A recent Fog ransomware attack stands out due to the use of a series of legitimate tools previously unseen in ransomware attacks, Symantec reports.
The attack was carried out in May 2025 against a financial institution in Asia and relied on Syteca (formerly Ekran), a legitimate employee monitoring software, and several open source pentesting utilities, namely GC2, Adaptix, and Stowaway.
The attackers compromised the organization’s network two weeks before deploying ransomware, and infected two Exchange servers in the process. The infection chain started with the open source penetration testing tools.
One of the utilities, GC2, can be used to execute commands using Google Sheets or Microsoft SharePoint List, and to exfiltrate data via Google Drive or Microsoft SharePoint documents. The tool was previously used by the Chinese state-sponsored hacking group APT41 in 2023.
The Fog attack also involved the use of Stowaway, an open source proxy utility, to deploy Syteca, a legitimate employee monitoring application that supports screen recording and keystroke monitoring, among other capabilities.
“Several libraries are loaded by this executable, suggesting it was possibly used for information stealing or spying, which would be the most likely reason the attackers would deploy it given the keylogging and screen capture capabilities of the tool,” Symantec notes.
The attackers were also seen executing commands to remove Syteca, and employing PsExec and SMBExec, along with Syteca and GC2, for lateral movement. File transfer utilities such as FreeFileSync and MegaSync were used for data exfiltration.
Additionally, the Adaptix C2 Agent Beacon, a component of an open source post-exploitation and adversarial emulation framework, was deployed. The tool, which is similar to Cobalt Strike, enables command-and-control (C&C) access.
The attackers also created a service to establish persistence on the infected network several days before the ransomware was deployed. Impacket was likely used to execute Fog.
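As an added defender-side example that is not part of Symantec's report or this article, the following Python hunt looks for the combination described above (proxy, monitoring software, C2 agent, lateral movement and sync/exfiltration tools appearing on one host within the two-week dwell time) in constructed process-creation records. The tool-to-phase mapping, host names, timestamps and image names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names come from the report summarised above; grouping them into
# phases is an assumption made for this hunt, not something the report states.
TOOL_PHASES = {
    "gc2": "c2", "adaptix": "c2", "stowaway": "proxy",
    "syteca": "monitoring", "ekran": "monitoring",
    "psexec": "lateral", "smbexec": "lateral",
    "freefilesync": "exfil", "megasync": "exfil",
}

# Constructed sample process-creation events: timestamp, host, image name.
SAMPLE_EVENTS = """\
2025-05-02T09:14:00 EXCH01 stowaway.exe
2025-05-02T09:20:00 EXCH01 syteca_agent.exe
2025-05-03T11:02:00 EXCH01 gc2.exe
2025-05-05T14:45:00 EXCH01 psexec.exe
2025-05-06T08:10:00 EXCH01 megasync.exe
2025-05-04T10:00:00 WS017 freefilesync.exe
2025-05-04T10:05:00 WS017 outlook.exe
"""

def parse_events(text):
    """Parse 'ISO-timestamp host image' lines into (datetime, host, image)."""
    events = []
    for line in text.splitlines():
        ts, host, image = line.split()
        events.append((datetime.fromisoformat(ts), host, image.lower()))
    return events

def classify(image):
    """Map an image name to a tool phase, or None if it is not of interest."""
    for name, phase in TOOL_PHASES.items():
        if name in image:
            return phase
    return None

def hunt(events, window=timedelta(days=14), min_phases=3):
    """Return hosts on which at least min_phases distinct tool phases occur
    within `window`. One tool alone (a sync client, say) is ordinary; the
    reported pattern is the combination on a single host."""
    by_host = defaultdict(list)
    for ts, host, image in events:
        phase = classify(image)
        if phase:
            by_host[host].append((ts, phase))
    hits = {}
    for host, seen in by_host.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            phases = {p for t, p in seen[i:] if t - start <= window}
            if len(phases) >= min_phases:
                hits[host] = sorted(phases)
                break
    return hits
```

On the sample data only EXCH01 is flagged, with all five phases; the workstation that ran a single sync client is not.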
According to Symantec, the unusual set of tools employed in this attack, along with the attempt to retain access to the compromised network, suggests that the victim organization might have been targeted for espionage, with the ransomware component being either a decoy or an attempt to earn additional money from the intrusion.
This is not the first ransomware attack to employ tools typically used by China-linked APTs, with previous occurrences including a variant of the PlugX backdoor and the Shadowpad modular malware family.
The Fog ransomware emerged in 2024, mainly targeting the US education sector. As an initial access vector, the group has abused compromised VPN credentials, vulnerable Veeam Backup & Replication (VBR) servers (CVE-2024-40711), and phishing emails.
