Mirrors/cert-orangecyberdefense-cti
1
0
Fork 0
mirror of https://github.com/cert-orangecyberdefense/cti synced 2026-06-08 14:45:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

readme

Browse Source
This commit is contained in:
CERT Orange Cyberdefense
2026-05-05 12:37:05 +02:00
committed by GitHub
parent 3a8b342b3a
commit de7855d2b8
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
smokedham/20260412_smokedham.md
+17
View File
@@ -0,0 +1,17 @@
In early 2026, Orange Cyberdefense responded to several incidents delivering the SmokedHam backdoor.
In at least one case, the infection chain resulted in the deployment of the Qilin ransomware.
We attribute with moderate confidence these activities to the Russian-speaking ransomware affiliate UNC2465, historically associated with DarkSide, LockBit and Hunters International distribution.
By pivoting on the infrastructure, we identified multiple malicious malvertising domains responsible for delivering SmokedHam typically masqueraded as legitimate utilities like RVTools.
We identified a relatively high number of SmokedHam variants, with different delivery and persistence techniques, indicating a prolific threat actor iterating on tooling.
We believe this threat actor to be increasingly targeting European organizations since early 2026.
Read the full report (PDF): https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf
IoCs: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs
Note: The analysis cut-off date for this report was April 8, 2026.
Authors: Alexis Bonnefoi, Marine Pichon, and Thomas Brossard