• An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence.
• Initial access was gained using compromised SonicWall VPN credentials, while other offensive tools facilitated credential theft, exploitation of Active Directory vulnerabilities, and lateral movement.
• Persistence was maintained through AnyDesk, automated by a PowerShell script that preconfigured remote access credentials.
• Sliver C2 executables were hosted on the server for command-and-control operations, alongside Proxychains tunneling.
• The victims spanned multiple industries, including technology, education, and logistics, across Europe, North America, and South America, highlighting the affiliate’s broad targeting scope.

Resecurity identified bad actors offering a significant number of AnyDesk customer credentials for sale on the Dark Web.

AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.