In May 2025, a financial institution in Asia was targeted in a highly anomalous ransomware attack that may blur the lines between conventional cybercrime and espionage. According to a new report from the Symantec Threat Hunter Team, the attackers deployed the Fog ransomware strain, but what truly set this campaign apart was the unprecedented arsenal of tools, including dual-use software, open-source post-exploitation frameworks, and a focus on persistence, rarely seen in typical ransomware operations.
"The attackers used a legitimate employee monitoring software called Syteca (formerly Ekran), which is highly unusual and not something we have seen used in a ransomware attack chain before," Symantec notes.
The Fog ransomware was first documented in May 2024, when it primarily hit educational institutions in the U.S., exploiting VPN credentials for initial access. Over time, its techniques evolved. By October 2024, Fog was exploiting CVE-2024-40711 (CVSS 9.8) in Veeam Backup & Replication servers, and by April 2025 it had shifted to email-based infection vectors, often mocking Elon Musk's "Department of Government Efficiency (DOGE)" in ransom notes and even offering free decryption in exchange for infecting others.
This latest campaign against the Asian financial entity, however, raised eyebrows.
The attackers didn't rely on typical ransomware methods. Instead, they used:
- Syteca (formerly Ekran): a legitimate employee monitoring tool deployed via the Stowaway proxy. Its keylogging and screen capture functions suggest it was used for espionage.
- GC2 (Google Command and Control): a stealthy open-source backdoor using Google Sheets or Microsoft SharePoint to execute commands and exfiltrate data. Previously only linked to APT41, a Chinese nation-state actor. "This tool is not something we have seen used in ransomware attacks before," Symantec states.
- Adaptix C2 Agent Beacon: a lesser-known Cobalt Strike alternative, enabling stealthy command-and-control via encrypted beaconing.
- Process Watchdog β ensured persistence by continuously restarting key implants like AppxModels.exe, linked to the GC2 backdoor.
- Living-off-the-land tools (LOLBins) like PsExec and SMBExec were used for lateral movement, and FreeFileSync, 7-Zip, and MegaSync aided in data theft.
Perhaps the most unorthodox element was that persistence mechanisms were established after the ransomware was deployed.
"A few days after the ransomware was deployed, the attackers created a service to establish persistence," Symantec observed. "This is an unusual step to see in a ransomware attack… the attackers in this incident appeared to wish to retain access to the victim's network."
This step included creating and launching a Windows service named SecurityHealthIron using sc create, pointing to a suspicious binary.
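As an added illustration of the persistence step described above (this is example code, not from the Symantec report or this article), the following Python triage script scans Windows "new service installed" records (Event ID 7045 from the System log, flattened here into key="value" text) and flags the two traits the incident shows: a service name that imitates a legitimate Windows service, here SecurityHealthIron against the real SecurityHealthService, and a service binary living outside trusted program directories. The log lines, the allow-list of legitimate service names, the trusted directories and all file paths are constructed assumptions for the demonstration.

```python
"""Triage Windows service-installation events for persistence lookalikes.

Added example. Records, service allow-list and paths are constructed.
"""
import difflib
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: a defender-curated list of genuine Windows service names that
# attackers like to imitate. SecurityHealthService is the real Defender
# health service; "SecurityHealthIron" from the article reads as a lookalike.
KNOWN_LEGIT = {"SecurityHealthService", "WinDefend", "wuauserv", "Spooler"}

# Assumption: directories a legitimate service binary is expected to live in.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed records in the shape of Event ID 7045 ("A service was installed").
SAMPLE_EVENTS = [
    r'EventID="7045" ServiceName="SecurityHealthIron" ImagePath="C:\ProgramData\Updates\svchelper.exe" Account="LocalSystem"',
    r'EventID="7045" ServiceName="Spooler" ImagePath="C:\Windows\System32\spoolsv.exe" Account="LocalSystem"',
    r'EventID="7036" ServiceName="Spooler" ImagePath="C:\Windows\System32\spoolsv.exe" Account="LocalSystem"',
    r'EventID="7045" ServiceName="VendorBackupAgent" ImagePath="C:\Program Files\Vendor\agent.exe" Account="LocalSystem"',
    r'EventID="7045" ServiceName="AppxModelsSvc" ImagePath="C:\Users\Public\AppxModels.exe" Account="LocalSystem"',
]

_FIELD = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict."""
    return dict(_FIELD.findall(line))


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate service name this one appears to imitate, if any.

    A long shared prefix (>= 10 chars) or a high similarity ratio counts as
    imitation; exact matches against the allow-list are not flagged.
    """
    if name in KNOWN_LEGIT:
        return None
    for legit in sorted(KNOWN_LEGIT):
        prefix = os.path.commonprefix([name.lower(), legit.lower()])
        ratio = difflib.SequenceMatcher(None, name.lower(), legit.lower()).ratio()
        if len(prefix) >= 10 or ratio >= 0.8:
            return legit
    return None


def untrusted_path(image_path: str) -> bool:
    """True when the service binary is outside the trusted directories."""
    return not image_path.strip('"').lower().startswith(TRUSTED_PREFIXES)


def triage(lines: List[str]) -> List[Finding]:
    """Return a Finding for every 7045 record with at least one suspicious trait."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "7045":
            continue  # only service installations matter here
        name = rec.get("ServiceName", "")
        path = rec.get("ImagePath", "")
        reasons = []
        mimic = lookalike_of(name)
        if mimic:
            reasons.append(f"name resembles legitimate service {mimic}")
        if untrusted_path(path):
            reasons.append("binary outside trusted program directories")
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.service_name}: {f.image_path} -> {'; '.join(f.reasons)}")
```

On the constructed input the script reports SecurityHealthIron on both counts and AppxModelsSvc for its path only, while the genuine Spooler install, a vendor agent under Program Files, and the 7036 state-change event pass. In production the same two checks map onto Sysmon or EDR service-creation telemetry, and a second rule keyed on Event 7045 arriving days after an encryption event is the signal this incident specifically calls for.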
Symantec raises an important question: Was this truly a financially motivated ransomware attack, or was it espionage under the guise of cybercrime?
"These factors mean it could be possible that this company may in fact have been targeted for espionage purposes, with the ransomware attack merely a decoy," Symantec speculates.
The level of stealth, the diverse toolset, and the attackers' desire to retain long-term access suggest motivations that extend beyond a quick payday.