From de7855d2b861d80a353e2a76df2def375eadd001 Mon Sep 17 00:00:00 2001 From: CERT Orange Cyberdefense <5493049+cert-orangecyberdefense@users.noreply.github.com> Date: Tue, 5 May 2026 12:37:05 +0200 Subject: [PATCH] readme --- smokedham/20260412_smokedham.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 smokedham/20260412_smokedham.md diff --git a/smokedham/20260412_smokedham.md b/smokedham/20260412_smokedham.md new file mode 100644 index 0000000..7ef69e2 --- /dev/null +++ b/smokedham/20260412_smokedham.md @@ -0,0 +1,17 @@ + +In early 2026, Orange Cyberdefense responded to several incidents delivering the SmokedHam backdoor. + +In at least one case, the infection chain resulted in the deployment of the Qilin ransomware. +We attribute with moderate confidence these activities to the Russian-speaking ransomware affiliate UNC2465, historically associated with DarkSide, LockBit and Hunters International distribution. + +By pivoting on the infrastructure, we identified multiple malicious malvertising domains responsible for delivering SmokedHam typically masqueraded as legitimate utilities like RVTools. + +We identified a relatively high number of SmokedHam variants, with different delivery and persistence techniques, indicating a prolific threat actor iterating on tooling. +We believe this threat actor to be increasingly targeting European organizations since early 2026. + +Read the full report (PDF): https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf + +IoCs: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs + +Note: The analysis cut-off date for this report was April 8, 2026. +Authors: Alexis Bonnefoi, Marine Pichon, and Thomas Brossard \ No newline at end of file
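Review bot: the new file opens with an empty line (the first `+` line of the hunk is blank) and ends without a trailing newline (`\ No newline at end of file` after the Authors line); drop the leading blank line and terminate the file with a newline so the next edit to it diffs cleanly. The commit subject "readme" is also uninformative for a file that is not a README; a subject such as "smokedham: add 2026-04-12 report summary" would describe the change.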