A recently uncovered open directory, attributed to a suspected affiliate of the Fog ransomware group, has revealed a sophisticated arsenal of tools and scripts meticulously engineered for the compromise and exploitation of Active Directory environments.
The discovery, made public in December 2024 by the DFIR Report’s Threat Intel Group, illuminates the operational infrastructure underlying current ransomware campaigns and highlights the group’s persistent targeting of enterprises across technology, education, and logistics sectors globally.
The directory, located on a public-facing server (194.48.154.79:80), was first identified through open-source intelligence and confirmed to host extensive exploitation toolkits.
Initial access was determined to involve the use of compromised SonicWall VPN credentials.

The attackers automated this access using a bespoke Python-based SonicWall Scanner, which parsed credential sets and interfaced with SonicWall appliances via command-line utilities, then leveraged Nmap for subsequent network reconnaissance.
Active Directory and Credential Exploitation
Once inside, attackers deployed a suite of tools specifically targeting Active Directory weaknesses.
DonPAPI and Impacket’s dpapi.py facilitated the extraction of credentials secured by the Data Protection API (DPAPI), including browser tokens, certificates, and Credential Manager secrets, from compromised hosts.
For privilege escalation, Zer0dump was employed to exploit the notorious Zerologon (CVE-2020-1472) vulnerability, granting attackers the means to elevate permissions to Domain Admin.
Further, privilege escalation and lateral movement were supported by tools such as Pachine and noPac, leveraging Active Directory vulnerabilities CVE-2021-42278 and CVE-2021-42287 to impersonate high-privilege accounts.
Certipy was utilized to enumerate and exploit vulnerable Active Directory Certificate Services (AD CS) templates, allowing for the forging of authentication certificates used in further attacks.
Persistence was maintained via the deployment of AnyDesk, a legitimate remote access tool, automated through a PowerShell script (“any.ps1”) that silently installed AnyDesk and configured hardcoded credentials.
The presence of Sliver C2 binaries, including sliver-client and server versions, confirmed the use of advanced command-and-control frameworks, also referenced within the ThreatFox database.
Proxychains and Powercat scripts were employed to tunnel traffic and execute post-exploitation payloads, minimizing the forensic footprint.
Evidence within the directory pointed to multiple victims spanning Italy, Greece, Brazil, and the United States, with a concentration in technology, educational, and logistics verticals.
Notably, data relating to compromised organizations was aligned with subsequent disclosures on the Fog ransomware group’s Dedicated Leak Site, corroborating the affiliate’s role.
Further, analysis of domain artifacts and bash history files confirmed successful intrusions into internal enterprise environments.

According to the report, the exposure of this directory presents a rare window into the operational toolset of a modern ransomware affiliate.
The combination of credential theft, privilege escalation, lateral movement, and persistence mechanisms underscores the necessity for enterprises to maintain robust patching and credential hygiene, monitor for abuse of legitimate remote management tools, and implement vigilant network detection for C2 activity.
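To make the monitoring recommendation concrete, the following triage script is an added example (not code from the DFIR Report or the affiliate's directory). It runs two host-log checks over constructed sample records: a Zerologon-style anonymous reset of a domain controller machine account (Event ID 4742) and an AnyDesk process launched by a scripting host with unattended-install switches, mirroring the “any.ps1” deployment. The AnyDesk switch names are an assumption drawn from AnyDesk's documented command line and should be tuned to your own telemetry.

```python
"""Triage detections for two techniques in the Fog affiliate toolset:
Zerologon-style DC machine-account resets and scripted silent AnyDesk installs.
Every record in EVENTS is a constructed sample, not a log from the incident."""

# Constructed sample records in a simplified, Windows-event-like shape.
EVENTS = [
    {"id": 4742, "subject": "ANONYMOUS LOGON", "target": "DC01$", "host": "DC01"},
    {"id": 4742, "subject": "svc_adjoin", "target": "WS12$", "host": "DC01"},
    {"id": 4688, "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent --start-with-win",
     "host": "WS12"},
    {"id": 4688, "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "AnyDesk.exe", "host": "WS07"},
]

# Assumption: AnyDesk's documented unattended-install switches; adjust for your environment.
SILENT_FLAGS = ("--silent", "--install", "--set-password", "--start-with-win")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe")


def zerologon_indicator(ev):
    """Event 4742 (computer account changed) raised by an anonymous subject
    against a machine account is the on-host symptom of CVE-2020-1472 abuse."""
    return (ev.get("id") == 4742
            and ev.get("subject", "").upper() == "ANONYMOUS LOGON"
            and ev.get("target", "").endswith("$"))


def scripted_anydesk_install(ev):
    """AnyDesk spawned by a scripting host with unattended flags matches the
    'any.ps1' style deployment; an interactive launch from explorer.exe does not."""
    if ev.get("id") != 4688 or "anydesk" not in ev.get("image", "").lower():
        return False
    parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "").lower()
    return parent in SCRIPT_HOSTS and any(flag in cmd for flag in SILENT_FLAGS)


def triage(events):
    """Return (rule_name, host) pairs for every event that fires a rule."""
    hits = []
    for ev in events:
        if zerologon_indicator(ev):
            hits.append(("possible_zerologon_reset", ev["host"]))
        if scripted_anydesk_install(ev):
            hits.append(("scripted_anydesk_install", ev["host"]))
    return hits


if __name__ == "__main__":
    for rule, host in triage(EVENTS):
        print(f"[{rule}] {host}")
```

In production the same checks map onto a SIEM query keyed on Event ID 4742 with an anonymous subject and on process-creation telemetry for remote-access tools; the in-memory records here only stand in for that feed.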
Security researchers continue to collaborate on mapping emerging ransomware infrastructures, with this incident serving as a testament to the evolving technical sophistication in attacker playbooks.
Additional information on the Fog ransomware group’s methods is available from threat intelligence organizations including Arctic Wolf and SentinelOne.