
Navigating Through The Fog

ID: c009e819-9ea6-548f-b0d2-c61f5fc8cbf1

STIX ID: report--c009e819-9ea6-548f-b0d2-c61f5fc8cbf1

Feed Name: The DFIR Report

Threat Score
75/100

Date Published: 2025-04-28

Date Updated: 2026-04-19

Author: editor

...
...

In December 2024, The DFIR Report’s Threat Intel Group identified an exposed web directory (194.48.154.79:80) containing tools and artifacts used by a ransomware affiliate likely tied to the Fog group. The directory hosted C2 components (Sliver); credential-stealing and Active Directory exploitation tools (DonPAPI, Certipy, Zer0dump, Pachine/noPac); a SonicWall VPN scanner with potentially compromised credentials; AnyDesk persistence automation; and victim data spanning multiple industries and countries. Together these indicate an active, organized ransomware campaign leveraging credential theft, AD exploitation, lateral movement, and C2 infrastructure.
