Fog Ransomware: Unusual Toolset Used In Recent Attack
Symantec, Thursday, June 12th, 2025
Legitimate employee monitoring software and various pentesting tools deployed.
A May 2025 attack on a financial institution in Asia saw the Fog ransomware deployed, alongside an unusual toolset, including some dual-use and open-source pentesting tools we have not observed being used in ransomware attacks previously.
The attackers used a legitimate employee monitoring software called Syteca (formerly Ekran), which is highly unusual and not something we have seen used in a ransomware attack chain before. They also deployed several open-source pentesting tools - GC2, Adaptix, and Stowaway - which are not commonly used during ransomware attacks.