Cybersecurity researchers discovered a complex new ransomware campaign in which cybercriminals spread Fog ransomware by claiming affiliation with the Department of Government Efficiency (DOGE), a new US government initiative. The malware is delivered by phishing emails with weaponized attachments designed to appear legitimate to unsuspecting users.
 

What’s Notable and Unique

• Threat actors transmit a ZIP file named “Pay Adjustment.zip” containing a malicious LNK file masquerading as a PDF document. When clicked, the file initiates a complex infection chain that leads to data encryption and, ultimately, ransom demands.

 

• The campaign was discovered through analysis of nine samples uploaded to VirusTotal between March 27th and April 2nd, 2025. It demonstrates a concerning rise in ransomware tactics that combine sophisticated technical skills with political references. Victims of this campaign come from a wide range of industries, including technology, education, manufacturing, transportation, business services, healthcare, retail, and consumer services.

 

Analyst Comments

Fog ransomware’s most recent campaign using the DOGE name indicates a commitment to continuing operations and some level of understanding of US culture. Currently, it is not known if this campaign is targeted towards US government personnel, but Arete assesses that the campaign would have a higher rate of success and impact if it proves to be a targeted campaign. Arete will continue monitoring this campaign and other Fog ransomware activity.
 

Sources

• FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
• 
  ‘Fog’ Hackers Troll Victims With DOGE Ransom Notes