Threat Actor Profile
High
Cybercriminal
Description
Fog, which uses the .flocked extension for encrypted files, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. By June, Storm-0844 was deploying Fog more than Akira.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Fog, which uses the .flocked extension for encrypted files, '
'was first observed in May in campaigns by Storm-0844, a '
'threat actor known for distributing Akira. By June, '
'Storm-0844 was deploying Fog more than Akira.',
'firstseen': '2021-12-20T00:00:00+00:00',
'group': 'fog',
'has_negotiations': True,
'has_ransomnote': True,
'lastseen': '2025-03-20T00:00:00+00:00',
'locations': [{'available': False,
'fqdn': 'xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion',
'slug': 'http://xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion/',
'title': '500 Internal Server Error',
'type': 'DLS'},
{'available': False,
'fqdn': 'xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd.onion',
'slug': 'http://xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd.onion/posts',
'title': 'Blog',
'type': 'DLS'}],
'negotiation_count': 6,
'ransomnotes_count': 2,
'tiaras_metadata': {'has_negotiations': True,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion',
'slug': 'http://xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion/',
'title': '500 Internal Server Error',
'type': 'DLS'},
{'available': False,
'fqdn': 'xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd.onion',
'slug': 'http://xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd.onion/posts',
'title': 'Blog',
'type': 'DLS'}],
'negotiation_count': 6,
'ransomnotes_count': 2,
'ransomware_live_group': 'fog',
'tools': {'CredentialTheft': ['DonPAPI',
'Veeam-Get-Creds'],
'DefenseEvasion': [],
'DiscoveryEnum': ['Advanced Port Scanner',
'SharpShares',
'SoftPerfect NetScan'],
'Exfiltration': [],
'LOLBAS': ['PsExec'],
'Networking': ['Powercat', 'Proxychains'],
'Offsec': ['Certipy',
'Impacket',
'Metasploit',
'NetExec',
'Orpheus',
'Sliver',
'Zer0dump'],
'RMM-Tools': ['AnyDesk']},
'url': 'https://www.ransomware.live/group/fog',
'victims': 189,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['DonPAPI', 'Veeam-Get-Creds'],
'DefenseEvasion': [],
'DiscoveryEnum': ['Advanced Port Scanner',
'SharpShares',
'SoftPerfect NetScan'],
'Exfiltration': [],
'LOLBAS': ['PsExec'],
'Networking': ['Powercat', 'Proxychains'],
'Offsec': ['Certipy',
'Impacket',
'Metasploit',
'NetExec',
'Orpheus',
'Sliver',
'Zer0dump'],
'RMM-Tools': ['AnyDesk']},
'ttps': [],
'url': 'https://www.ransomware.live/group/fog',
'victims': 189,
'vulnerabilities': []}