This week’s TL;DR features two stories, both revolving around recent attacks: one on FOG ransomware impersonating DOGE, and another on Lotus Panda targeting government bodies and large private organizations in Southeast Asia.
FOG Hackers troll with DOGE
A new campaign by the FOG ransomware group has been discovered. The group is mainly known for targeting sectors such as technology, manufacturing, education, and transportation. Since January 2025, Fog has reportedly compromised over 100 victims, with a significant spike in February.
In this latest campaign, Fog departs from its previous methods of exploiting VPN credentials. Instead, it employs phishing emails containing a malicious ZIP file labeled “Pay Adjustment.zip.” Inside is a deceptive LNK file that, when executed, initiates a series of PowerShell scripts. These scripts download the ransomware payload and perform various functions, including system reconnaissance and lateral movement.
A distinctive feature of this campaign is the DOGE-themed ransom note, referencing Elon Musk’s Department of Government Efficiency (DOGE). The note mockingly offers victims a free decryption key if they agree to distribute the malware to others.
Further analysis reveals that the attackers collect extensive system and network information, including hardware IDs and network configurations. They also employ advanced geolocation techniques by querying the Wigle.net API using the victim’s router MAC address, allowing for precise physical location tracking.
FOG ransomware – TL;DR
The Fog ransomware group has launched a phishing campaign using fake “Pay Adjustment” ZIP files to deploy malware and display DOGE-themed ransom notes mocking victims. The notes reference Elon Musk’s fictional Department of Government Efficiency and offer a decryptor in exchange for spreading the ransomware. Active since January 2025, Fog has hit over 100 targets across multiple sectors, using advanced geolocation via router MAC addresses to track victims.
Lotus Panda hacks multiple government organizations in SE Asia
The Chinese cyber espionage group known as Lotus Panda was linked to a campaign targeting multiple organizations in Southeast Asia. Affected entities include a government ministry, air traffic control organizations, telecommunications, and construction companies within an unnamed Southeast Asian country. Additionally, a news agency in another Southeast Asian nation and an air freight organization in a neighboring country were also compromised.
Symantec’s Threat Hunter Team reports that the attackers used custom tools, including loaders, credential stealers, and a reverse SSH utility. Notably, legitimate executables from Trend Micro (“tmdbglog.exe”) and Bitdefender (“bds.exe”) were exploited to sideload malicious DLLs.
The campaign also utilized an updated Sagerunex backdoor, exclusive to Lotus Panda, designed to collect and exfiltrate host information. Credential theft tools like ChromeKatz and CredentialKatz were deployed to extract passwords and cookies from Google Chrome. Furthermore, they used the Zrok peer-to-peer tool to facilitate access to internal services and employed “datechanger.exe” to alter file timestamps to hinder forensic analysis.
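As an added, defender-side illustration (not code from this post or from Symantec), the Python below sketches detection logic for two behaviours described in these stories: a Trend Micro or Bitdefender binary loading a DLL from outside its vendor directory (the sideloading above), and PowerShell launched from Explorer with window-hiding or policy-bypass switches (the LNK-driven chain in the Fog story). The vendor install paths, the switch list and the Sysmon-style sample events are assumptions constructed for the example.

```python
from pathlib import PureWindowsPath

# Vendor install roots where the two signed binaries named in the report should load their
# DLLs from. The paths are assumptions for this example, not values from the Symantec write-up.
SIDELOAD_TARGETS = {"tmdbglog.exe": r"C:\Program Files\Trend Micro",
                    "bds.exe": r"C:\Program Files\Bitdefender"}
# PowerShell switches commonly present when an LNK stager runs a script without a visible window.
SUSPICIOUS_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                       "-executionpolicy bypass", "-encodedcommand", "-enc ")

def _parts(path):
    """Case-folded path components (NTFS paths are case-insensitive)."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def flag_sideload(ev):
    """Sysmon EventID 7: a known-abused signed binary loading a DLL outside its vendor directory."""
    image = _parts(ev["Image"])[-1]
    root = SIDELOAD_TARGETS.get(image)
    if root is None or not ev["ImageLoaded"].lower().endswith(".dll"):
        return None
    root_parts = _parts(root)
    if _parts(ev["ImageLoaded"])[:len(root_parts)] == root_parts:
        return None  # loaded from the expected install tree
    return f"possible DLL sideload: {image} loaded {ev['ImageLoaded']}"

def flag_lnk_powershell(ev):
    """Sysmon EventID 1: PowerShell spawned by Explorer with hide/bypass switches, as a clicked LNK does."""
    image, parent = _parts(ev["Image"])[-1], _parts(ev["ParentImage"])[-1]
    if image not in ("powershell.exe", "pwsh.exe") or parent != "explorer.exe":
        return None
    hits = [f.strip() for f in SUSPICIOUS_PS_FLAGS if f in ev["CommandLine"].lower()]
    return f"PowerShell from Explorer with {hits}: {ev['CommandLine']}" if hits else None

def scan(events):
    """Return an alert string for every event matching either pattern."""
    checks = {7: flag_sideload, 1: flag_lnk_powershell}
    return [a for ev in events if (a := checks[ev["EventID"]](ev))]

# Constructed sample events (not real telemetry): one benign and one suspicious of each type.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Trend Micro\tmdbglog.exe",
     "ImageLoaded": r"C:\Program Files\Trend Micro\tmdglog.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\bds.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\log.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "<constructed stager command>"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the sideloaded `log.dll` next to `bds.exe` and the hidden, policy-bypassing PowerShell launch; the loads and launches from expected locations stay silent.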
This appears to be related to attacks in December targeting sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. Active since 2009, Lotus Panda has a history of targeting governmental and military organizations in Southeast Asia, employing tactics such as spear-phishing and exploiting software vulnerabilities to deploy backdoors such as Elise and Emissary.
Lotus Panda attacks – TL;DR
Lotus Panda, a Chinese cyber-espionage group, targeted Southeast Asian organizations using legitimate software to hide malware that stole data and login credentials. The campaign, active from August 2024 to February 2025, focused on government and critical infrastructure, continuing previous surveillance efforts in the region.
Conclusion
These stories showcase the growing boldness of cyber attackers, both mocking and targeting high-profile institutions, and hammer home the point that very few are invulnerable to attacks such as these. Endpoints are one of the most vulnerable points in the IT security stack; ThinScale specializes in making them the strongest link in the chain. Get in touch now to learn more about how we can secure your environment.