Fog Ransomware Actors Exploit Pentesting Tools to Exfiltrate Data and Deploy Ransomware


The Fog ransomware group has evolved beyond conventional attack methods, deploying an unprecedented arsenal of legitimate pentesting tools in a sophisticated May 2025 campaign targeting a financial institution in Asia.

This latest operation marks a significant departure from typical ransomware tactics, incorporating employee monitoring software and open-source penetration testing frameworks previously unseen in the ransomware landscape.

The attack demonstrates how threat actors are increasingly blurring the lines between espionage and financial cybercrime.

The attackers maintained persistent access to the victim’s network for approximately two weeks before deploying their ransomware payload, utilizing a diverse toolkit that included the legitimate Syteca employee monitoring software, GC2 command-and-control framework, Adaptix C2 Agent Beacon, and Stowaway proxy tools.

Initial compromise vectors targeted Exchange Servers, though investigators could not definitively establish the precise entry point.

The attackers used these tools for reconnaissance, lateral movement, and data exfiltration, running discovery commands such as whoami and net use alongside network enumeration to map the target environment.

Symantec analysts identified the attack as particularly unusual due to the deployment of tools not commonly associated with ransomware operations.

The GC2 tool, which utilizes Google Sheets or Microsoft SharePoint for command execution and file exfiltration, had previously been observed in APT41 operations but represents a novel addition to ransomware arsenals.

The attackers configured GC2 to poll the cloud service for commands, so its traffic blended in with legitimate use of those services and was unlikely to be flagged by traditional network monitoring.
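As an added example (not code from the article or from Symantec's report), the following Python scans constructed proxy log lines for the tell-tale regularity of a tool polling a cloud service for commands: the same host hitting the same endpoint at near-constant intervals with a non-browser user agent. The host names, endpoint, timestamps, user agents and the log field layout are all constructed assumptions for this example.

```python
"""Beaconing check over constructed proxy log lines.

Flags a (source host, destination) pair whose request timing is nearly
periodic, which is what a C2 agent polling a spreadsheet on a fixed
schedule looks like in egress logs. All sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <src_host> <dest_host> <user_agent>"
SAMPLE_PROXY_LOG = """\
2025-05-10T09:00:00 WS-FIN-17 sheets.googleapis.com Go-http-client/1.1
2025-05-10T09:00:30 WS-FIN-17 sheets.googleapis.com Go-http-client/1.1
2025-05-10T09:01:00 WS-FIN-17 sheets.googleapis.com Go-http-client/1.1
2025-05-10T09:01:31 WS-FIN-17 sheets.googleapis.com Go-http-client/1.1
2025-05-10T09:02:00 WS-FIN-17 sheets.googleapis.com Go-http-client/1.1
2025-05-10T09:02:30 WS-FIN-17 sheets.googleapis.com Go-http-client/1.1
2025-05-10T09:00:05 WS-FIN-03 docs.google.com Mozilla/5.0
2025-05-10T09:04:12 WS-FIN-03 docs.google.com Mozilla/5.0
2025-05-10T09:17:40 WS-FIN-03 docs.google.com Mozilla/5.0
2025-05-10T09:18:02 WS-FIN-03 docs.google.com Mozilla/5.0
"""


def parse_proxy_log(text):
    """Turn the constructed log format into (timestamp, src, dst, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, ua = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), src, dst, ua))
    return events


def find_beacons(events, min_requests=5, max_cv=0.2):
    """Return (src, dst, mean_interval_seconds, user_agents) for pairs whose
    inter-request gaps have a coefficient of variation at or below max_cv.

    Human browsing produces irregular gaps (high CV); a polling loop produces
    gaps that differ only by network jitter (CV near zero).
    """
    by_pair = defaultdict(list)
    agents = defaultdict(set)
    for ts, src, dst, ua in events:
        by_pair[(src, dst)].append(ts)
        agents[(src, dst)].add(ua)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg, 1), sorted(agents[(src, dst)])))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print("possible beacon:", hit)
```

The CV threshold and minimum request count are tuning knobs; in practice the flagged pairs are fed to triage together with the user agent, since a Go or Python client talking to a spreadsheet API from a workstation is far more suspicious than a browser doing the same.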

Most notably, the attackers demonstrated exceptional persistence by establishing service-based backdoors several days after ransomware deployment, creating a service named “SecurityHealthIron” with the description “Collect performance information about an application by using command-line tools”.

This post-ransomware persistence mechanism suggests potential dual-purpose operations, where traditional ransomware activities may serve as cover for ongoing espionage activities.

Advanced Persistence and Dual-Purpose Operations

The establishment of persistence mechanisms following ransomware deployment represents a paradigm shift in threat actor behavior.

The creation of the SecurityHealthIron service using sc create commands indicates sophisticated planning beyond immediate financial gain.

This technique, combined with process watchdog programs that monitored the GC2 agent, suggests that Fog operators treat ransomware as one component of a broader intelligence-gathering campaign rather than as the final objective of the attack.
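As an added example that is not part of the original article, the Python below runs two host-log checks over constructed event records: a discovery-command burst detector for the whoami / net use reconnaissance mentioned earlier, and a service-install check for the sc create persistence described in this section. The record layout (modelled loosely on process-creation and service-install events), the host names, the file paths and the discovery commands beyond whoami and net use are assumptions; the service name and description are the ones the article quotes.

```python
"""Two host-based checks over constructed log records.

1. detect_discovery_bursts: several distinct discovery commands from one
   host inside a short window (reconnaissance before lateral movement).
2. detect_service_persistence: service installs matching the reported
   name/description, pointing outside standard directories, or preceded
   by an 'sc create' for the same service on the same host.
Record format, hosts and paths are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the article plus common companions (assumed list).
DISCOVERY_PATTERNS = [
    re.compile(r"^whoami\b", re.I),
    re.compile(r"^net(\.exe)?\s+(use|view|group|user|localgroup)\b", re.I),
    re.compile(r"^ipconfig\b", re.I),
    re.compile(r"^nltest\b", re.I),
]
SC_CREATE = re.compile(r"^sc(\.exe)?\s+create\s+(\S+)", re.I)
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Indicators quoted in the article.
KNOWN_SERVICE_NAME = "SecurityHealthIron"
KNOWN_SERVICE_DESC = ("Collect performance information about an application "
                      "by using command-line tools")

# Constructed events; binary path and host names are invented for the example.
SAMPLE_EVENTS = [
    {"time": "2025-05-12T10:00:05", "host": "SRV-EXCH-01", "event": "process_create", "cmdline": "whoami"},
    {"time": "2025-05-12T10:00:09", "host": "SRV-EXCH-01", "event": "process_create", "cmdline": "net use"},
    {"time": "2025-05-12T10:00:31", "host": "SRV-EXCH-01", "event": "process_create", "cmdline": "ipconfig /all"},
    {"time": "2025-05-12T10:01:02", "host": "SRV-EXCH-01", "event": "process_create", "cmdline": "net view /domain"},
    {"time": "2025-05-12T11:30:00", "host": "WS-FIN-03", "event": "process_create", "cmdline": "whoami"},
    {"time": "2025-05-28T02:14:40", "host": "SRV-EXCH-01", "event": "process_create",
     "cmdline": 'sc create SecurityHealthIron binPath= "C:\\ProgramData\\svc\\agent.exe"'},
    {"time": "2025-05-28T02:14:41", "host": "SRV-EXCH-01", "event": "service_installed",
     "name": "SecurityHealthIron", "description": KNOWN_SERVICE_DESC,
     "image_path": "C:\\ProgramData\\svc\\agent.exe"},
    {"time": "2025-05-28T03:00:00", "host": "WS-FIN-03", "event": "service_installed",
     "name": "Backup Agent", "description": "Vendor backup service",
     "image_path": "C:\\Program Files\\Backup\\agent.exe"},
]


def _when(ev):
    return datetime.fromisoformat(ev["time"])


def _discovery_kind(cmdline):
    """Index of the matching discovery pattern, or None."""
    for i, pat in enumerate(DISCOVERY_PATTERNS):
        if pat.search(cmdline.strip()):
            return i
    return None


def detect_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return (host, first_time, distinct_kinds) once per host that ran at least
    min_distinct different discovery commands inside one window."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["event"] == "process_create":
            kind = _discovery_kind(ev["cmdline"])
            if kind is not None:
                by_host[ev["host"]].append((_when(ev), kind))
    hits = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            kinds = {k for t, k in items[i:] if t - start <= window}
            if len(kinds) >= min_distinct:
                hits.append((host, start.isoformat(), len(kinds)))
                break  # one finding per host is enough for triage
    return hits


def detect_service_persistence(events, sc_lookback=timedelta(minutes=2)):
    """Return (host, service_name, reasons) for suspicious service installs."""
    sc_creates = []
    for ev in events:
        if ev["event"] == "process_create":
            m = SC_CREATE.match(ev["cmdline"].strip())
            if m:
                sc_creates.append((ev["host"], _when(ev), m.group(2)))
    findings = []
    for ev in events:
        if ev["event"] != "service_installed":
            continue
        reasons = []
        if ev["name"] == KNOWN_SERVICE_NAME:
            reasons.append("known service name")
        if ev["description"] == KNOWN_SERVICE_DESC:
            reasons.append("known description")
        if not ev["image_path"].lower().startswith(STANDARD_DIRS):
            reasons.append("image outside standard directories")
        for host, when, name in sc_creates:
            delta = _when(ev) - when
            if host == ev["host"] and name.lower() == ev["name"].lower() \
                    and timedelta(0) <= delta <= sc_lookback:
                reasons.append("sc create for this service seen %ds earlier" % delta.seconds)
        if reasons:
            findings.append((ev["host"], ev["name"], reasons))
    return findings


if __name__ == "__main__":
    print(detect_discovery_bursts(SAMPLE_EVENTS))
    print(detect_service_persistence(SAMPLE_EVENTS))
```

The name and description match are brittle by design (they catch only this reported campaign); the path check and the sc create correlation are the generic part that keeps firing when the next operator picks a different name, and they are the checks worth keeping after the ransomware event itself, since the article's point is that persistence was added days after deployment.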
