Fog Ransomware: Unusual Toolset Used in Recent Attack

In May 2025, an unusual attack using the Fog ransomware targeted a financial institution in Asia. The attackers employed rarely seen tools, including the Syteca employee monitoring software and the open-source pentesting utilities GC2, Adaptix, and Stowaway, and they also established persistence on the network after deploying the ransomware, which suggests espionage motives beyond typical ransomware objectives.

Key Points

  • The May 2025 attack deployed Fog ransomware along with uncommon tools like Syteca and open-source pentesting tools GC2, Adaptix, and Stowaway.
  • Syteca, legitimate employee monitoring software, was used for potential spying and keylogging—rare in ransomware campaigns.
  • The attackers maintained network persistence post-encryption by creating a service, which is atypical for ransomware incidents.
  • The initial infection vector is unknown, though two Exchange Servers were compromised; lateral movement used PsExec and SMBExec.
  • The GC2 tool supports command execution and data exfiltration via Google Sheets and SharePoint; here it was used for network discovery and control.
  • The Adaptix C2 Agent Beacon was leveraged as a C&C framework; it functions similarly to Cobalt Strike but is open-source.
  • The attack also used the file transfer tools Freefilesync and MegaSync, and archiving with 7-Zip, for data theft.

MITRE Techniques

  • [T1071] Application Layer Protocol – GC2 implant uses Google Sheets and Microsoft SharePoint List for command and control communication (“…the GC2 implant polls the Google Sheet or SharePoint List for each operator command…”).
  • [T1569.002] Service Execution: Service Manipulation – Attackers created and started a malicious service named SecurityHealthIron to establish persistence (“sc create SecurityHealthIron binPath=… start= auto…”).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Use of command execution via cmd.exe with various payloads like SytecaClient.exe and GC2 backdoor (“cmd.exe /Q /c SytecaClient.exe…”).
  • [T1021.005] Remote Services: SMB/Windows Admin Shares – SMBExec utilized to launch Syteca and to facilitate lateral movement (“SMBExec was used to launch Syteca…”).
  • [T1568] Dynamic Resolution – GC2 tool’s encoded configuration blobs and use of cloud services for C2 (“It contains two embedded configuration blobs in encoded form…”).
  • [T1105] Ingress Tool Transfer – The file transfer utilities Freefilesync and MegaSync were downloaded onto the network and then used for exfiltration (“…attackers download multiple file transfer utilities – Freefilesync and MegaSync…”).
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – Syteca executable loaded several DLL libraries to facilitate spying and information stealing (“Several libraries are loaded by this executable…”).
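As an added defensive example (not code from the report or its authors), the checks below run over constructed process command lines and flag the two shapes quoted in the techniques above: an `sc create` of an auto-start service whose name mimics a Windows Security Health component or whose binary sits outside system directories, and a `cmd.exe /Q /c` launch such as the one that started SytecaClient.exe. Only the service name and the two command shapes come from the report; the binPath values, the trusted-directory list and the benign control lines are assumptions constructed for this example.

```python
import re

# Directories a Windows-looking service binary is expected to run from (lower-case prefixes; assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")
# The genuine Windows Security Health service; "SecurityHealthIron" from the report imitates it.
GENUINE_SECURITYHEALTH = {"securityhealthservice"}

SC_CREATE = re.compile(r"(?i)(?:^|\s)sc(?:\.exe)?\s+create\s+(?P<name>\S+)\s+(?P<opts>.*)$")
SC_OPT = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')  # sc.exe's "key= value" option syntax
CMD_REMOTE = re.compile(r"(?i)cmd(?:\.exe)?\s+/q\s+/c\s+(?P<payload>.+)$")

def service_create_reasons(cmdline):
    """Reasons an 'sc create' command line looks like malicious persistence (empty if none)."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return []
    name = m.group("name").lower()
    opts = {k.lower(): v.strip('"') for k, v in SC_OPT.findall(m.group("opts"))}
    reasons = []
    if name.startswith("securityhealth") and name not in GENUINE_SECURITYHEALTH:
        reasons.append(f"service name {name!r} imitates a Windows Security Health component")
    binpath = opts.get("binpath", "").lower()
    if binpath and not binpath.startswith(TRUSTED_DIRS):
        reasons.append(f"binPath {binpath!r} is outside the trusted directories")
    # Auto-start alone is routine; it only adds weight next to another indicator.
    if reasons and opts.get("start", "").lower() == "auto":
        reasons.append("start= auto gives the service boot-time persistence")
    return reasons

def remote_exec_reasons(cmdline):
    """Flag the 'cmd.exe /Q /c <payload>' launch shape quoted in the report."""
    m = CMD_REMOTE.search(cmdline)
    return [f"cmd.exe /Q /c launch of {m.group('payload').strip()!r}"] if m else []

def scan(cmdlines):
    """Return (command line, reasons) for every line that trips at least one check."""
    findings = []
    for line in cmdlines:
        reasons = service_create_reasons(line) + remote_exec_reasons(line)
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed samples: only the service name and command shapes are from the report; paths are made up.
SAMPLES = [
    r'sc create SecurityHealthIron binPath= "C:\ProgramData\svc\agent.exe" start= auto',
    r'sc create SecurityHealthService binPath= "C:\Windows\System32\SecurityHealthService.exe" start= demand',
    r"cmd.exe /Q /c SytecaClient.exe",
    r"cmd.exe /c dir",
    r'sc create MyBackup binPath= "C:\Users\Public\bk.exe" start= auto',
]
```

Running `scan(SAMPLES)` flags the SecurityHealthIron service, the SytecaClient.exe launch and the auto-start service in a user-writable path, while the genuine SecurityHealthService line and the plain `cmd.exe /c dir` stay silent.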

Indicators of Compromise

  • [File Hashes] Examples include 181cf6f9b656a946e7d4ca7c7d8a5002d3d407b4e89973ecad60cee028ae5afa (Fog ransomware), bb4f3cd0bc9954b2a59d6cf3d652e5994757b87328d51aa7b1c94086b9f89be0 (Stowaway), and ba96c0399319848da3f9b965627a583882d352eb650b5f60149b46671753d7dd (Adaptix C2 Beacon Agent), among others.
  • [Domains] amanda[.]protoflint[.]com – Associated network infrastructure involved in the attack.
  • [IP Addresses] 66.112.216[.]232, 97.64.81[.]119 – Network IOCs linked to attacker activity.

Read more: https://www.security.com/threat-intelligence/fog-ransomware-attack