In May 2025, an unnamed financial institution in Asia was targeted by Fog ransomware hackers. The attackers used the legitimate employee-monitoring software Syteca (formerly Ekran) and several open-source pen-testing tools, including GC2, Adaptix, and Stowaway. This tactic, described as 'living off the land,' allowed the attackers to operate more stealthily, reducing the likelihood of detection. The use of legitimate software in the attack chain was deemed highly unusual and reflects a shift in the tactics employed by Fog hackers.
TPRM report: https://scoringcyber.rankiteo.com/company/jpmorganchase
"id": "jpm602061325",
"linkid": "jpmorganchase",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Finance',
                        'location': 'Asia',
                        'type': 'Financial Institution'}],
 'attack_vector': 'Legitimate software and open-source pen-testing tools',
 'date_detected': 'May 2025',
 'description': 'Fog ransomware hackers used legitimate employee monitoring '
                'software Syteca and several open-source pen-testing tools '
                'alongside usual encryption to attack an unnamed financial '
                'institution in Asia.',
 'investigation_status': 'Investigation ongoing',
 'lessons_learned': 'Expect the use of ordinary and legitimate corporate '
                    'software as the norm in ransomware attacks.',
 'motivation': 'Financial Gain',
 'ransomware': {'data_encryption': True, 'ransomware_strain': 'Fog'},
 'references': [{'source': 'Symantec researchers'}],
 'response': {'third_party_assistance': 'Symantec researchers'},
 'threat_actor': 'Fog Ransomware Hackers',
 'title': 'Fog Ransomware Attack on Financial Institution',
 'type': 'Ransomware'}