A ransomware operation known as "Fog" is drawing attention in cybersecurity circles not only because it is relatively new, but because of its extortion playbook, which combines legitimate business software with open-source offensive security tools.
The threat, highlighted in a May 2025 attack on an Asia-based financial institution, illustrates a shift in which threat actors rely on legitimate tools and applications to slip past conventional defensive measures and extend their reach inside the victim's network.
Rather than the custom malware one would expect from most ransomware campaigns, Fog operators work with legitimate employee-monitoring software such as Syteca (formerly Ekran), built-in Windows utilities such as PsExec, and open-source penetration-testing tools including GC2 (a backdoor that uses Google Sheets for command and control), the Stowaway proxy, Sliver and Ligolo.
This unusual pairing lets the attackers disable security controls, move laterally across networks, exfiltrate data and even record what users are doing on screen, all without tripping the alarms that custom malware would.
The stealth of these operations is what particularly concerns security experts. Rather than exploiting exotic zero-day flaws, the attackers abuse well-known and easily avoidable weaknesses: lax configuration, careless handling of credentials, and unmonitored third-party software, the SolarWinds Orion tools among it.
Nicolette Carklin, technical writer at SecureFlag, wrote: "Using legitimate software like Syteca and open-source applications that perform penetration testing is an example of how attackers are evading traditional security products. They say it's a sign that security can't just depend on traditional defenses."
Akhil Mittal, a senior security consulting manager at Black Duck, pointed to the real threat in this scenario: "The ransom note is not the real danger here, it's how Fog turns a simple screen-recorder into a hidden camera." This blurring of the line between legitimate software and malicious use marks an evolution of the ransomware playbook, which now pairs the ransom demand with quiet, ongoing data theft.
Fog Ransomware
First observed in May 2024, Fog ransomware initially concentrated on the U.S. education sector but has since broadened to business services, technology, manufacturing and government targets worldwide. Initial access is typically gained through stolen VPN credentials or vulnerabilities in externally facing applications.
Once inside, Fog moves quickly to encryption, frequently disabling Windows Defender and deleting volume shadow copies to prevent recovery. The rise of this adaptive threat underscores the need for organizations to adopt secure coding practices, proactive software governance and continuous monitoring in order to withstand increasingly sophisticated attack chains.
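The pre-encryption behaviours described above (shadow-copy deletion, Windows Defender tampering, PsExec-style remote execution) are all visible in process-creation telemetry, which makes them a practical detection point even when the tooling itself is "legitimate". The following script is an added example written for this page, not code from the article or from any vendor: it runs a small set of rules over constructed process-creation records (the events, hostnames, users and rule patterns are all made up for illustration) and flags hosts on which more than one of these behaviours appears together. It deliberately does not cover the Syteca, GC2, Stowaway, Sliver or Ligolo components, which need network- and application-level signals rather than command lines.

```python
"""Detection sketch for Fog-style pre-encryption activity.

Added example for this page: the events below are constructed samples in a
Sysmon/EDR-like shape, not real telemetry, and the rule set is a starting
point rather than a complete signature library.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed for this example)."""
    host: str
    user: str
    image: str      # full path of the launched executable
    cmdline: str    # full command line as logged
    parent: str     # full path of the parent process


# (rule name, field to inspect, pattern). A rule name may appear several
# times; hits are reported once per name. Patterns are illustrative.
RULES: list[tuple[str, str, re.Pattern[str]]] = [
    ("shadow_copy_deletion", "cmdline",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", "cmdline",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_deletion", "cmdline",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("defender_tampering", "cmdline",
     re.compile(r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|"
                r"IOAVProtection|BehaviorMonitoring)\s+(?:\$true|1)\b", re.I)),
    ("defender_tampering", "cmdline",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("defender_tampering", "cmdline",
     re.compile(r"reg(?:\.exe)?\s+add\b.*Windows Defender.*DisableAntiSpyware", re.I)),
    # PsExec leaves PSEXESVC.exe on the target; either the service binary or
    # the client as image/parent is worth a look on a workstation.
    ("psexec_remote_exec", "image_or_parent",
     re.compile(r"(?:^|\\)psexe(?:c|svc)(?:64)?\.exe$", re.I)),
]


def _haystack(ev: ProcEvent, field: str) -> list[str]:
    if field == "cmdline":
        return [ev.cmdline]
    return [ev.image, ev.parent]


def classify(ev: ProcEvent) -> list[str]:
    """Return the distinct rule names that fire on one event, in rule order."""
    hits: list[str] = []
    for name, field, pattern in RULES:
        if name in hits:
            continue
        if any(pattern.search(text) for text in _haystack(ev, field)):
            hits.append(name)
    return hits


def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group hits by host so the chain (recovery off, AV off, lateral
    tooling) can be judged per machine rather than per event."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev.host, set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}


def severity(hits: list[str]) -> str:
    """Two or more distinct behaviours on one host is the pattern the
    article describes and should page someone; one alone gets reviewed."""
    return "critical" if len(hits) >= 2 else "review"


# Constructed sample telemetry: one host showing the full chain, two benign.
SAMPLE_EVENTS = [
    ProcEvent("WS-042", r"CORP\svc_backup", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS-042", r"CORP\svc_backup",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS-042", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami", r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("FS-01", r"CORP\admin", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe list shadows", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS-017", r"CORP\jdoe", r"C:\Program Files\Backup\agent.exe",
              "agent.exe --schedule nightly", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {severity(hits)} {hits}")
```

The per-host grouping is the important design choice: `vssadmin delete shadows` on its own fires during some legitimate backup maintenance, and PsExec is common in administration, but both on the same workstation alongside a Defender change is the sequence that precedes encryption. In production the same rules belong in the EDR or SIEM query language with a time window on the grouping; the script here is only meant to show the logic.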