Fog Ransomware Actors Exploits Pentesting Tools to Exfiltrate Data and Deploy Ransomware
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The Fog ransomware group has evolved beyond conventional attack methods, deploying an unprecedented arsenal of legitimate pentesting tools in a sophisticated May 2025 campaign targeting a financial institution in Asia.<\/p>\n
This latest operation marks a significant departure from typical ransomware tactics, incorporating employee monitoring software and open-source penetration testing frameworks previously unseen in the ransomware landscape.<\/p>\n
The attack demonstrates how threat actors are increasingly blurring the lines between espionage and financial cybercrime.<\/p>\n
The attackers maintained persistent access to the victim\u2019s network for approximately two weeks before deploying their ransomware payload, utilizing a diverse toolkit that included the legitimate Syteca employee monitoring software, GC2 command-and-control framework, Adaptix C2 Agent Beacon, and Stowaway proxy tools<\/a>.<\/p>\n Initial compromise vectors targeted Exchange Servers, though investigators could not definitively establish the precise entry point.<\/p>\n The attackers leveraged these tools for reconnaissance, lateral movement, and data exfiltration, employing discovery commands such as Symantec analysts identified<\/a> the attack as particularly unusual due to the deployment of tools not commonly associated with ransomware operations.<\/p>\n The GC2 tool, which utilizes Google Sheets or Microsoft SharePoint for command execution and file exfiltration, had previously been observed in APT41 operations but represents a novel addition to ransomware arsenals.<\/p>\n The attackers configured GC2 to poll remote commands while maintaining stealth through legitimate cloud services, effectively bypassing traditional network monitoring<\/a> solutions.<\/p>\n Most notably, the attackers demonstrated exceptional persistence by establishing service-based backdoors several days after ransomware<\/a> deployment, creating a service named \u201cSecurityHealthIron\u201d with the description \u201cCollect performance information about an application by using command-line tools\u201d.<\/p>\n This post-ransomware persistence mechanism suggests potential dual-purpose operations, where traditional ransomware activities may serve as cover for ongoing espionage activities.<\/p>\n The establishment of persistence mechanisms following ransomware deployment represents a paradigm shift in threat actor behavior.<\/p>\n The creation of the SecurityHealthIron service using This technique, combined with process watchdog programs monitoring GC2 operations, suggests that Fog operators view ransomware as one component of broader intelligence<\/a> gathering campaigns rather than terminal attack objectives.<\/p>\n Automate threat response with ANY.RUN\u2019s TI Feeds\u2014Enrich alerts and block malicious IPs across all endpoints<\/strong>\u00a0->\u00a0Request full access<\/strong><\/a><\/strong><\/p>\n The post Fog Ransomware Actors Exploits Pentesting Tools to Exfiltrate Data and Deploy Ransomware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nwhoami<\/code>, net use<\/code>, and network enumeration techniques to map the target environment.<\/p>\nAdvanced Persistence and Dual-Purpose Operations<\/strong><\/h2>\n
sc create<\/code> commands indicates sophisticated planning beyond immediate financial gain.<\/p>\n