Unusual Toolset Behind Fog Ransomware Prompts Fresh Security Concerns

A newly discovered ransomware operation dubbed Fog is raising fresh concerns in the cybersecurity community after researchers found it leveraging a highly unusual mix of legitimate business software and open-source offensive security tools. The campaign, observed in June 2025, is part of a growing trend where cybercriminals are repurposing trusted programs to evade traditional detection methods and maximise their post-exploitation capabilities.

The attackers behind Fog aren’t simply deploying encryption and demanding payment; they’re laying the groundwork for stealth and persistence. Their toolkit includes Syteca employee-monitoring software, legitimate Windows utilities such as PsExec, and open-source penetration testing tools, including GC2 (a backdoor that takes its commands from Google Sheets), the Stowaway proxy, Sliver, and Ligolo. Because each of these tools is either signed commercial software or a widely used administration or red-team utility, the combination lets the attackers disable security systems, move laterally across networks, exfiltrate data, and monitor victims while blending in with activity that signature-based defences are typically tuned to allow.
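The practical takeaway from that toolkit is that the individual pieces are still observable if you hunt for them as behaviours rather than as malware. The script below is an added example, not code from the article, from Symantec or from SecureFlag: it walks a handful of constructed Windows event records (not real incident data) and flags two of the signals named above, a PsExec service installation (the PSEXESVC service that PsExec registers by default) and a non-browser process connecting to the Google API hosts that GC2 uses for tasking and exfiltration. The Syteca service name and path, the process names treated as expected Google clients, and the simplified event schema are assumptions for this example and would need tuning to a real environment.

```python
"""Hunt exported Windows event records for living-off-the-land signals
associated with the Fog toolset: PsExec service installation, an
unexpected monitoring-agent install, and GC2-style traffic to Google APIs
from a process that is not a browser.

All records below are constructed for this example; none come from a
real incident.  The field names are a simplified export schema, not the
raw EVTX layout.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample events, shaped like a simplified export of
# System log 7045 (service installed) and Sysmon 3 (network connection).
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7045, "host": "FS01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Hypothetical path/name for the Syteca agent; check your own deployment.
    {"channel": "System", "event_id": 7045, "host": "FS01",
     "service_name": "Syteca", "image_path": r"C:\Program Files\Syteca\agent.exe"},
    {"channel": "Sysmon", "event_id": 3, "host": "WS07",
     "image": r"C:\Users\Public\updater.exe",
     "dest_host": "sheets.googleapis.com", "dest_port": 443},
    {"channel": "Sysmon", "event_id": 3, "host": "WS07",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "sheets.googleapis.com", "dest_port": 443},
    {"channel": "Sysmon", "event_id": 3, "host": "WS07",
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "login.microsoftonline.com", "dest_port": 443},
]

# Default service name PsExec registers on the target.  An operator can
# rename it with -r, so a hit is high confidence but a miss proves nothing.
PSEXEC_SERVICE = "psexesvc"

# Google API endpoints GC2 uses for its Sheets command channel and Drive
# exfiltration.  Legitimate software also talks to these, hence the
# process allow-list below rather than a blanket alert.
GOOGLE_C2_HOSTS = {
    "sheets.googleapis.com", "www.googleapis.com",
    "docs.google.com", "drive.google.com",
}

# Assumption for this example: processes expected to reach Google APIs.
# Tune this to the software actually sanctioned in your estate.
EXPECTED_GOOGLE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Return the file name portion of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per suspicious event, in input order."""
    findings: list[Finding] = []
    for ev in events:
        if ev.get("channel") == "System" and ev.get("event_id") == 7045:
            name = ev.get("service_name", "")
            image = ev.get("image_path", "")
            if name.lower() == PSEXEC_SERVICE or PSEXEC_SERVICE in image.lower():
                findings.append(Finding(ev["host"], "psexec_service_installed",
                                        f"service {name} installed from {image}"))
            # Syteca is named here because the article reports it; any
            # remote-monitoring agent appearing outside a sanctioned rollout
            # deserves the same ticket.
            elif "syteca" in (name + image).lower():
                findings.append(Finding(ev["host"], "monitoring_agent_installed",
                                        f"service {name} installed from {image}"))
        elif ev.get("channel") == "Sysmon" and ev.get("event_id") == 3:
            dest = ev.get("dest_host", "").lower()
            proc = _basename(ev.get("image", ""))
            if dest in GOOGLE_C2_HOSTS and proc not in EXPECTED_GOOGLE_CLIENTS:
                findings.append(Finding(ev["host"], "google_api_from_unexpected_process",
                                        f"{proc} -> {dest}:{ev.get('dest_port')}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:36} {f.detail}")
```

On the constructed input the script raises three findings: the PSEXESVC install, the Syteca install, and updater.exe reaching sheets.googleapis.com; Chrome reaching the same host and svchost.exe reaching Microsoft are left alone. The allow-list is what makes the GC2 rule usable at all, since the whole point of a Google Sheets command channel is that the destination looks normal; the process making the connection is the part the attacker cannot make look normal.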

“Fog ransomware’s use of legitimate tools such as Syteca, combined with open-source pen testing tools, shows how attackers are finding new ways to bypass standard security measures,” said Nicolette Carklin, technical writer at SecureFlag. “It’s an indication that security can’t rely on traditional defences alone, and that secure development practices need to be part of the process to reduce these kinds of risks.”

Indeed, Fog’s stealthy nature is what sets it apart. Rather than exploiting exotic zero-day vulnerabilities, the threat actors focus on avoidable weaknesses, including poor configuration, credential mismanagement, and unmonitored third-party components, all of which can be addressed if they are identified early in the development lifecycle.

“This attack is a pertinent reminder that many of these trusted tools exploit weaknesses that arise during software design, implementation, or configuration, areas where developer awareness can make a significant dif ..