
The criminal syndicate behind the Fog malware has adopted an unorthodox arsenal of tools for its campaigns, combining legitimate surveillance software with rare open-source utilities. This eclectic toolkit enabled the attackers to circumvent conventional defenses and conduct covert espionage operations within compromised networks.
The group’s activity was first identified in May 2024, when threat actors infiltrated victim environments by exploiting compromised VPN credentials. Once inside, they employed pass-the-hash techniques to escalate privileges, disabled Windows Defender’s built-in protections, and encrypted vast swathes of data, including virtual machine images. Over time, the operators expanded their attack surface by exploiting vulnerabilities in Veeam Backup & Replication servers and insecure SSL VPN devices manufactured by SonicWall.
A new surge in the group’s operations was detected in May by researchers at Symantec and analysts from Carbon Black during an investigation into an incident at a financial institution in Asia. This time, the threat actors deployed an array of tools seldom seen in ransomware campaigns, showcasing a level of sophistication that defied precedent.
Among the most unexpected discoveries was Syteca (formerly Ekran), a legitimate corporate surveillance application designed to monitor employees by recording screens and logging keystrokes. In the hands of cybercriminals, however, such software becomes a formidable instrument for stealthily harvesting login credentials entered by unsuspecting users.
To deploy Syteca, the attackers utilized Stowaway, an open-source proxy utility that enables covert file transfers and connection management. Execution was orchestrated via SMBExec—a counterpart to PsExec bundled within the widely used Impacket library, often employed for lateral movement across networks.
Another remarkable inclusion was GC2, a post-exploitation tool rarely seen in ransomware operations. Controlled via Google Sheets or Microsoft SharePoint, GC2 can serve as a communication channel to the command-and-control server or as a means of exfiltrating sensitive data. Previously, it had only been observed in campaigns attributed to the Chinese APT group APT41.
Additional components of Fog’s toolkit included:
- Adapt2x — a Cobalt Strike alternative used for post-exploitation activities;
- Process Watchdog — a monitoring utility that ensures the persistence of critical system processes;
- PsExec — Microsoft’s classic remote execution tool;
- Impacket SMB — a Python library for interfacing with the SMB protocol, likely used to deploy the ransomware payload itself.
For data staging and exfiltration, the attackers leveraged a combination of tools: 7-Zip for compression, and MegaSync and FreeFileSync for file transfers to external infrastructure.
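Because each tool above is legitimate on its own (7-Zip, sync clients, employee-monitoring software), a defender gains more from flagging their co-occurrence on one host than from alerting on any single binary. The following script is an added illustration, not code from the report or from any of the vendors named; the log lines are constructed, the process-name indicators are assumptions for demonstration, and the `\\127.0.0.1\C$\__output` redirection is the well-known default output path of Impacket's smbexec rather than an indicator taken from the report.

```python
import re
from collections import defaultdict

# Category -> regexes matched against the lowercased command line.
# Indicator names are assumptions for illustration, not IoCs from the report;
# legitimately deployed Syteca/MEGAsync installs must be baselined first.
TOOL_CATEGORIES = {
    "surveillance": [r"syteca", r"ekran"],
    "proxy": [r"stowaway"],
    "lateral_movement": [r"psexec", r"smbexec", r"\\\\127\.0\.0\.1\\c\$\\__output"],
    "staging": [r"\b7z(a|g)?\.exe\b"],
    "exfil": [r"megasync", r"freefilesync"],
}

# Constructed sample of process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("ws-017", r"C:\Windows\System32\cmd.exe /Q /c whoami 1> \\127.0.0.1\C$\__output 2>&1"),
    ("ws-017", r"C:\ProgramData\st\stowaway.exe -l 9999"),
    ("ws-017", r"C:\Program Files\Syteca\agent.exe --install"),
    ("fs-02",  r"C:\Program Files\7-Zip\7z.exe a D:\stage\data.7z D:\Finance"),
    ("fs-02",  r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe"),
    ("hr-pc",  r"C:\Program Files\7-Zip\7z.exe x C:\Users\amy\Downloads\report.7z"),
]

def categorize(cmdline):
    """Return the set of tool categories a single command line matches."""
    text = cmdline.lower()
    return {cat for cat, pats in TOOL_CATEGORIES.items()
            if any(re.search(p, text) for p in pats)}

def score_hosts(events, threshold=2):
    """Collect matched categories per host and flag hosts that reach the
    threshold of distinct categories. One 7-Zip run is routine; compression
    plus a sync client, or a proxy plus surveillance software, is the
    combination the report describes."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host] |= categorize(cmdline)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= threshold}

if __name__ == "__main__":
    for host, cats in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
```

In practice the events would come from Sysmon Event ID 1 or EDR process telemetry, and the threshold and indicator lists would be tuned against the environment's known-good software inventory.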
Symantec researchers emphasize that the tools employed in this campaign render it highly atypical. The use of legitimate enterprise-grade software and obscure command-and-control mechanisms, such as Syteca and GC2, had not previously been observed in ransomware operations. This strategy aids adversaries in evading detection systems, prolonging their presence within compromised networks and increasing the overall impact of their campaigns.