Unusual Pentesting and Monitoring Tools Deployed in May 2025 Fog Ransomware Attack

TL;DR

In May 2025, Fog ransomware operators targeted an Asian financial firm using unconventional pentesting and monitoring tools, including Syteca, GC2, Adaptix, and Stowaway. Symantec researchers highlighted the rarity of these tools in ransomware campaigns, suggesting potential espionage motives. The attackers maintained network access for two weeks before deploying ransomware, indicating a strategic, long-term approach.

Unusual Toolset Deployed in May 2025 Fog Ransomware Attack

In May 2025, an Asian financial firm was hit by Fog ransomware. The attackers used tools rarely seen in ransomware operations, including the Syteca monitoring software and the pentesting tools GC2, Adaptix, and Stowaway. Symantec researchers noted the atypical use of these tools in ransomware campaigns, and that the attackers created a service after the ransomware had run in order to keep their access, a persistence step rarely taken once encryption has already occurred. The attackers lingered in the network for two weeks before launching the ransomware, signaling a calculated, long-term strategy.

Evolution of Fog Ransomware

Fog ransomware has been active since at least May 2024, initially targeting U.S. schools via compromised VPNs. By late 2024, it exploited a severe Veeam VBR flaw (CVE-2024-40711, CVSS 9.8). In April 2025, the attackers shifted to email-based infections, with ransom notes mocking Elon Musk’s DOGE agency and offering free decryption if victims infected others, showcasing evolving and provocative tactics.

Unconventional Tools and Tactics

In the recent Fog ransomware attack, the initial infection vector remains unknown, though experts suspect Exchange servers were involved. The attackers deployed rare tools, including:

  • GC2: Utilizes Google Sheets or SharePoint for command and control (C2).
  • Syteca: A monitoring tool potentially used for espionage.
  • Stowaway: Employed for delivery.
  • PsExec/SMBExec: Used for lateral movement.
  • Adaptix C2, FreeFileSync, MegaSync, and Process Watchdog: Tools for data theft, persistence, and control.

The use of these tools is highly unusual in ransomware attacks, suggesting potential espionage motives. The attackers also established persistence post-ransomware deployment, which is uncommon, further indicating that the ransomware might have been a decoy or secondary goal.
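Two of the behaviours listed above leave a simple, host-level trail a defender can hunt for: PsExec-style lateral movement registers a service on the target, and the post-encryption persistence the researchers describe means a new service appears after the ransomware has already run. The triage script below is an added example written for this post; it is not code from Symantec, Security Affairs, or any of the tools named above. It relies on two things that are real Windows/PsExec facts (System log event ID 7045 is written when a service is installed, and PsExec registers a service called PSEXESVC); the record format, host names, service names, paths, and the ransomware first-seen timestamp are all constructed for the example.

```python
"""Added example: triage of service-install events for the two tactics
described in the post (PsExec lateral movement and persistence created
after ransomware deployment). All sample records are CONSTRUCTED; they
are not telemetry from the incident."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List

# Windows System log event ID 7045: "A service was installed in the system."
SERVICE_INSTALL_EVENT_ID = 7045

# Service name PsExec registers on the remote host (compared case-insensitively).
PSEXEC_SERVICE_NAME = "psexesvc"

# Locations a legitimate service binary rarely lives in (lower-cased prefixes).
SUSPICIOUS_PATH_PREFIXES = (
    "c:\\users\\",
    "c:\\windows\\temp\\",
    "c:\\programdata\\",
)

# Constructed timestamp for when the ransomware was first observed running.
RANSOMWARE_FIRST_SEEN = datetime(2025, 5, 14, 3, 0, 0)

# Constructed sample records: timestamp|event_id|host|service_name|image_path
SAMPLE_EVENTS = [
    "2025-05-02T09:15:00|7045|ws07|BackupAgent|C:\\Program Files\\Backup\\agent.exe",
    "2025-05-05T22:41:00|7045|fs01|PSEXESVC|C:\\Windows\\PSEXESVC.exe",
    "2025-05-06T01:12:00|7045|fs01|WatchdogSvc|C:\\ProgramData\\watch\\pw.exe",
    "2025-05-14T03:30:00|7045|dc01|SvcHost-Helper|C:\\Users\\Public\\svchelper.exe",
    "2025-05-14T03:31:00|7036|dc01|SvcHost-Helper|C:\\Users\\Public\\svchelper.exe",
]


@dataclass
class ServiceEvent:
    timestamp: datetime
    event_id: int
    host: str
    service_name: str
    image_path: str


@dataclass
class Finding:
    host: str
    service_name: str
    reasons: List[str]


def parse_event(line: str) -> ServiceEvent:
    """Parse one pipe-delimited record in the constructed format above."""
    ts, event_id, host, name, path = line.split("|", 4)
    return ServiceEvent(datetime.fromisoformat(ts), int(event_id), host, name, path)


def triage_services(lines: Iterable[str], ransomware_first_seen: datetime) -> List[Finding]:
    """Return a Finding for every service install that matches at least one rule."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.event_id != SERVICE_INSTALL_EVENT_ID:
            continue  # only service installs are of interest here
        reasons = []
        if ev.service_name.lower() == PSEXEC_SERVICE_NAME:
            reasons.append("psexec_service")  # lateral movement via PsExec
        if ev.image_path.lower().startswith(SUSPICIOUS_PATH_PREFIXES):
            reasons.append("binary_in_user_writable_path")
        if ev.timestamp >= ransomware_first_seen:
            # A service created after encryption began is the persistence
            # pattern the researchers flagged as unusual for ransomware.
            reasons.append("installed_after_ransomware_deployment")
        if reasons:
            findings.append(Finding(ev.host, ev.service_name, reasons))
    return findings


def run_sample() -> List[Finding]:
    """Run the triage over the constructed sample records."""
    return triage_services(SAMPLE_EVENTS, RANSOMWARE_FIRST_SEEN)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}: service '{f.service_name}' flagged for {', '.join(f.reasons)}")
```

On the sample data the benign BackupAgent install produces nothing, the PSEXESVC install on fs01 is flagged as lateral movement, the WatchdogSvc binary under ProgramData is flagged for its location, and the SvcHost-Helper service on dc01 is flagged twice, for its path and for being installed after the ransomware first ran. The time-based rule is deliberately coarse: in a real investigation the first-seen timestamp comes from the incident timeline, and any service installed after it deserves a look regardless of where its binary sits.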

Expert Analysis

Symantec researchers speculated that the attack might have been primarily for espionage, with ransomware serving as a decoy or an additional revenue stream. The report emphasized the unusual toolset and the importance of businesses being aware of such tactics to guard against sophisticated cyber threats [1].

Conclusion

The May 2025 Fog ransomware attack on an Asian financial firm highlights the evolving tactics of cybercriminals. The use of unconventional tools and the prolonged network presence suggest a shift towards more strategic and potentially espionage-driven attacks. Businesses must stay vigilant and adapt their cybersecurity measures to counter these advanced threats.

References

  1. Symantec Researchers (2025). "Unusual toolset used in recent Fog ransomware attack". Security Affairs. Retrieved 2025-06-14.

This post is licensed under CC BY 4.0 by the author.