Catching the Uncatchable: How Blackswan MDR + Open XDR Stops Advanced Threats Like Fog Ransomware

In today’s cyber threat landscape, it’s not the obvious attacks that slip past defenses—it’s the stealthy ones. The recent Fog ransomware attack, detailed by Symantec, shows just how quietly sophisticated ransomware groups have become. But this kind of multi-stage, tool-heavy campaign is exactly the type of threat Blackswan Cybersecurity’s MDR and Open XDR are built to detect.

Stopping Stealth Attacks with MDR + XDR

What Happened in the Fog Ransomware Attack?

In May 2025, a financial institution in Asia was hit by a Fog ransomware campaign that involved more than just encryption and extortion. The attackers spent two weeks inside the network, leveraging a mix of legitimate admin tools, open-source pentesting utilities, and espionage techniques. Key tools included:

  • GC2: A command-and-control tool previously linked to China’s APT41, using Google Drive and SharePoint for stealthy data exfiltration.
  • Syteca: A legitimate employee monitoring tool repurposed for keylogging and screen capture.
  • Adaptix C2, Stowaway, PsExec, SMBExec: For lateral movement, persistence, and post-exploitation.
  • FreeFileSync and MEGAsync: For fast, quiet data exfiltration.

The campaign blended espionage tactics with ransomware deployment—suggesting this wasn’t just about money. It was about persistence, stealth, and data access.


Why This Should Worry You—Even If You’re Not a Global Bank

While this attack targeted a financial organization, it mirrors what we see in U.S. education, local government, and credit union environments every day. These industries often lack the internal resources to monitor complex, blended attacks—making them prime targets for threat actors using these exact methods.


How Blackswan MDR + Open XDR Stops This Threat Pattern Cold

Blackswan Cybersecurity’s 24/7 Managed Detection & Response (MDR) and Open XDR platform (powered by Stellar Cyber) are purpose-built for detecting advanced tactics like those used in the Fog attack.

  • High-Fidelity Ingestion: Our platform integrates logs, telemetry, and endpoint signals from across your environment—no blind spots. We’d catch GC2’s abnormal communication paths, even when disguised as SharePoint traffic.
  • Anomaly Detection: Lateral movement via PsExec or unusual service creation? Flagged instantly by our AI-driven correlation engine.
  • Threat Intelligence Correlation: Tools like Adaptix and Stowaway are already mapped to known attacker TTPs in our XDR engine, thanks to continuous threat intel updates.
  • Expert Human Analysis: Every alert is reviewed by trained analysts—ensuring we catch what automation can’t and minimize false positives.
  • Rapid Incident Response: If something slips through, we don’t wait. Our MDR team responds fast—containing threats before they cause disruption or data loss.
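As an added illustration of the "PsExec or unusual service creation" signal mentioned above (example code written for this post, not Blackswan's or Stellar Cyber's detection logic): Windows records every service installation as System event ID 7045, and PsExec's default service name is PSEXESVC, so a small rule set over those events catches the most common PsExec-style lateral movement and the look-alikes other remote-execution tools leave behind. The event records below are constructed, and the path list and the random-name heuristic are simplified stand-ins for what a production engine would score.

```python
"""Flag suspicious Windows service installs (System event ID 7045).

Added example, not vendor code. Three rules are applied to each 7045 record:
  1. the default PsExec service name or binary (PSEXESVC),
  2. a service binary launched from a network share, temp or profile path,
  3. a service name that looks machine-generated (short, vowel-poor token).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample records, not real telemetry. Keys mirror the fields of a
# 7045 "A service was installed in the system" event.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "FS01", "event_id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"host": "WS07", "event_id": 7045, "service": "Dell SupportAssist Agent",
     "image": r"C:\Program Files\Dell\SupportAssist\bin\SupportAssistAgent.exe",
     "account": "LocalSystem"},
    {"host": "DC01", "event_id": 7045, "service": "kqzfxlwb",
     "image": r"\\FS01\ADMIN$\kqzfxlwb.exe", "account": "LocalSystem"},
    {"host": "WS12", "event_id": 7045, "service": "WinUpdateSvc",
     "image": r"C:\Windows\TEMP\svchost.exe", "account": "LocalSystem"},
    # A service state change (7036), not an install: the scanner ignores it.
    {"host": "WS03", "event_id": 7036, "service": "Spooler"},
]

# Locations a legitimately installed service binary rarely lives in
# (illustrative list, not exhaustive): UNC paths, temp and profile folders.
SUSPICIOUS_PATH = re.compile(
    r"(^\\\\|\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    service: str
    image: str
    reasons: List[str] = field(default_factory=list)


def looks_machine_generated(name: str) -> bool:
    """Heuristic: a single lowercase alphanumeric token of 6-12 chars with
    almost no vowels. A crude stand-in for real entropy scoring."""
    if not re.fullmatch(r"[a-z0-9]{6,12}", name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.2


def evaluate(event: Dict) -> List[str]:
    """Return the list of rule names a single 7045 record trips (empty if none)."""
    service = event.get("service", "")
    image = event.get("image", "")
    reasons = []
    if "psexesvc" in service.lower() or "psexesvc" in image.lower():
        reasons.append("psexec_default_service_name")
    if SUSPICIOUS_PATH.search(image):
        reasons.append("service_binary_from_suspicious_path")
    if looks_machine_generated(service):
        reasons.append("machine_generated_service_name")
    return reasons


def scan(events: List[Dict]) -> List[Finding]:
    """Run the rules over a batch of System log records and collect findings."""
    findings = []
    for event in events:
        if event.get("event_id") != 7045:
            continue  # only service installs are in scope here
        reasons = evaluate(event)
        if reasons:
            findings.append(Finding(event["host"], event["service"],
                                    event.get("image", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: service '{f.service}' ({f.image}) -> {', '.join(f.reasons)}")
```

On the constructed batch the scanner raises three findings (FS01 for the PSEXESVC name, DC01 for a random-looking service installed from an ADMIN$ share, WS12 for a service binary in a temp folder) and leaves the vendor agent and the 7036 record alone; in practice the same 7045 feed is correlated with the 4624 logon that preceded it to attribute the install to a source host and account.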


We Regularly Catch Attacks Like This

Whether it starts with a phishing email, vulnerable server, or abused VPN credentials, our MDR + XDR stack turns complex, multi-tool attacks into manageable signals. This isn’t just theoretical—it’s how we catch threats before encryption starts and while attackers are still moving laterally.

We’re proud to protect school districts, government agencies, and credit unions from the very threats making headlines—without overwhelming their internal teams.


Ready to See It in Action?
Let’s talk about how Blackswan Cybersecurity can help your organization detect and defeat advanced attacks—before they turn into a breach.
