Navigating Through The Fog

April 28, 2025, 8:50 a.m.

Description

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Active Directory vulnerabilities. Persistence was maintained via AnyDesk, automated by a PowerShell script. Sliver C2 executables were used for command-and-control operations. The victims spanned multiple industries across Europe, North America, and South America, highlighting the affiliate's broad targeting scope. The toolkit included SonicWall Scanner, DonPAPI, Certipy, Zer0dump, and Pachine/noPac for various attack stages.

External References

https://thedfirreport.com/2025/04/28/navigating-through-the-fog
https://otx.alienvault.com/pulse/680f0738479d23f04a10d198
Tags
ransomware
anydesk
persistence
credential theft
CVE-2020-1472
CVE-2021-42278
CVE-2021-42287
sliver
lateral movement
vpn
fog ransomware
sonicwall
2025-04-28
active directory

Date

  • Created: April 28, 2025, 4:42 a.m.
  • Published: April 28, 2025, 4:42 a.m.
  • Modified: April 28, 2025, 8:50 a.m.

Indicators

  • 194.48.154.79
Download all indicators here!

Attack Patterns

  • Fog ransomware
  • Sliver
  • Fog ransomware group

Additional Informations

  • Retail
  • Technology
  • Transportation
  • Education
  • Greece
  • Italy
  • Brazil
  • United States of America

Linked vulnerabilities

CVE-2020-1472

None
Published:

CVE-2021-42278

None
Published:

CVE-2021-42287

None
Published: