IT Security Guru
Unusual Toolset Behind Fog Ransomware Prompts Fresh Security Concerns

by The Gurus
June 13, 2025
in Featured

A newly discovered ransomware operation dubbed Fog is raising fresh concerns in the cybersecurity community after researchers found it leveraging a highly unusual mix of legitimate business software and open-source offensive security tools. The campaign, observed in June 2025, is part of a growing trend where cybercriminals are repurposing trusted programs to evade traditional detection methods and maximise their post-exploitation capabilities.

The attackers behind Fog aren’t simply deploying encryption and demanding payment; they’re laying the groundwork for stealth and persistence. Their toolkit includes Syteca employee-monitoring software, legitimate Windows utilities such as PsExec, and open-source penetration testing tools, including GC2 (a Google Sheets–based backdoor), Stowaway proxy, Sliver, and Ligolo. The combination of these tools allows the attackers to disable security systems, move laterally across networks, exfiltrate data, and monitor victims—all without triggering the usual alarms.

“Fog ransomware’s use of legitimate tools such as Syteca, combined with open-source pen testing tools, shows how attackers are finding new ways to bypass standard security measures,” said Nicolette Carklin, technical writer at SecureFlag. “It’s an indication that security can’t rely on traditional defences alone, and that secure development practices need to be part of the process to reduce these kinds of risks.”

Indeed, Fog’s stealthy nature is what sets it apart. Rather than exploiting exotic zero-day vulnerabilities, threat actors focus on exploiting avoidable weaknesses, including poor configuration, credential mismanagement, and unmonitored third-party components, all of which can be addressed if detected early in the development lifecycle.

“This attack is a pertinent reminder that many of these trusted tools exploit weaknesses that arise during software design, implementation, or configuration, areas where developer awareness can make a significant difference,” Carklin added. “For example, improper credential handling, overly permissive access rights, and unmonitored third-party components create openings for these kinds of post-exploitation tactics. The attackers’ use of pass-the-hash techniques and n-day exploits also highlights the need for secure configuration and prompt patching to close off potential entry points.”

The broader lesson from Fog is that trust can no longer be assumed, especially when it comes to widely used business applications. The campaign’s misuse of Syteca’s screen monitoring functionality, for example, turned a standard workplace productivity tool into a covert surveillance asset. This blurring of lines between legitimate software and malicious intent is emblematic of a new kind of ransomware playbook – one that doesn’t just demand a ransom but also quietly siphons data in the background.

“The real danger in this case isn’t the ransom note, it’s how Fog turns a simple screen-recorder into a hidden camera,” warned Akhil Mittal, senior security consulting manager at Black Duck. “Software is an essential driver of growth and innovation for every company; however, business apps we install on autopilot can suddenly become spy tools, which means trust is the weak spot. Security teams should maintain a live map of where every monitoring app is authorised to run and flag it the moment one appears in an unexpected location. For example, if HR software runs on a database server, that’s your warning sign.”

Nivedita Murthy, senior security consultant at Black Duck, added, “The use of legitimate open-source tools for malicious purposes is interesting. This reiterates the need to monitor the use of open-source software within the organisation. Open-source software can be updated by anyone unless the developer has restricted contributions to the code. It is also important to check how often these tools are updated and test them in a sandbox before implementing them within an organisation’s network. As part of this test, you should also check for all calls outside of the network or any changes in privileges. It is also important to do a regular inventory audit of all tools and software installed on your system to check for any outliers.”
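The two recommendations above, a live map of where each monitoring tool is authorised to run and a regular inventory audit for outliers, can be combined into one check. The following is an added illustration, not code from the article or from either expert; the host roles, the authorisation policy, the tool names treated as unexpected, and the inventory records are all constructed for the example.

```python
"""Added example: flag monitoring and admin tools on hosts where policy does not
authorise them, and flag tools that are not in the approved catalogue at all."""
from collections import namedtuple

Host = namedtuple("Host", "name role software")

# Assumed policy for illustration: host roles each sensitive tool may run on.
AUTHORISED_ROLES = {
    "syteca-agent": {"hr-workstation"},   # employee monitoring: HR desktops only
    "psexec": {"admin-jumpbox"},          # remote execution: jump hosts only
}
# Tools never approved in this environment; any sighting is an outlier.
UNEXPECTED_TOOLS = {"sliver", "ligolo", "stowaway", "gc2"}

# Constructed inventory export, one host per line: name,role,app1;app2;...
INVENTORY = """\
hr-ws-01,hr-workstation,syteca-agent;office-suite
db-srv-02,database-server,postgres;syteca-agent
jump-01,admin-jumpbox,psexec;ssh-client
web-srv-03,web-server,nginx;psexec;ligolo
"""

def parse_inventory(text):
    """Parse the export into Host records; the software field is a set."""
    hosts = []
    for line in text.strip().splitlines():
        name, role, apps = line.split(",", 2)
        hosts.append(Host(name, role, {a for a in apps.split(";") if a}))
    return hosts

def find_violations(hosts, authorised=AUTHORISED_ROLES, unexpected=UNEXPECTED_TOOLS):
    """Return (host, tool, reason) for every tool outside its authorised roles
    or outside the approved catalogue; hosts that match policy produce nothing."""
    findings = []
    for h in hosts:
        for tool in sorted(h.software):
            if tool in unexpected:
                findings.append((h.name, tool, "tool not in approved catalogue"))
            elif tool in authorised and h.role not in authorised[tool]:
                findings.append((h.name, tool, f"not authorised on role {h.role}"))
    return findings

if __name__ == "__main__":
    for host, tool, reason in find_violations(parse_inventory(INVENTORY)):
        print(f"ALERT {host}: {tool} ({reason})")
```

Run against the constructed inventory, the monitoring agent on the database server and the two unexpected tools on the web server are flagged, while the HR workstation and the jump host produce no findings.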

Murthy’s warning adds a layer of urgency to open-source governance practices, especially as many organisations adopt DevOps and shift-left security strategies. Without proper vetting, sandbox testing, and ongoing inventory monitoring, even seemingly harmless tools can become a foothold for ransomware actors seeking stealth and persistence.

This situational awareness is key. Experts agree that reactive cybersecurity strategies, those focused solely on detection and response, are no longer sufficient. Instead, prevention must begin at the earliest stages of software development, where misconfigurations and exploitable code paths can be designed out of the product altogether.

“Developing software with a ‘secure by design’ mindset and equipping developers to recognise potential abuse paths remains one of the most effective ways to limit the impact of such attacks,” Carklin said. “Prevention begins not only in the SOC but also at the design and development stages, where threat modeling, secure coding, and understanding attacker techniques can reduce the risk of exploitation later in the pipeline.”

Fog’s tactics are a powerful reminder that the battleground for ransomware is no longer limited to the endpoint. It now spans the entire software and infrastructure lifecycle, from the design decisions of developers to the deployment practices of IT teams and the trust assumptions of end users. Organisations hoping to defend against these next-generation threats must combine secure coding, proactive software governance, and continuous monitoring into a unified cybersecurity strategy.

© 2015 - 2024 IT Security Guru - Website Managed by Dessol