2025-06-19

Rare Tools and Post-Ransom Persistence Mark Unusual Fog Campaign

Level: Tactical | Source: Symantec | Financial


An intrusion targeting a financial institution in Asia culminated in the deployment of Fog ransomware in May 2025, according to an investigation by Symantec’s Threat Hunter Team. The attackers maintained access to the network for approximately two weeks prior to ransomware deployment, leveraging a suite of unusual tools not commonly observed in ransomware incidents. Symantec notes, "The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adaptix C2 Agent Beacon are also unusual tools to see being used in a ransomware attack." Syteca, an employee monitoring solution, was paired with open-source red-team tools GC2, Adaptix, and Stowaway, revealing a level of operational complexity not typically associated with ransomware operators. Another anomaly was the establishment of service-based persistence even after the ransomware was deployed—an uncommon tactic for financially motivated actors. Symantec observed, "This is an unusual step to see in a ransomware attack, with malicious activity usually ceasing on a network once the attackers have exfiltrated data and deployed the ransomware, but the attackers in this incident appeared to wish to retain access to the victim’s network."

While the initial intrusion vector remains unknown, two of the reported compromised systems were Microsoft Exchange servers, which have historically been targets for exploitation. The first signs of attacker activity involved the installation of red-team tools, followed by native Windows reconnaissance commands such as "whoami," "net," "ipconfig," and "netstat." Shortly after, Syteca was launched using "regsvr32.exe," loading DLLs related to sound capture and credential monitoring, suggesting its use for surveillance functions such as screen capture and keylogging. The attackers later attempted to evade detection by executing "taskkill" commands to terminate Syteca-related processes and by removing its binaries and configurations using PsExec. Symantec documented specific command executions aimed at removing Syteca indicators across various endpoints and public folders.

Lateral movement across the network was facilitated using PsExec and SMBExec. PsExec was used to launch GC2 on remote hosts and to delete traces of Syteca, while SMBExec was employed to distribute Syteca executables. GC2, an open-source command-and-control platform that communicates via Google Sheets and SharePoint Lists, enabled the attackers to issue remote commands, upload and download files, and execute shellcode, features comparable to those of traditional commercial C2 frameworks. Additional tooling included Adaptix C2 Agent Beacon, used to maintain access through encrypted callbacks, and Process Watchdog, used to ensure GC2 remained continuously operational. Data collection and exfiltration relied on 7-Zip, with FreeFileSync and MegaSync used to offload the stolen data.

The final phase of the attack involved the deployment of Fog ransomware, followed by actions indicative of persistence planning rather than the withdrawal typically seen after ransomware deployment. Impacket SMB tooling was used on the day of ransomware execution, likely to push the payload. Days later, the attackers registered a Windows service named “SecurityHealthIron” to run a binary tied to GC2, using the sc create command to configure it for auto-start. This persistence technique points to long-term access planning, deviating from typical ransomware operations focused solely on encryption and extortion. Symantec’s findings raise the possibility of espionage objectives disguised beneath a ransomware incident, or a hybrid operation combining data theft and financial extortion under one campaign.
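The post-ransom persistence step above is a good hunting target: a new auto-start service registered with sc create whose binary does not live under a trusted program directory. The following Python is an added example written for this summary, not code from Symantec or Anvilogic; the process-creation events, host names and the binary path are constructed placeholders (only the service name SecurityHealthIron comes from the report).

```python
"""Hunt for 'sc create' auto-start services backed by binaries in untrusted locations."""
import re
from typing import Dict, List, Optional

# Directories from which a legitimately installed auto-start service normally runs.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)(?P<rest>.*)", re.I)
BINPATH = re.compile(r'binpath=\s*(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)
START = re.compile(r"start=\s*(?P<mode>\S+)", re.I)

def parse_sc_create(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {name, binpath, start} for an 'sc create' command line, else None."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    rest = m.group("rest")
    bp, st = BINPATH.search(rest), START.search(rest)
    binpath = (bp.group("q") or bp.group("u") or "").strip() if bp else ""
    # sc create defaults to demand start when no start= argument is given.
    return {"name": m.group("name"), "binpath": binpath,
            "start": st.group("mode").lower() if st else "demand"}

def is_suspicious(svc: Dict[str, str]) -> bool:
    """Flag auto-start services whose executable lives outside trusted directories."""
    path = svc["binpath"].lower()
    # binPath may carry arguments after the executable; keep only the path portion.
    exe = path.split(".exe")[0] + ".exe" if ".exe" in path else path
    return svc["start"] == "auto" and not exe.startswith(TRUSTED_DIRS)

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious 'sc create' seen in process-creation events."""
    findings = []
    for ev in events:
        svc = parse_sc_create(ev["cmdline"])
        if svc and is_suspicious(svc):
            findings.append({"ts": ev["ts"], "host": ev["host"], **svc})
    return findings

# Constructed sample events (hosts and binary paths are placeholders, not incident IoCs).
SAMPLE_EVENTS = [
    {"ts": "2025-05-20T02:14:09Z", "host": "EXCH01",
     "cmdline": r'sc create SecurityHealthIron binPath= "C:\ProgramData\sh\update.exe" start= auto'},
    {"ts": "2025-05-20T02:15:30Z", "host": "WKS17",
     "cmdline": r'sc.exe create Spooler2 binPath= C:\Users\Public\svc.exe start= auto'},
    {"ts": "2025-05-20T08:00:00Z", "host": "APP03",
     "cmdline": r'sc create BackupAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
    {"ts": "2025-05-20T09:00:00Z", "host": "APP03", "cmdline": "sc query SecurityHealthService"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']}: auto-start service {f['name']} -> {f['binpath']}")
```

Correlating such findings with a recent ransomware detonation on the same network is what separates this hunt from routine software-install noise.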
