Research from Symantec and the Carbon Black Threat Hunter team reveals that the Fog ransomware group utilizes an uncommon toolset, including open-source pentesting utilities and Syteca, a legitimate employee monitoring software. 

Security Leaders Weigh In

Mr. Akhil Mittal, Senior Manager at Black Duck:

The real danger in this case isn’t the ransom note — it’s how Fog turns a simple screen-recorder into a hidden camera. Software is an essential driver of growth and innovation for every company; however, business apps we install on autopilot can suddenly become spy tools, which means trust is the weak spot. Security teams should keep a live map of where every monitoring app is allowed to run and flag it the moment one pops up somewhere odd. For example, if HR software runs on a database server, that’s your warning sign.

Shane Barney, Chief Information Security Officer at Keeper Security: 

Today’s attackers don’t loudly break in — they quietly blend in. The Fog ransomware group is a prime example, orchestrating well-planned intrusions that blur the line between cybercrime and espionage. Instead of relying solely on malware, they’re combining legitimate employee monitoring software with open-source penetration tools to build attack chains that are both covert and highly effective. Living Off The Land (LOTL) is a fileless malware technique where the cybercriminal uses native, legitimate tools within the victim’s system to sustain and advance an attack. Tools like Syteca, typically used to track insider activity, are being repurposed to silently harvest credentials and monitor employee behavior in real time. That’s a chilling evolution.

This level of creativity isn’t an outlier — it reflects a growing trend. Ransomware groups are becoming highly adaptable, resourceful adversaries who operate outside of traditional playbooks. The damage extends beyond encrypted files; it’s about the loss of control, visibility and trust in your systems long before the ransom demand is made.  LOTL attacks are far more difficult to detect with common security tools.  This provides the attacker with the dwell time necessary to escalate privileges, steal data and set backdoors for future access.

To defend against these threats, organizations must take a modern, proactive approach to security. That means locking down credentials, limiting privileged access and continuously monitoring for unusual activity across remote access points and backup infrastructure. Organizations also need to stop relying on Indicators of Compromise (IOCs) alone and incorporate the use of Indicators of Attack (IOAs) as part of their security program.   The goal isn’t just prevention — it’s resilience.

Trey Ford, Chief Information Security Officer at Bugcrowd:

Tactics, techniques, procedures (TTPs) are used as fingerprints to identify actor groups — when common tools, platforms, or infrastructure are used, we gain confidence as defenders in our hypothesis on which Threat Actor group we're dealing with. The appearance of new tool kits in play could speak to the evolution of existing actors, or a newly formed group emerging.

The use of ordinary and legitimate corporate tools does two things for the miscreants:

1. It may allow accidental bypass from other security tools in an environment, as known software is baked into allow-listing groups which may have been enabled. In this case the use of Syteca for gathering credentials and monitoring the environment may have been ignored by security tooling.
2. The use of expected productivity platforms (e.g. Google Sheets or Microsoft SharePoint) for command and control (C2) would have blended in a bit more with normalized corporate traffic, increasing the time to detect, and slowed investigations a bit.

We should expect the use of ordinary and legitimate corporate software as the norm — we refer to this as living off the land. Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when “allowable” software gets the job done for them?

We have long seen Threat Actors exploiting vulnerability research in security technologies, and for good reason. The old adages here ring true (“the cobbler’s kids have no shoes” and “never drive the mechanic’s car”) in that security software can't ever have enough scrutiny. The eternal vigilance required to build self-defending security platforms knows no end. Moments like these should encourage us to seek diverse perspectives in security testing, transparency in findings, and active vulnerability disclosure and bounty programs incentivizing partnership with the research community.