Fog ransomware hackers, known for targeting US educational institutions, are now using the legitimate employee monitoring software Syteca and several open-source pen-testing tools alongside their usual encryption.
While investigating a May 2025 attack on an unnamed financial institution in Asia, Symantec researchers spotted hackers using Syteca (formerly Ekran) and several pen-testing tools, including GC2, Adaptix, and Stowaway, a behavior they found “highly unusual” in a ransomware attack chain.
Reflecting on the shift in Fog’s tactics, Bugcrowd’s CISO, Trey Ford, said, “We should expect the use of ordinary and legitimate corporate software as the norm—we refer to this as ‘living off the land’. Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when ‘allowable’ software gets the job done for them?”