Fog Ransomware Uses Pentesting Tools to Steal Data and Launch Attacks

Fog ransomware incidents in recent years have exposed a dangerous new trend in cybercrime: hackers are using open-source penetration testing tools and genuine staff monitoring software to breach networks, steal confidential data, and initiate ransomware attacks.

This unprecedented blend of tactics has targeted major financial institutions, raising alarms among cybersecurity professionals.

Unprecedented Toolset in a Ransomware Attack

A May 2025 attack on an Asian financial institution involved the deployment of Fog ransomware, accompanied by a highly unusual toolset.

Among the novel features was the use of Syteca (formerly Ekran), a legitimate employee monitoring software. This marks a rare event, as Syteca is not typically associated with ransomware campaigns.

Additionally, the attackers introduced several open-source penetration testing tools like GC2, Adaptix, and Stowaway tools not commonly seen in ransomware operations.

GC2, for example, is an open-source tool that uses Google Sheets or Microsoft SharePoint Lists as ...