- An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence.
- Initial access was gained using compromised SonicWall VPN credentials, while other offensive tools facilitated credential theft, exploitation of Active Directory vulnerabilities, and lateral movement.
- Persistence was maintained through AnyDesk, automated by a PowerShell script that preconfigured remote access credentials.
- Sliver C2 executables were hosted on the server for command-and-control operations, alongside Proxychains tunneling.
- The victims spanned multiple industries, including technology, education, and logistics, across Europe, North America, and South America, highlighting the affiliate’s broad targeting scope.
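The persistence bullet above describes the one mechanism the summary spells out: AnyDesk deployed unattended by a PowerShell script that set remote-access credentials ahead of time. The following detection heuristic is an added example written for this page, not code from the report or from the affiliate's directory. It scans constructed process-creation records (modelled loosely on Sysmon Event ID 1 fields) and flags AnyDesk being installed or given an unattended-access password from a scripting-host parent. The AnyDesk switch names (`--install`, `--silent`, `--set-password`, `--start-with-win`), the `ProcEvent` field names and the sample events are all assumptions; check the switches against the AnyDesk build present in your own environment before relying on them.

```python
"""Flag process-creation events that look like scripted AnyDesk persistence.

Added example, not from the report: an AnyDesk binary being installed or
handed an unattended-access password by a PowerShell/cmd parent is rare on
hosts where AnyDesk is not an approved remote-support tool, so it is a
cheap, high-signal hunt for the behaviour the summary describes.
"""
from dataclasses import dataclass

# Parents that indicate a script, not an interactive user, launched the tool.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# AnyDesk switches associated with silent install / unattended access.
# Assumed switch names: verify against the AnyDesk version in your estate.
SUSPICIOUS_SWITCHES = ("--install", "--silent", "--set-password", "--start-with-win")


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are assumptions)."""
    event_id: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_scripted_anydesk_persistence(ev: ProcEvent) -> bool:
    """True if AnyDesk is installed/configured from a scripting-host parent."""
    cmd = ev.command_line.lower()
    # AnyDesk may be the image itself, or appear inside a cmd.exe pipeline
    # such as `echo <pw> | AnyDesk.exe --set-password`.
    if "anydesk" not in basename(ev.image) and "anydesk" not in cmd:
        return False
    if basename(ev.parent_image) not in SCRIPT_HOSTS:
        return False
    return any(switch in cmd for switch in SUSPICIOUS_SWITCHES)


def flag_events(events: list[ProcEvent]) -> list[int]:
    """Return the event_ids of records matching the heuristic, in order."""
    return [ev.event_id for ev in events if is_scripted_anydesk_persistence(ev)]


# Constructed sample telemetry: 1 and 2 mimic scripted deployment; 3 is an
# interactive launch by a user; 4 is an unrelated silent installer.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Users\Public\AnyDesk.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Users\Public\AnyDesk.exe" --install "C:\ProgramData\AnyDesk" --start-with-win --silent'),
    ProcEvent(2, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'cmd.exe /c echo <redacted> | "C:\ProgramData\AnyDesk\AnyDesk.exe" --set-password'),
    ProcEvent(3, r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", r"C:\Windows\explorer.exe",
              r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'),
    ProcEvent(4, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"msiexec /i C:\Temp\app.msi /quiet"),
]

if __name__ == "__main__":
    for event_id in flag_events(SAMPLE_EVENTS):
        print(f"event {event_id}: scripted AnyDesk install/password set from a script host")
```

The check deliberately keys on the parent process and the configuration switches rather than on the AnyDesk binary alone, because AnyDesk itself is legitimate software in many organisations; tune `SCRIPT_HOSTS` to include whatever RMM or deployment agents your environment uses to install AnyDesk legitimately so those launches are excluded.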