
Cybersecurity researchers have uncovered a publicly accessible server operated by an affiliate of the Fog ransomware group, revealing a suite of tools and scripts designed for Active Directory exploitation. The server, hosted at 194.48.154.79:80, contained reconnaissance, credential theft, lateral movement, and persistence mechanisms, according to findings by The DFIR Report's Threat Intel Group [1]. This discovery highlights the group's evolving tactics, which include leveraging known vulnerabilities like Zerologon (CVE-2020-1472) and noPac (CVE-2021-42278) for lateral movement [2].
Key Findings and Attack Chain
The Fog ransomware group, first observed in April 2024, has targeted sectors such as education (19%), technology (17%), and manufacturing (15%) [3]. Their attack chain begins with phishing emails containing malicious ZIP attachments or exploited VPN credentials (CVE-2023-0656). Once inside, attackers deploy PowerShell scripts like stage1.ps1 and lootsubmit.ps1 to deliver payloads in memory. Persistence is achieved through startup folder modifications, often masquerading as legitimate processes like Adobe Acrobat.exe [4].
Lateral movement relies on tools such as Cobalt Strike, NetExec, and Impacket, while data exfiltration occurs via MEGAsync or direct uploads to attacker-controlled servers. Notably, the group uses the Wigle.net API to geolocate victims based on router BSSIDs [5].
Tools and Techniques
The open directory revealed several specialized tools:
Tool | Function |
---|---|
Certipy | Exploits Active Directory Certificate Services for privilege escalation |
DonPAPI | Extracts DPAPI credentials from browsers and vaults |
Havoc C2 | Post-exploitation framework embedded in ktool.exe |
MITRE ATT&CK mappings include T1078 (Valid Accounts) for VPN abuse and T1486 (Data Encrypted for Impact) for file encryption [6].
Indicators of Compromise (IoCs)
Critical IoCs from the investigation include:
- Payloads: SHA-256 hashes B6360765c786ceee0eb28bee64709172b4e2e066449968e011390be1afd8f36c (Fog) and 3d2cbef9be0c48c61a18f0e1dc78501ddabfd7a7663b21c4fcc9c39d48708e91 (DOGE variant)
- C2 servers: IP 194.48.154.79 (Sliver C2) and URL hxxps://hilarious-trifle-d9182e.netlify[.]app/stage1[.]ps1
Recommendations for Mitigation
Organizations should prioritize patching Zerologon and noPac vulnerabilities, enforce MFA for VPN/RDP access, and monitor for anomalous PowerShell activity. Offline backups and dark web monitoring for leaked data are also critical [7].
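To turn the indicators published above into a local check, here is an added Python example (not code from the article or from any of the cited reports) that refangs the defanged indicators and matches them against constructed sample log lines; the log format and field names are assumed.

```python
import re

# Indicators quoted from the article above, kept in the defanged form in which it publishes them.
FOG_IOCS = {
    "sha256": ["B6360765c786ceee0eb28bee64709172b4e2e066449968e011390be1afd8f36c",   # Fog
               "3d2cbef9be0c48c61a18f0e1dc78501ddabfd7a7663b21c4fcc9c39d48708e91"],  # DOGE variant
    "ip": ["194.48.154.79"],  # Sliver C2 / open-directory host
    "url": ["hxxps://hilarious-trifle-d9182e.netlify[.]app/stage1[.]ps1"],
}
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def refang(value):
    """Undo the usual defanging (hxxp, [.]) so a published indicator compares to real log data."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def build_index(iocs):
    """Normalize every indicator once: hashes and URLs lower-cased, URLs refanged."""
    return {"sha256": {h.lower() for h in iocs["sha256"]},
            "ip": set(iocs["ip"]),
            "url": {refang(u).lower().rstrip("/") for u in iocs["url"]}}

def scan_line(line, index):
    """Return (type, value) pairs for every indexed indicator that appears in one log line."""
    hits = [("sha256", h.lower()) for h in HASH_RE.findall(line) if h.lower() in index["sha256"]]
    hits += [("ip", ip) for ip in IP_RE.findall(line) if ip in index["ip"]]
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)").lower().rstrip("/")  # drop punctuation that free text glues on
        if url in index["url"]:
            hits.append(("url", url))
    return hits

def scan_log(lines, iocs=FOG_IOCS):
    """Scan an iterable of log lines; returns [(line_no, ioc_type, value), ...] in line order."""
    index = build_index(iocs)
    return [(n, t, v) for n, line in enumerate(lines, 1) for t, v in scan_line(line, index)]

# Constructed sample events (not from the article): a proxy request, two EDR hashes, one firewall flow.
SAMPLE_LOG = [
    "2025-04-29T10:01:07Z proxy GET https://hilarious-trifle-d9182e.netlify.app/stage1.ps1 user=jdoe",
    "2025-04-29T10:01:09Z edr sha256=b6360765c786ceee0eb28bee64709172b4e2e066449968e011390be1afd8f36c",
    "2025-04-29T10:02:15Z fw ALLOW 10.0.5.22:51544 -> 194.48.154.79:80 proto=tcp",
    "2025-04-29T10:03:00Z edr sha256=" + "0" * 64 + " path=C:\\Windows\\notepad.exe",
]

if __name__ == "__main__":
    for line_no, ioc_type, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ioc_type} match -> {value}")
```

Hash comparison is case-insensitive because the article prints one hash with a capital letter while most tooling emits lowercase hex.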
Conclusion
The exposure of Fog’s toolkit underscores the group’s sophistication and reliance on publicly available exploits. With ransom demands averaging $220,000 (often in Monero), proactive defense measures are essential to mitigate risks posed by this evolving threat.
References
1. “Navigating Through the Fog,” The DFIR Report, Apr. 28, 2025.
2. “DOGE BIG BALLS Ransomware False Attribution,” Cyble, Apr. 2025.
3. “Dark Web Profile: Fog Ransomware,” SOCRadar, 2025.
4. “Fog Ransomware Concealed Within Binary Loaders,” Trend Micro, 2025.
5. “Lifting the Fog: Darktrace’s Investigation,” Darktrace, 2025.
6. “Fog’s DOGE-Themed Ransom Notes,” Dark Reading, 2025.
7. “Fog Ransomware Reveals Active Directory Exploitation,” GBHackers, 2025.