
Fog ransomware hackers, known for targeting US educational institutions, are now using the legitimate employee monitoring software Syteca and several open-source pen-testing tools alongside their usual encryption.
While investigating a May 2025 attack on an unnamed financial institution in Asia, Symantec researchers spotted hackers using Syteca (formerly Ekran) and several pen-testing tools, including GC2, Adaptix, and Stowaway, behavior they found “highly unusual” in a ransomware attack chain.
Reflecting on the shift in Fog’s tactics, Bugcrowd’s CISO, Trey Ford, said, “We should expect the use of ordinary and legitimate corporate software as the norm—we refer to this as ‘living off the land.’ Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when ‘allowable’ software gets the job done for them?”