
A recent ransomware attack against a financial institution in Asia is raising eyebrows across the cybersecurity community, not just because of the ransomware, but because of how it was delivered.
According to the Threat Hunter Team at Symantec and Carbon Black, the attack deployed Fog, a ransomware strain first observed in May 2024. What makes this incident different is the eclectic toolset the attackers used: legitimate employee monitoring software, rarely seen open-source tools, and persistence mechanisms that are usually associated with espionage campaigns.
Ransomware Plus Surveillance?
Among the most unusual elements was the use of Syteca, an employee monitoring tool formerly known as Ekran. It is normally used to monitor for insider threats, and employs keystroke logging and screen recording. This is the first time it has been used in a ransomware context.
In this instance, Syteca was delivered via the open-source Stowaway proxy tool, under filenames like sytecaclient.exe and update.exe. While the threat actors’ exact use of the software isn’t clear, forensic evidence suggests it was probably deployed for surveillance or data theft. Keylogging, screen capture, and DLL loading behaviors support that theory.
Malefactors later ran multiple commands to delete or disable Syteca-related processes, presumably to erase evidence and avoid detection.
Their actions point to an unusually high level of operational hygiene for a ransomware crew.
As Akhil Mittal of Black Duck points out: “The real danger here isn’t the ransom note—it’s how Fog turns a simple screen recorder into a hidden camera. Business apps we install on autopilot can suddenly become spy tools. Trust, not tech, becomes the weakest link.”
A Curious Mix of Tools
The actors also installed a combination of lesser-known, dual-use tools:
GC2: An open-source post-exploitation framework that communicates with operators via Google Sheets or Microsoft SharePoint. It’s been linked to APT41, a Chinese state-sponsored group, but never before to ransomware groups.
Adaptix C2 Agent Beacon: A modular, open-source command-and-control agent similar to Cobalt Strike, designed for red team operations.
Stowaway: A multi-hop proxy tool not typically seen in ransomware cases.
SMBExec and PsExec: Used for lateral movement and execution of Syteca and GC2 across machines.
One thing that stands out is the use of Process Watchdog, a program that constantly checks for the GC2 process (AppxModels.exe) and restarts it if missing. This means the attackers were keen on maintaining control.
Trey Ford, CISO at Bugcrowd, warns that these types of tools are likely to become more common. “We should expect the use of ordinary, legitimate corporate software as the norm. Why introduce noisy malware when ‘allowable’ software does the job?”
Ford also points to a broader concern: if attackers can embed themselves in everyday productivity platforms, they gain time, time to map networks, collect data, and cover their tracks. “The use of expected platforms like Google Sheets for C2 increases time to detect and slows investigations,” he adds.
Also, days after deploying the ransomware, the bad actors created a persistence mechanism. Using a fake service named SecurityHealthIron, they ran:
sc create SecurityHealthIron binPath= "diagsvcs\runtimebroker.exe" start= auto
This kind of post-encryption persistence is unusual. Most ransomware actors exfiltrate data, encrypt systems, and disappear.
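The service-creation step above is the kind of event defenders can catch from Windows System log Event ID 7045 (a new service was installed). The following is an added example, not code from the report or the Symantec team: it scores constructed 7045-style records for three traits the SecurityHealthIron service shows (an image path outside trusted directories, a System32 binary name such as runtimebroker.exe living elsewhere, and a service name that borrows a Windows security component's name). The trusted-root list, the lookalike pattern, and the sample records are assumptions for illustration.

```python
"""Flag suspicious service installs from Event ID 7045-style records."""
import re
from dataclasses import dataclass

# Constructed sample records shaped like Event ID 7045 fields (not real logs).
SAMPLE_EVENTS = [
    {"ServiceName": "SecurityHealthIron",
     "ImagePath": "diagsvcs\\runtimebroker.exe", "StartType": "auto start"},
    {"ServiceName": "SecurityHealthService",
     "ImagePath": "C:\\Windows\\System32\\SecurityHealthService.exe",
     "StartType": "demand start"},
    {"ServiceName": "ExampleBackupAgent",
     "ImagePath": "C:\\Program Files\\ExampleVendor\\agent.exe",
     "StartType": "auto start"},
]

# Assumed set of directories where a freshly installed service binary is expected.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_ROOTS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
# Hypothetical lookalike check: names that borrow a Windows security component's name.
LOOKALIKE = re.compile(r"^(securityhealth|windowsdefender|wdnissvc|sense)\w*$", re.I)
# Binaries that normally live under System32; the same name elsewhere is a masquerade.
SYSTEM_BINARIES = {"runtimebroker.exe", "svchost.exe", "lsass.exe"}


@dataclass
class Finding:
    service: str
    reasons: list


def assess_service(evt):
    """Return a Finding whose reasons list is empty when nothing looks wrong."""
    reasons = []
    path = evt["ImagePath"].strip('"').replace("/", "\\").lower()
    exe = path.rsplit("\\", 1)[-1]
    if not path.startswith(TRUSTED_ROOTS):
        reasons.append("image path outside trusted directories (relative or user-writable)")
    if exe in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"{exe} masquerade: expected under System32")
    if LOOKALIKE.match(evt["ServiceName"]) and not path.startswith(SYSTEM_DIRS):
        reasons.append("service name mimics a Windows security component")
    return Finding(evt["ServiceName"], reasons)


def suspicious_services(events):
    """Keep only the records that raised at least one reason."""
    return [f for f in (assess_service(e) for e in events) if f.reasons]
```

On a live host the same checks can be fed from the System log's 7045 events; the relative binPath used here is what makes the fake service stand out even before the name is inspected.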
Shane Barney, CISO at Keeper Security, describes this tactic as part of a broader shift in adversary behavior. “Today’s attackers don’t loudly break in – they quietly blend in,” he says. “Instead of relying solely on malware, they’re combining legitimate monitoring software with open-source tools to build attack chains that are both covert and highly effective.”
Barney notes that Living Off The Land (LOTL) techniques, where attackers abuse tools that are already present in the environment, are increasingly used to prolong access, quietly escalate privileges, and evade detection.
Could This Be Espionage in Disguise?
In 2024 Fog became notorious for targeting U.S. education institutions via compromised VPNs and Veeam vulnerabilities. By 2025, its operators had begun mocking public institutions like Elon Musk’s fictional “Department of Government Efficiency” (DOGE) in ransom notes, even offering free decryption to victims willing to spread the malware.
The use of surveillance tools, post-ransomware persistence, and stealthy C2 infrastructure raises a serious question: Was ransomware its objective, or was it just a red herring?
The fact that attackers stayed on the network for two weeks before detonating the ransomware adds weight to the espionage theory. They used:
7-Zip to archive directories.
FreeFileSync and MegaSync to steal data.
And then, only at the end, launched Fog ransomware, possibly as a final smokescreen.
For defenders, this attack highlights the blurred lines between cybercrime and cyber espionage. Whether the Fog operators were moonlighting APTs or financially motivated actors experimenting with new tools, one thing is clear: ransomware attacks are evolving, and are not always what they seem.
“This level of creativity isn’t an outlier,” Barney warns. “Ransomware groups are becoming highly adaptable adversaries operating outside of traditional playbooks. The damage isn’t just encrypted files, it’s the loss of visibility, control, and trust.”
Detection is No Longer Enough
With toolsets like this, Indicators of Compromise (IOCs) may arrive too late. Organizations must now focus on Indicators of Attack (IOAs), the behavior and patterns that suggest an attack in progress, even if no malware has been dropped yet.
Barney sums it up: “The goal isn’t just prevention, it’s resilience. That means locking down credentials, limiting privilege, and continuously monitoring for anomalies across your backup infrastructure and remote access points.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.