mirror of
https://github.com/cert-orangecyberdefense/cti
synced 2026-06-08 14:45:26 +00:00
readme
committed by
GitHub
parent
3a8b342b3a
commit
de7855d2b8
@@ -0,0 +1,17 @@
In early 2026, Orange Cyberdefense responded to several incidents delivering the SmokedHam backdoor.
In at least one case, the infection chain resulted in the deployment of the Qilin ransomware.
We attribute with moderate confidence these activities to the Russian-speaking ransomware affiliate UNC2465, historically associated with DarkSide, LockBit and Hunters International distribution.
By pivoting on the infrastructure, we identified multiple malicious malvertising domains responsible for delivering SmokedHam typically masqueraded as legitimate utilities like RVTools.
We identified a relatively high number of SmokedHam variants, with different delivery and persistence techniques, indicating a prolific threat actor iterating on tooling.
We believe this threat actor to be increasingly targeting European organizations since early 2026.
Read the full report (PDF): https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf
IoCs: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs
Note: The analysis cut-off date for this report was April 8, 2026.
Authors: Alexis Bonnefoi, Marine Pichon, and Thomas Brossard
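Review bot: Two wording points in this README hunk and one structural one. "We attribute with moderate confidence these activities to..." reads more naturally as "We attribute these activities with moderate confidence to...", and "malvertising domains responsible for delivering SmokedHam typically masqueraded as legitimate utilities like RVTools" currently says the domains were masqueraded; since it is the delivered payload that poses as RVTools, "typically masquerading as" (or "delivering SmokedHam, typically masquerading as a legitimate utility such as RVTools") would be clearer. Structurally, the file opens directly with body text and has no title line; a one-line heading naming the report (e.g. the "Smoking out an affiliate" title implied by the PDF filename) and a short note on the format of the files under smokedham/iocs would help readers landing on this README from the repository root.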