|
|
FlagThis - #symantec
