
Businesses were advised June 12 that a May 2025 attack on a financial institution by the Fog ransomware group used an unusual combination of tools: the legitimate employee monitoring software Syteca alongside the open-source pentesting tools GC2, Adaptix, and Stowaway.

What's different here, said researchers in a June 12 blog by Symantec and Carbon Black, is that none of these tools had been observed in any previous ransomware attack, let alone deployed together in a single intrusion.

The researchers said it was also notable that, a few days after the ransomware was deployed, the attackers created a service to establish persistence.

"This is an unusual step to see in a ransomware attack, with malicious activity usually ceasing on a network once the attackers have exfiltrated data and deployed the ransomware, but the attackers in this incident appeared to wish to retain access to the victim's network," wrote the researchers.

T. Frank Downs, senior director of proactive services at BlueVoyant, explained that while the researchers have not yet identified the exact initial access vector in this attack, the fact that Exchange servers were reportedly compromised is significant. Downs said Exchange servers are frequently targeted because they are high-value systems with a long history of publicly known vulnerabilities, making them a likely candidate for the initial point of exploitation.

However, Downs added that the attackers' reported use of compromised VPN credentials, pass-the-hash attacks, and exploitation of n-day vulnerabilities suggests multiple potential entry points.

"Regardless of initial exploit point, if the attackers gained sufficiently permissive rights, such as administrative privileges, they would have been able to install the remaining toolset and initiate lateral movement and persistence within the network," said Downs.
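The post-deployment persistence the researchers describe is easy to miss precisely because most playbooks stop watching once the ransomware note appears. The following is an added example, not code from the article or from Symantec and Carbon Black: it scans a handful of constructed Windows System-log records for Event ID 7045 ("a service was installed in the system") that land after a known ransomware deployment time, and attaches a reason for each hit. The pipe-delimited record layout, the deployment timestamp, the hostnames and service names, and the "user-writable path" heuristic are all assumptions made for the example.

```python
"""Flag Windows service installations that occur after ransomware deployment.

Added example, not from the article or from Symantec/Carbon Black.
The log records below are constructed; the field layout
(timestamp|event_id|host|service_name|image_path|account) is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows writes Event ID 7045 to the System log when a service is installed.
SERVICE_INSTALL_EVENT_ID = 7045

# Assumed heuristic: legitimately installed services rarely run from these paths.
SUSPICIOUS_PATH_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\perflogs\\",
)

# Constructed deployment time for the example (when encryption was first observed).
DEPLOYMENT_TIME = datetime(2025, 5, 12, 23, 30, 0)

# Constructed sample records: one install before deployment, two after, and
# one non-install event (7036, service state change) that must be ignored.
SAMPLE_LOG = [
    "2025-05-10T02:11:05|7045|FS01|Sense|C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe|SYSTEM",
    "2025-05-15T03:40:12|7045|DC01|wuauservx|C:\\ProgramData\\svc\\update.exe|CORP\\admin",
    "2025-05-15T08:00:00|7036|FS01|Spooler|C:\\Windows\\System32\\spoolsv.exe|SYSTEM",
    "2025-05-17T22:15:31|7045|WEB02|SyncHelper|C:\\Windows\\System32\\svchost.exe -k netsvcs|SYSTEM",
]


@dataclass
class ServiceEvent:
    timestamp: datetime
    event_id: int
    host: str
    service_name: str
    image_path: str
    account: str


def parse_event(line: str) -> ServiceEvent:
    """Parse one pipe-delimited record in the assumed layout."""
    ts, eid, host, name, path, account = line.split("|")
    return ServiceEvent(datetime.fromisoformat(ts), int(eid), host, name, path, account)


def late_persistence(events, deployment_time, window=timedelta(days=14)):
    """Return (event, reasons) for every service install inside `window`
    after `deployment_time`. Anything installed then is suspect by position
    alone; path and script heuristics add further reasons."""
    hits = []
    for e in events:
        if e.event_id != SERVICE_INSTALL_EVENT_ID:
            continue
        if not (deployment_time < e.timestamp <= deployment_time + window):
            continue
        reasons = ["service installed after ransomware deployment"]
        path = e.image_path.lower()
        if path.startswith(SUSPICIOUS_PATH_PREFIXES):
            reasons.append("binary in user-writable directory")
        if "powershell" in path or path.endswith((".ps1", ".bat", ".vbs")):
            reasons.append("script-based service binary")
        hits.append((e, reasons))
    return hits


def run_sample():
    """Run the detection over the constructed sample log."""
    return late_persistence([parse_event(l) for l in SAMPLE_LOG], DEPLOYMENT_TIME)


if __name__ == "__main__":
    for event, reasons in run_sample():
        print(f"{event.timestamp} {event.host} {event.service_name}: {'; '.join(reasons)}")
```

In a real environment the same query belongs in the SIEM, with the window anchored on the first encryption or ransom-note artifact and Security-log Event ID 4697 (service install, audited when enabled) added alongside 7045; the point is that service creation, scheduled-task creation, and new accounts should stay under scrutiny for weeks after the ransomware runs, not be treated as closed out with the incident.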
"This type of attack — where an attacker establishes a long-term presence, uses unconventional tools like employee monitoring software, and infects more systems than strictly necessary for a typical ransomware operation — is unusual for traditional cyber criminals."

Shane Barney, chief information security officer at Keeper Security, added that today's attackers don't loudly break in: they quietly blend in. Barney said the Fog ransomware group is a prime example, orchestrating well-planned intrusions that blur the line between cybercrime and espionage.

Barney said that instead of relying solely on malware, they are combining legitimate employee monitoring software with open-source penetration testing tools to build attack chains that are both covert and highly effective. Living off the land (LOTL) describes an attacker's use of legitimate tools that are already present on the victim's systems, rather than custom malware, to sustain and advance an attack; because no malicious binary has to be dropped, the activity is often fileless and slips past signature-based detection. Strictly, third-party software such as Syteca that the attacker brings in is better described as abuse of legitimate software than as LOTL, but the detection problem is the same: the tooling looks like something an administrator would have authorized.

"So, tools like Syteca, typically used to track insider activity, are being repurposed to silently harvest credentials and monitor employee behavior in real time," said Barney. "That's a chilling evolution. This level of creativity isn't an outlier — it reflects a growing trend. Ransomware groups are becoming highly adaptable, resourceful adversaries who operate outside of traditional playbooks. The damage extends beyond encrypted files: it's about the loss of control, visibility and trust in your systems long before the ransom demand is made."