Fog Ransomware Exploits Legitimate Monitoring Software in Sophisticated Attacks
Thu | Jun 12, 2025 | 12:10 PM PDT

A new report from Symantec and the Carbon Black Threat Hunter team reveals a concerning evolution in the Fog ransomware operation, which now leverages a rare mix of legitimate software, open-source tools, and stealthy delivery mechanisms to compromise organizations.

Fog was first identified in May 2023, when it was seen exploiting stolen VPN credentials to gain access to enterprise networks. The group quickly moved laterally using pass-the-hash techniques, disabled Windows Defender, and encrypted systems, including virtual machines. More recently, Fog has been linked to attacks exploiting vulnerabilities in Veeam Backup & Replication (VBR) servers and SonicWall SSL VPN endpoints.

Researchers have observed Fog deploying an unusual toolset in a recent attack on a financial institution in Asia. Among the tools used is Syteca (formerly known as Ekran), a legitimate employee monitoring software typically used for insider threat detection and compliance. In the hands of threat actors, however, it becomes a covert surveillance tool, capturing screen activity and keystrokes, including credentials typed by unsuspecting users.

Living off the land: legitimate tools, malicious intent

The delivery of Syteca was facilitated by Stowaway, an open-source proxy utility, and executed using SMBExec, part of the Impacket framework often used for lateral movement. The attack also incorporated GC2, a rare post-exploitation backdoor that leverages Google Sheets or Microsoft SharePoint as a command-and-control (C2) mechanism, effectively hiding malicious traffic among legitimate cloud communications.

"The real danger in this case isn't the ransom note—it's how Fog turns a simple screen recorder into a hidden camera," said Akhil Mittal, Senior Manager at Black Duck. "Security teams should keep a live map of where every monitoring app is allowed to run and flag it the moment one pops up somewhere odd."

This technique, known as living off the land, allows ransomware operators to evade endpoint detection and response (EDR) systems by using tools already trusted in enterprise environments.
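One way to turn Mittal's advice into a check, as an added example that is not from the article, Symantec's report, or any vendor's code: each process event is compared against a map of where a monitoring product is approved to run and where its binary should live. The product binary names, hosts, install path and sample events are all constructed for this example.

```python
# Added example: host allowlist check for employee-monitoring software,
# following the idea of keeping a live map of where every monitoring app
# is allowed to run. All names, hosts, paths and events are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str   # full path of the executed binary
    user: str


# Policy per product: binaries it ships (assumed names, not real Syteca
# artefacts), hosts it is approved on, and its expected install directory.
MONITORING_POLICY = {
    "Syteca": {
        "binaries": {"sytecaagent.exe", "sytecaserver.exe"},
        "allowed_hosts": {"hr-ws-01", "fin-ws-07"},
        "install_dir": r"c:\program files\syteca",
    },
}


def check_event(ev: ProcessEvent) -> list[str]:
    """Return alert strings for one process event; empty if nothing is odd."""
    alerts = []
    path = ev.image.lower().replace("/", "\\")
    exe = path.rsplit("\\", 1)[-1]
    for product, policy in MONITORING_POLICY.items():
        if exe not in policy["binaries"]:
            continue  # not a monitoring binary we track
        if ev.host.lower() not in policy["allowed_hosts"]:
            alerts.append(f"{product} on unapproved host {ev.host} ({ev.image}) by {ev.user}")
        if not path.startswith(policy["install_dir"].lower() + "\\"):
            alerts.append(f"{product} binary outside install dir on {ev.host}: {ev.image}")
    return alerts


def check_events(events) -> list[str]:
    return [a for ev in events for a in check_event(ev)]


# Constructed sample events: a normal run, a run on an unapproved server,
# and a copy of the agent executed from a temp directory.
SAMPLE_EVENTS = [
    ProcessEvent("hr-ws-01", r"C:\Program Files\Syteca\SytecaAgent.exe", "CORP\\svc_monitor"),
    ProcessEvent("dc-02", r"C:\Program Files\Syteca\SytecaAgent.exe", "CORP\\admin"),
    ProcessEvent("fin-ws-07", r"C:\Windows\Temp\SytecaAgent.exe", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for alert in check_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In practice the policy would be generated from the software inventory and the events fed from EDR or Sysmon process-creation telemetry; the point is that a trusted product showing up on a host or path where it was never deployed is the signal.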

"The threat actors known as Fog have continued to evolve, leveraging legitimate commercial software to carry out criminal activities," added James Maude, Field CTO at BeyondTrust. "This significantly reduces their chances of detection. Organizations must enforce least privilege, eliminate unnecessary local administrator rights, and tightly control what applications can be installed or executed."

Identity at the center of the attack surface

According to Maude, Fog's approach highlights the critical need for identity-centric security. By capturing credentials through tools like Syteca, attackers can potentially access not just on-prem systems, but cloud and SaaS platforms as well.

"Fog is simply reliant on overprivileged, under-controlled endpoints and exploiting the fact that legitimate applications can be used for nefarious purposes," Maude said. "With identity as the new perimeter, the desire of threat actors to harvest credentials and pivot into SaaS environments is only growing."

New tools, same goals

Trey Ford, CISO at Bugcrowd, emphasized that the use of tools like Syteca and GC2 could indicate either a new actor or an evolution of Fog's capabilities.

"The use of ordinary and legitimate corporate tools does two things for the miscreants: it allows them to potentially bypass allow-listed defenses, and it helps their C2 communications blend into normal traffic, delaying detection," Ford explained. "We should expect this as the norm—why introduce new malware when legitimate software gets the job done?"

Ford also pointed to the broader implications for the security industry. "Moments like these should encourage us to seek diverse perspectives in security testing, transparency in findings, and active vulnerability disclosure and bounty programs. Security technologies themselves must be hardened as rigorously as the environments they protect," he said.

Fog ransomware's latest tactics underscore a growing trend: attackers no longer rely solely on custom malware. Instead, they weaponize common enterprise software, embedding their activity in the normal flow of business operations. For defenders, this raises the bar for detection and response, requiring a stronger focus on identity security, application control, and anomaly detection.
