Subj : Fog ransomware attacks use employee monitoring tool to break into
To   : All
From : TechnologyDaily
Date : Fri Jun 13 2025 15:00:07

Fog ransomware attacks use employee monitoring tool to break into business networks

Date: Fri, 13 Jun 2025 13:51:00 +0000

Description: The ransomware group was also seen using open source tools in a bid to stay undetected.

FULL STORY
======================================================================

- Fog ransomware was seen using Syteca, a legitimate employee monitoring tool, to log keys and grab passwords
- It also used open-source tools for payload dropping and file exfiltration
- The attack was "atypical", researchers claim

Fog ransomware operators have expanded their arsenal to include legitimate and open source tools, most likely to avoid being detected before deploying the encryptor.

Security researchers from Symantec were recently brought in to investigate a Fog ransomware infection, and determined the hackers used Syteca, a legitimate employee monitoring tool, during the attack. This program, previously known as Ekran, records screen activity and keystrokes, and hasn't been seen abused in attacks before now.

"Several" accounts compromised

By logging keystrokes and tracking passwords, the attackers were able to access additional systems, map out the network, and then successfully deploy the encryptor.

To drop Syteca, Fog used Stowaway, an open-source, multi-hop proxy tool designed for security researchers and pentesters to route traffic through multiple intermediary nodes into restricted or internal networks. After dropping the payload, the attackers used SMBExec, another open-source post-exploitation tool, to execute it over the Server Message Block protocol (SMB).

Lastly, Fog used GC2, an open source post-exploitation backdoor that leverages Google Sheets and SharePoint for command-and-control (C2) and data exfiltration.
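The two parts of the toolchain described above that a defender can hunt for with ordinary telemetry are a monitoring agent (Syteca/Ekran) turning up on hosts where nobody deployed it, and a non-interactive process talking to Google Sheets or SharePoint, the channels GC2 uses for C2. The following is an added example, not code from the article, Symantec or any of the projects named: it runs those two checks over constructed software-inventory and network-connection records and correlates hosts that trip both. The host names, process names, the approved-deployment list and the SharePoint domain suffix are all assumptions made for the example; the Google Sheets API host name is the real one.

```python
"""Added detection example for the Fog toolchain described in the article.
Inventory records, connection events, host names and the approved list are
constructed for this example; only the Google Sheets API host name is real."""
from dataclasses import dataclass

# Product names the article identifies as the legitimate monitoring tool abused by Fog.
MONITORING_AGENTS = {"syteca", "ekran"}

# Hosts where the organisation actually deployed the monitoring agent
# (constructed; in practice this comes from the asset register or deployment tool).
APPROVED_AGENT_HOSTS = {"HR-WS-01", "HR-WS-02"}

# Cloud endpoints GC2 can use as a C2/exfiltration channel. sheets.googleapis.com
# is the real Google Sheets API host; the SharePoint suffix is an assumption.
C2_CAPABLE_SUFFIXES = ("sheets.googleapis.com", ".sharepoint.com")

# Processes expected to reach those services during normal interactive use.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "excel.exe", "onedrive.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def find_unexpected_agents(inventory):
    """inventory: iterable of (host, product_name).
    Flags monitoring agents installed outside the approved deployment set."""
    findings = []
    for host, product in inventory:
        if any(agent in product.lower() for agent in MONITORING_AGENTS):
            if host not in APPROVED_AGENT_HOSTS:
                findings.append(Finding(host, "unexpected-monitoring-agent",
                                        f"{product} installed on non-approved host"))
    return findings


def find_suspicious_cloud_c2(connections):
    """connections: iterable of (host, process_image, destination_fqdn).
    Flags non-interactive processes contacting GC2-capable cloud services.
    Legitimate automation can also do this, so treat hits as triage leads."""
    findings = []
    for host, process, dest in connections:
        if dest.lower().endswith(C2_CAPABLE_SUFFIXES) and process.lower() not in EXPECTED_CLIENTS:
            findings.append(Finding(host, "non-browser-cloud-c2-channel", f"{process} -> {dest}"))
    return findings


def correlate(findings):
    """Return hosts that triggered more than one distinct rule, sorted.
    A host with both an unexpected agent and an odd cloud channel matches
    the combination the article describes and should be escalated first."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) > 1)


# Constructed sample telemetry: one approved agent, one agent on a finance
# server nobody approved, and that same server reaching Sheets and SharePoint
# from a process that is not a browser or Office client.
SAMPLE_INVENTORY = [
    ("HR-WS-01", "Syteca Client"),
    ("FIN-SRV-03", "Syteca Client"),
    ("DEV-WS-11", "Visual Studio Code"),
]
SAMPLE_CONNECTIONS = [
    ("DEV-WS-11", "chrome.exe", "sheets.googleapis.com"),
    ("FIN-SRV-03", "svc-update.exe", "sheets.googleapis.com"),
    ("FIN-SRV-03", "svc-update.exe", "contoso.sharepoint.com"),
]


def run_hunt(inventory=SAMPLE_INVENTORY, connections=SAMPLE_CONNECTIONS):
    findings = find_unexpected_agents(inventory) + find_suspicious_cloud_c2(connections)
    return findings, correlate(findings)


if __name__ == "__main__":
    all_findings, escalate = run_hunt()
    for f in all_findings:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("escalate first:", escalate)
```

The inventory check is the higher-signal one: a legitimate monitoring agent has a known owner and deployment scope, so any copy outside that scope is worth a call to whoever owns it. The cloud-channel check needs tuning per environment (scripts that update spreadsheets legitimately will fire it), which is why the example only escalates hosts that trip both rules.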
Just like Syteca, GC2 is rarely seen abused in attacks, although BleepingComputer claims the Chinese state-sponsored actor APT41 has been seen using it on occasion.

"The toolset deployed by the attackers is quite atypical for a ransomware attack," Symantec said in its report. "The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adap2x C2 Agent Beacon are also unusual tools to see being used in a ransomware attack," they added.

Fog ransomware first emerged in April 2024, and its first attacks were spotted a month later. Since then, the group has made a name for itself, claiming notable victims such as the Belgium-based semiconductor company Melexis, the European meteorological organization EUMETSAT, FHNW University (a major Swiss educational institution), and Ultra Tune (an Australian automotive service franchise).

In early attacks, the group used compromised VPN credentials to access victims' networks, after which it used pass-the-hash attacks to elevate privileges, disable antivirus products, and encrypt all files.

Via BleepingComputer

======================================================================
Link to news story: https://www.techradar.com/pro/security/fog-ransomware-attacks-use-employee-monitoring-tool-to-break-into-business-networks

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)