mirror of
https://github.com/cert-orangecyberdefense/cti
synced 2026-06-08 14:45:26 +00:00
17 lines
1.2 KiB
Markdown
In early 2026, Orange Cyberdefense responded to several incidents delivering the SmokedHam backdoor.

In at least one case, the infection chain resulted in the deployment of the Qilin ransomware.

We attribute these activities with moderate confidence to the Russian-speaking ransomware affiliate UNC2465, historically associated with DarkSide, LockBit and Hunters International distribution.

By pivoting on the infrastructure, we identified multiple malicious malvertising domains responsible for delivering SmokedHam, typically masquerading as legitimate utilities like RVTools.

We identified a relatively high number of SmokedHam variants, with different delivery and persistence techniques, indicating a prolific threat actor iterating on its tooling.

We believe this threat actor has been increasingly targeting European organizations since early 2026.

Read the full report (PDF): https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf

IoCs: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs

Note: The analysis cut-off date for this report was April 8, 2026.

Authors: Alexis Bonnefoi, Marine Pichon, and Thomas Brossard