FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
Summary:
Trend Micro researchers recently analyzed a new wave of FOG ransomware samples being distributed via phishing campaigns. A total of nine samples were uploaded to VirusTotal between March 27 and April 2, each embedded in a ZIP file named “Pay Adjustment.zip” containing a malicious LNK file disguised as a PDF. Once opened, this LNK file triggers a PowerShell script named stage1.ps1, initiating a multi-stage infection chain that downloads additional tools and further PowerShell scripts. These payloads not only launch the ransomware but also include political messaging, open themed YouTube videos, and contain text directly criticizing government institutions, a likely attempt to sow confusion or manipulate sentiment. The ransomware drops a note referencing the Department of Government Efficiency (DOGE), a real U.S. government initiative, possibly as trolling or to imply insider involvement. The ransom notes include instructions to propagate the malware across the network using embedded PowerShell commands.
The payload also includes scripts that perform host reconnaissance and data exfiltration. These scripts collect detailed system data, including IP addresses, MAC addresses, CPU specs, registry data, and geolocation obtained through the Wigle API, and send it to a remote Netlify-hosted domain. Another component, ktool[.]exe, exploits a known vulnerability in Intel’s Network Adapter Diagnostic Driver for privilege escalation by extracting the driver to %TEMP% and passing in a target PID and a hardcoded AES key. Additionally, a Monero wallet address is revealed via a QR code image, used for anonymous ransom payments. Prior to activation, the malware conducts sandbox evasion checks (processor count, RAM, and tick count) and exits if signs of analysis are detected.
Security Officer Comments:
Trend Micro’s analysis shows that all samples dropped a .flocked extension on encrypted files and a readme.txt ransom note, consistent with previous FOG ransomware campaigns. The binary payload is encrypted and embedded in the loader’s data section, decrypted during runtime using a hardcoded key. It also drops dbgLog.sys, which logs encryption-related events — another behavior observed in earlier variants of FOG. The threat actors behind these samples may either be the original FOG ransomware group or others who have repurposed its codebase and branding. Regardless, the campaign shows that FOG ransomware remains active, having claimed over 100 victims in the first quarter of 2025, with peak activity in February (53 victims). Victims span the technology, education, manufacturing, transportation, healthcare, retail, business services, and consumer services sectors.
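The behaviours listed in the summary and in the comments above (the “Pay Adjustment.zip” lure, an LNK masquerading as a PDF, PowerShell launching stage1.ps1, ktool.exe writing a driver into %TEMP%, the dbgLog.sys drop, and the .flocked extension with a readme.txt ransom note) map directly onto endpoint telemetry. The script below is an added example, not Trend Micro’s code: it runs simple detection rules over constructed, simplified Sysmon-style process and file events. The host name, user paths, PID, the `fog.exe` loader name and the `placeholder_netdiag.sys` driver name are placeholders, since the report excerpt does not give them.

```python
"""Detection rules for the FOG ransomware chain described in the summary above.

Added example (not Trend Micro's code). Walks simplified endpoint telemetry and
returns findings for the behaviours the report describes.
"""
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified Sysmon-style "key=value" format.
# Host, paths, PID, the loader name (fog.exe) and the driver file name are
# placeholders; the last two lines are benign activity to show no false positive.
SAMPLE_EVENTS = r"""
Type=File Host=WS01 Image=C:\Program Files\Mozilla Firefox\firefox.exe Target=C:\Users\jdoe\Downloads\Pay Adjustment.zip
Type=File Host=WS01 Image=C:\Windows\explorer.exe Target=C:\Users\jdoe\Downloads\Pay Adjustment\Pay Adjustment.pdf.lnk
Type=Process Host=WS01 Parent=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -w hidden -ep bypass -f stage1.ps1
Type=File Host=WS01 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Target=C:\Users\jdoe\AppData\Local\Temp\ktool.exe
Type=Process Host=WS01 Parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Image=C:\Users\jdoe\AppData\Local\Temp\ktool.exe CommandLine=ktool.exe 4712 PLACEHOLDER_AES_KEY
Type=File Host=WS01 Image=C:\Users\jdoe\AppData\Local\Temp\ktool.exe Target=C:\Users\jdoe\AppData\Local\Temp\placeholder_netdiag.sys
Type=File Host=WS01 Image=C:\Users\jdoe\AppData\Local\Temp\fog.exe Target=C:\Users\jdoe\AppData\Local\Temp\dbgLog.sys
Type=File Host=WS01 Image=C:\Users\jdoe\AppData\Local\Temp\fog.exe Target=C:\Users\jdoe\Documents\budget.xlsx.flocked
Type=File Host=WS01 Image=C:\Users\jdoe\AppData\Local\Temp\fog.exe Target=C:\Users\jdoe\Documents\contract.docx.flocked
Type=File Host=WS01 Image=C:\Users\jdoe\AppData\Local\Temp\fog.exe Target=C:\Users\jdoe\Documents\notes.txt.flocked
Type=File Host=WS01 Image=C:\Users\jdoe\AppData\Local\Temp\fog.exe Target=C:\Users\jdoe\Documents\readme.txt
Type=Process Host=WS01 Parent=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -f C:\Scripts\backup.ps1
Type=File Host=WS01 Image=C:\Windows\explorer.exe Target=C:\Users\jdoe\Desktop\Word.lnk
"""

# key=value pairs whose values may contain spaces (paths, command lines)
FIELD_RE = re.compile(r"([A-Za-z]+)=(.*?)(?=\s[A-Za-z]+=|$)")
LURE_ARCHIVE = "pay adjustment.zip"
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$")   # document.pdf.lnk style lures
TEMP_DIR_RE = re.compile(r"\\temp(\\|$)")                   # ...\AppData\Local\Temp
FLOCKED_THRESHOLD = 3  # .flocked files in one directory before we call it encryption


def parse_event(line):
    """Turn one key=value telemetry line into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def detect_fog_chain(lines, threshold=FLOCKED_THRESHOLD):
    """Return (severity, rule, detail) findings for the given telemetry lines."""
    findings = []
    flocked_per_dir = defaultdict(int)
    readme_dirs = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("Type") == "File":
            target = ev.get("Target", "")
            name, folder = basename(target), dirname(target)
            if name == LURE_ARCHIVE:
                findings.append(("medium", "fog_lure_archive", target))
            elif DOUBLE_EXT_LNK.search(name):
                findings.append(("high", "lnk_masquerading_as_document", target))
            elif name == "dbglog.sys":                      # FOG's encryption log file
                findings.append(("high", "fog_dbglog_dropped", target))
            elif name.endswith(".sys") and TEMP_DIR_RE.search(folder):
                findings.append(("high", "driver_written_to_temp", target))
            elif name.endswith(".flocked"):                # FOG's encrypted-file extension
                flocked_per_dir[folder] += 1
            elif name == "readme.txt":                     # FOG's ransom note name
                readme_dirs.add(folder)
        elif ev.get("Type") == "Process":
            image = basename(ev.get("Image", ""))
            parent = basename(ev.get("Parent", ""))
            cmdline = ev.get("CommandLine", "").lower()
            if image == "powershell.exe" and "stage1.ps1" in cmdline:
                # explorer.exe as parent is what an LNK double-click looks like
                sev = "high" if parent == "explorer.exe" else "medium"
                findings.append((sev, "stage1_powershell_launch", cmdline))
            elif image == "ktool.exe":
                findings.append(("high", "ktool_privilege_escalation_tool", cmdline))
    # Mass renaming to .flocked with the ransom note beside it is the strongest
    # signal that encryption has already started on this host.
    for folder, count in flocked_per_dir.items():
        if count >= threshold:
            detail = f"{count} .flocked files in {folder}"
            if folder in readme_dirs:
                findings.append(("critical", "fog_encryption_with_ransom_note", detail))
            else:
                findings.append(("high", "mass_flocked_rename", detail))
    return findings


def severity_score(findings):
    """Crude triage score: medium=1, high=3, critical=5."""
    weights = {"medium": 1, "high": 3, "critical": 5}
    return sum(weights[sev] for sev, _, _ in findings)


if __name__ == "__main__":
    found = detect_fog_chain(SAMPLE_EVENTS.splitlines())
    for sev, rule, detail in found:
        print(f"[{sev:8}] {rule}: {detail}")
    print("score:", severity_score(found))
```

The early-stage rules (lure archive, double-extension LNK, stage1.ps1 under explorer.exe) are the ones worth alerting on, because by the time `.flocked` files and `readme.txt` appear the encryptor is already running; the per-directory threshold keeps a single stray `.flocked` file or an unrelated readme.txt from firing the critical rule on its own.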
Suggested Corrections:
- Maintain up-to-date, secure backups of all critical data. Regularly test restoration processes to ensure data can be recovered quickly in the event of an attack.
- Implement network segmentation to limit the spread of ransomware across your organization. By isolating sensitive data and critical systems, you can prevent widespread damage.
- Regularly update and patch operating systems and application software to close vulnerabilities that attackers could exploit.
- Conduct regular training sessions for employees to recognize phishing attempts and suspicious links.
Link(s):
https://www.trendmicro.com/en_us/re...-within-binary-loaders-linking-themselve.html