CERT Orange Cyberdefense de7855d2b8 readme
2026-05-05 12:37:05 +02:00


In early 2026, Orange Cyberdefense responded to several incidents delivering the SmokedHam backdoor.

In at least one case, the infection chain resulted in the deployment of the Qilin ransomware. We attribute these activities with moderate confidence to the Russian-speaking ransomware affiliate UNC2465, historically associated with the distribution of DarkSide, LockBit and Hunters International ransomware.

By pivoting on the infrastructure, we identified multiple malvertising domains responsible for delivering SmokedHam; the delivered payloads were typically masqueraded as legitimate utilities such as RVTools.

We identified a relatively high number of SmokedHam variants, with different delivery and persistence techniques, indicating a prolific threat actor iterating on its tooling. We believe this threat actor has been increasingly targeting European organizations since early 2026.

Read the full report (PDF): https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf

IoCs: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs

Note: The analysis cut-off date for this report was April 8, 2026.

Authors: Alexis Bonnefoi, Marine Pichon, and Thomas Brossard