A financial institution in Asia was targeted by Fog ransomware in May 2025, using an atypical toolset including legitimate employee monitoring software and open-source pentesting tools. The attackers deployed Syteca, GC2, Adaptix, and Stowaway, which are uncommon in ransomware attacks. They remained on the network for two weeks before deploying the ransomware and unusually established persistence afterward. The attack involved lateral movement, data theft, and attempts to delete evidence. The use of these tools and the persistence suggest possible espionage motives alongside the ransomware deployment. This incident highlights the importance of guarding against such sophisticated and unusual attack methodologies.