FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

    Date: 04/21/2025

    Severity: High

    Summary

    FOG ransomware is being spread by cybercriminals claiming ties to the Department of Government Efficiency (DOGE). Nine samples using the ".flocked" extension were found; their ransom notes urge further spread of the malware and reference DOGE and an FBI-related incident. The active ransomware group has claimed 100 victims since January 2025, mainly targeting the tech, education, manufacturing, and transportation sectors. Some campaigns may be the work of impersonators using FOG ransomware to mimic the original operators.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://hilarious-trifle-d9182e.netlify.app/qrcode.png

    https://hilarious-trifle-d9182e.netlify.app/ktool.exe

    https://hilarious-trifle-d9182e.netlify.app/trackerjacker.ps1

    https://hilarious-trifle-d9182e.netlify.app/lootsubmit.ps1

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "https://hilarious-trifle-d9182e.netlify.app/qrcode.png"
      or siteurl like "https://hilarious-trifle-d9182e.netlify.app/qrcode.png"
      or url like "https://hilarious-trifle-d9182e.netlify.app/qrcode.png"
      or domainname like "https://hilarious-trifle-d9182e.netlify.app/ktool.exe"
      or siteurl like "https://hilarious-trifle-d9182e.netlify.app/ktool.exe"
      or url like "https://hilarious-trifle-d9182e.netlify.app/ktool.exe"
      or domainname like "https://hilarious-trifle-d9182e.netlify.app/trackerjacker.ps1"
      or siteurl like "https://hilarious-trifle-d9182e.netlify.app/trackerjacker.ps1"
      or url like "https://hilarious-trifle-d9182e.netlify.app/trackerjacker.ps1"
      or domainname like "https://hilarious-trifle-d9182e.netlify.app/lootsubmit.ps1"
      or siteurl like "https://hilarious-trifle-d9182e.netlify.app/lootsubmit.ps1"
      or url like "https://hilarious-trifle-d9182e.netlify.app/lootsubmit.ps1"

    Detection Query 2

    sha256hash IN (
      "dec35a94e4986765aa69635d02f09f58bfc8756b8fd5e1e9183b26eef0118667",
      "100cbf5578cfd03950c8606c6131a85635a8278696d3d64ecb629fa09af449e9",
      "dc5370e1ab5b26ff04b9e34c6dbb37cf6c600b7ac9a394fd519b547b37a6d2d5",
      "3d2cbef9be0c48c61a18f0e1dc78501ddabfd7a7663b21c4fcc9c39d48708e91",
      "44b7eebf7a26d466f9c7ad4ddb058503f7066aded180ab6d5162197c47780293",
      "8e209e4f7f10ca6def27eabf31ecc0dbb809643feaecb8e52c2f194daa0511aa"
    )
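    The two queries above are written for Gurucul's TDIR platform. As an added example (not Gurucul's or Trend Micro's code), the following Python applies the same indicators to constructed sample events, so the logic can be checked offline before it is deployed. It goes slightly beyond the exact-URL query by also flagging any contact with the hosting domain, and adds a check for the ".flocked" extension named in the summary; the event field names, the host-level match and the `filename` field are assumptions.

```python
from urllib.parse import urlparse

# Indicators as listed in the advisory above.
IOC_URLS = {
    "https://hilarious-trifle-d9182e.netlify.app/qrcode.png",
    "https://hilarious-trifle-d9182e.netlify.app/ktool.exe",
    "https://hilarious-trifle-d9182e.netlify.app/trackerjacker.ps1",
    "https://hilarious-trifle-d9182e.netlify.app/lootsubmit.ps1",
}
IOC_SHA256 = {
    "dec35a94e4986765aa69635d02f09f58bfc8756b8fd5e1e9183b26eef0118667",
    "100cbf5578cfd03950c8606c6131a85635a8278696d3d64ecb629fa09af449e9",
    "dc5370e1ab5b26ff04b9e34c6dbb37cf6c600b7ac9a394fd519b547b37a6d2d5",
    "3d2cbef9be0c48c61a18f0e1dc78501ddabfd7a7663b21c4fcc9c39d48708e91",
    "44b7eebf7a26d466f9c7ad4ddb058503f7066aded180ab6d5162197c47780293",
    "8e209e4f7f10ca6def27eabf31ecc0dbb809643feaecb8e52c2f194daa0511aa",
}
# Hosts derived from the IOC URLs (assumption): a hit on the hosting domain alone is surfaced too.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}
RANSOM_EXT = ".flocked"  # extension of the samples described in the summary
URL_FIELDS = ("domainname", "siteurl", "url")  # fields used by Detection Query 1


def match_event(event):
    """Return the list of indicator hits for one event (empty if clean)."""
    hits = []
    for field in URL_FIELDS:
        value = event.get(field) or ""
        if value in IOC_URLS:
            hits.append(f"{field}: exact IOC URL")
        elif value and (urlparse(value).hostname or value) in IOC_HOSTS:
            hits.append(f"{field}: IOC host")
    if (event.get("sha256hash") or "").lower() in IOC_SHA256:  # casing varies by log source
        hits.append("sha256hash: known FOG sample")
    if (event.get("filename") or "").lower().endswith(RANSOM_EXT):
        hits.append("filename: encrypted-file extension")
    return hits


def scan(events):
    """Return (event index, hits) for every event with at least one hit."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"url": "https://hilarious-trifle-d9182e.netlify.app/ktool.exe"},
    {"domainname": "hilarious-trifle-d9182e.netlify.app"},
    {"sha256hash": "DEC35A94E4986765AA69635D02F09F58BFC8756B8FD5E1E9183B26EEF0118667"},
    {"filename": "report.docx.flocked"},
    {"url": "https://example.com/index.html", "sha256hash": "00" * 32},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four constructed events and leaves the clean fifth one untouched.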

    Reference:

    https://www.trendmicro.com/en_us/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html


    Tags

    Malware, Ransomware, FOG, DOGE, Education, Transportation Systems, Critical Manufacturing, Information Technology, Government Services and Facilities
