{
	"id": "d95ce89c-a541-468e-b5cf-d502d3510d92",
	"created_at": "2026-05-06T02:02:30.19947Z",
	"updated_at": "2026-05-06T02:03:52.692636Z",
	"deleted_at": null,
	"sha1_hash": "151dc0a02c21288bbb1bc0ed38dba74591f65c4b",
	"title": "Smoking Out an Affiliate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2026-04-13T10:09:23Z",
	"file_modification_date": "2026-04-13T10:09:23Z",
	"file_size": 1450382,
	"plain_text": "Smoking Out\r\nan Affiliate:\r\nSmokedHam, Qilin, a few\r\nGoogle ads and some\r\nbossware\r\n \r\n \r\n \r\n \r\n8th April, 2026\r\nAlexis Bonnefoi\r\nMarine Pichon\r\nThomas Brossard\r\n \r\n \r\nTLP:CLEAR\n\nSmoking Out an Affiliate 2\r\n \r\nIndex\r\n1 Introduction .......................................................................................................... 3\r\n2 Infection chain ..................................................................................................... 4\r\n2.1 Initial compromise .............................................................................................................. 4\r\n2.2 Post-compromise activities ..................................................................................................... 4\r\n2.3 Data exfiltration and Qilin deployment .................................................................................... 5\r\n3 Technical analysis of SmokedHam .................................................................... 6\r\n3.1 Comparison between SmokedHam and GitHub’s ThunderShell builder ................................ 6\r\n3.2 Persistence mechanisms ........................................................................................................ 6\r\n3.3 Payload delivery and reconstruction ....................................................................................... 7\r\n3.4 C2 communications ................................................................................................................ 8\r\n3.5 Malware evolution ................................................................................................................... 9\r\n3.5.1 Persistence variations and anti-sandbox features ............................................... 12\r\n3.5.2 Installer execution chain variations ...................................................................... 
12\r\n3.5.3 SmokedHam features variations .......................................................................... 14\r\n3.5.4 Cacciatore: an alternate python backdoor ........................................................... 15\r\n3.6 Code-signing certificates ...................................................................................................... 16\r\n4 Infrastructure analysis ...................................................................................... 18\r\n4.1 SmokedHam delivery infrastructure ...................................................................................... 18\r\n4.2 SmokedHam C2 infrastructure ............................................................................................. 19\r\n5 Attribution .......................................................................................................... 20\r\n6 Conclusion ......................................................................................................... 22\r\n7 Hunting recommendations ............................................................................... 23\r\n8 Sources .............................................................................................................. 24\n\nSmoking Out an Affiliate 3\r\n \r\n1 Introduction\r\nBetween early February and early April 2026, Orange Cyberdefense CERT was involved in\r\nseparate malvertising incidents affecting three European clients. All three infection chains\r\nobserved by our analysts revealed the use of the SmokedHam backdoor, delivered through\r\nmalvertising and masquerading as common utility installers for RVTools or Remote Desktop\r\nManager (RDM).\r\nIn one particular incident, the SmokedHam infection led to the deployment of Qilin\r\nransomware. 
This case also featured:\r\n• The use of two employee monitoring solutions to further blend malicious actions into\r\nlegitimate activity, as well as legitimate tools and utilities like the PuTTY and Kitty SSH\r\nclients, Zoho Assist RMM, and Total Commander.\r\n• The use of Cloudflare Workers for domain fronting.\r\n• The use of standard AWS infrastructure endpoints.\r\nThe following report delves into the execution chain, malware analysis, and broader\r\ninfrastructure and adversarial observations. Most notably, we found several overlaps with the\r\nTactics, Techniques and Procedures (TTPs) of UNC2465, a known ransomware affiliate\r\nhistorically associated with DarkSide, LockBit and Hunters International distribution.\r\nThis report aims to highlight the evolution of SmokedHam variants by comparing more than\r\n30 samples retrieved in 2025 and 2026. We also provide IOCs, hunting guidelines, and\r\nrecommendations at the end.\r\nA version of this investigation was presented during Botconf 2026 in Reims.\n\nSmoking Out an Affiliate 4\r\n \r\n2 Infection chain\r\n2.1 Initial compromise\r\nIn early February 2026, our CSIRT team analyzed an infection chain initiated after a user\r\nsearched for “rvtools” on Google via Edge. RVTools is a Windows administration tool used by\r\nVMware administrators to collect information about virtual machine infrastructures. The user\r\nthen clicked on an ad leading to a page likely displaying the title “RVTools – VMware\r\nInfrastructure Management | Dell USA”. From that page, the user clicked a download link\r\nredirecting to a Dropbox URL, resulting in the download of a file of approximately 19 MB.\r\nThis binary consists of a malicious NSIS (Nullsoft Scriptable Install System) installer,\r\ndesigned to first establish persistence and then launch two stages, LICENSE.txt and\r\nLICENSE1.txt, dropped alongside a bundled, windowless Python interpreter named\r\nUsbService86.exe. 
Both LICENSE.txt and LICENSE1.txt are Python byte-compiled\r\n(.pyc) files, normally using the .pyc extension but renamed to conceal the original source code\r\nand increase the files’ apparent entropy.\r\nThese Python stages consist of a XORed, hex-encoded blob embedded among junk code. Once fully\r\ndecrypted, a PowerShell script is executed in memory through pythonnet bridging. According\r\nto the project documentation, Python.NET (pythonnet) is a package that gives Python\r\nprogrammers nearly seamless integration with .NET Framework, .NET Core and Mono runtime\r\non Windows, Linux and macOS.\r\nTo evade sandboxes, the PowerShell script contains an execution delay. This fourth stage then\r\nreconstructs a fifth stage, using ConvertTo-SecureString -Key to AES-decrypt an embedded\r\nBase64 blob and compiling it entirely in memory using Add-Type.\r\nThis last stage consists of a .NET RAT written in C# that communicates via HTTP. The payload\r\nhas the following features:\r\n• Console hiding (ShowWindow(GetConsoleWindow(), 0))\r\n• Initial registration with the C2 server\r\n• Periodic beaconing loop to C2\r\n• Reception of encrypted commands\r\n• Arbitrary PowerShell execution via Runspace\r\n• Exfiltration of execution results\r\n• Special commands: delay, exit\r\nWe associate this payload with the SmokedHam family. SmokedHam is also referred to as\r\nParcel RAT, SharpRhino, and WorkersDevBackdoor. A more detailed analysis of the payload\r\nis given in section 3 of the report.\r\n \r\n2.2 Post-compromise activities\r\nOnce installed, SmokedHam was used to execute PowerShell code to retrieve a file from a\r\nremote AWS EC2 server and save it locally. This file is an installer package for an\r\nemployee monitoring solution called Controlio. Less than a week later, similar actions were\r\ncarried out on the same machine, this time delivering a binary from another employee\r\nmonitoring solution known as TeraMind. 
Both the Controlio and TeraMind installers are\r\nconfigured to start automatically during system boot using dedicated services.\r\nEmployee monitoring solutions like TeraMind and Controlio can provide threat actors with\r\nreal-time visibility into a workstation’s activity, such as typical working hours and patterns,\r\npotentially allowing them to blend their actions into legitimate activity and reduce the risk\r\nof detection. We believe the adoption of such solutions by threat actors to be a growing and\n\nSmoking Out an Affiliate 5\r\n \r\nconcerning trend. Previous CTI reports already mention the abuse of Grabber, Syteca\r\n(formerly Ekran) or more recently Net Monitor for ransomware delivery. Often commercialized\r\nfor employee productivity monitoring, such solutions offer capabilities that surpass simple\r\nscreen monitoring. As explained by Huntress researchers, these include reverse shell access,\r\nremote desktop control, file management, and the ability to customize service and process\r\nnames during installation.\r\n \r\nIn addition to installing the TeraMind and Controlio software, the threat actor was observed\r\ncarrying out data exfiltration towards remote AWS EC2 servers. The attacker notably focused\r\non exfiltrating KeePass password databases.\r\nIn parallel, they also conducted system discovery and system information collection, notably\r\nby leveraging the Advanced IP Scanner tool. Lateral movement was facilitated by the\r\nestablishment of reverse SSH tunnels to the threat actor’s own AWS EC2 instances, designed\r\nto forward traffic received through that tunnel to the RDP port of infected machines. For this,\r\nthe threat actor relied on the command-line SSH Plink client included in the PuTTY suite. 
In\r\naddition, the attacker moved laterally from the compromised systems directly through RDP.\r\nIt should be noted that the threat actor also used the Zoho Assist remote access software\r\n(RMM), a well-known, legitimate remote support and remote desktop solution, which has been\r\nregularly abused by threat actors.\r\n \r\n2.3 Data exfiltration and Qilin deployment\r\nFinally, almost a month after having obtained initial access, the threat actor was observed\r\ndownloading 7zip as well as the Total Commander tool. This application enables file indexing\r\non a system to facilitate keyword or filename-based searches. It also provides preview\r\ncapabilities and includes built-in archiving features. The threat actor subsequently generated\r\narchives and transferred them to two Amazon S3 buckets.\r\nIn addition, the threat actor targeted multiple Veeam backup servers, likely with the intent\r\nof deleting recovery data and undermining restoration capabilities.\r\nLater that night, the threat actor initiated a ransomware encryption routine targeting multiple\r\nvirtual machine disks of ESXi servers, resulting in the affected virtual machines becoming\r\ninoperable. A ransom note was delivered, claiming responsibility for the attack on behalf of the\r\nQilin ransomware group.\n\nSmoking Out an Affiliate 6\r\n \r\n3 Technical analysis of SmokedHam\r\n3.1 Comparison between SmokedHam and GitHub’s ThunderShell\r\nbuilder\r\nSmokedHam appears to be a modified, lightweight version of the open-source RAT known as\r\nThunderShell. 
Available on GitHub, this project credits Mr.Un1k0d3rn, Tazz0 and RingZer0\r\nTeam 2017 as its authors.\r\nThis assessment is supported by the following technical overlaps:\r\n• The use of an identical RC4 encryption implementation.\r\n• The same victim ID generation logic.\r\n• A shared implementation bug present in both codebases (in the ID generation).\r\n• An identical JSON communication structure.\r\n• The same PowerShell Runspace execution model.\r\n• A matching C2 polling mechanism.\r\n \r\n3.2 Persistence mechanisms\r\nSmokedHam’s persistence is achieved by writing a registry value named UpdateWINPY\r\nunder HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, thereby establishing\r\npersistence through the Windows Run key.\r\n \r\nFigure 1: Persistence in Run key, NSIS\r\nAnother persistence mechanism is set up by leveraging the Microsoft Distributed Transaction\r\nCoordinator (msdtc) service. The msdtc service is configured with a startup type set to “On\r\nDemand.”\r\n \r\nFigure 2: Service MSDTC set to start on demand\r\nThe registry value OracleOciLibPath under the key\r\nHKLM\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI is modified to point to\r\nC:\\ProgramData\\SysIco.\n\nSmoking Out an Affiliate 7\r\n \r\n \r\nFigure 3: Change of OracleOciLibPath key path for further exploitation\r\n \r\nThis folder is initially left empty but is later used by the threat actor as an additional\r\npersistence means. 
During the investigation, we observed a file called oci.dll being dropped\r\ninto this folder and loaded whenever the msdtc service starts.\r\nNotably, persistence mechanisms were not consistently located within the implant itself\r\nacross variants, indicating a gradual relocation of persistence responsibilities toward staging\r\ncomponents.\r\n \r\n3.3 Payload delivery and reconstruction\r\nIn our case, payload decompression was performed through the NSIS installer.\r\nAs mentioned above, the installer reconstructed and executed a compiled Python file through\r\na disguised Python interpreter, typically using a filename such as LICENSE1.txt. The\r\nhexadecimal header CB 0D 0D 0A indicates that the file is a compiled Python bytecode file\r\n(.pyc), renamed to conceal its true nature and to reduce static detection effectiveness.\r\nThe payload also contains numerous obfuscated strings, consistently following a recurring\r\nstructural pattern.\r\nFigure 4: Python interpreter (USBService86.exe) launching LICENSE1.txt (python bytecode)\r\n \r\nThe observed reconstruction mechanism follows a multi-stage decoding and transformation\r\nprocess:\r\n• An embedded hexadecimal string is stored within the code.\r\n• The string is converted into raw bytes using bytes.fromhex(...).\r\n• The resulting byte array is XORed with a fixed constant.\r\n• The byte array is reversed.\r\n• The transformed data is decoded from Base64.\r\n• The decoded content is decompressed using zlib.\r\n• The final output is executed in-memory.\n\nSmoking Out an Affiliate 8\r\n \r\n \r\nIn Python, this can be translated as:\r\nimport base64\r\nimport zlib\r\n\r\n# hex_string and key are the values embedded in the obfuscated .pyc\r\nblob = bytes.fromhex(hex_string)        # hex string -> raw bytes\r\nblob = bytes([b ^ key for b in blob])  # XOR every byte with the fixed constant\r\nblob = blob[::-1]                       # reverse the byte order\r\ndecoded = base64.b64decode(blob)        # Base64-decode\r\npayload = zlib.decompress(decoded)      # zlib-decompress\r\nexec(payload)                           # run the recovered Python source in memory\r\n \r\nThe output is Python code that may be dropped directly to disk, without relying on a compiled\r\nPython intermediary. 
The script uses pythonnet (clr) to load .NET assemblies, notably\r\nSystem.Management.Automation.\r\nA PowerShell Runspace is then created programmatically through the .NET API, and an\r\nembedded PowerShell script is executed within the instantiated Runspace, enabling in-memory execution through the Python.NET bridging.\r\nThe embedded PowerShell payload is designed for in-memory decryption, compilation,\r\nand execution of the final C# SmokedHam implant. It contains a byte-array key and an\r\nencrypted string. The string is decrypted using ConvertTo-SecureString with the provided key,\r\nconverted from SecureString to plaintext, and then compiled dynamically via Add-Type.\r\nThe C2 server address is recovered from a reconstructed string within the script. The\r\nsame code also embeds the token used by the SmokedHam implant as its RC4 encryption key\r\n(hereafter referred to as the RC4 token), which is later used to secure communications with\r\nthe C2 server.\r\n \r\n \r\nFigure 5: Pythonnet code executed in memory after bytecode\r\n3.4 C2 communications\r\nSmokedHam’s C2 communication relies on the POST method and specifies the Content-Type\r\nheader as application/json. It is sent to the URL https://\u003cworkers-domain\u003e/\u003crandom\u003e/, where\r\nthe \u003crandom\u003e path consists of an alphanumeric string between 1 and 15 characters in length.\r\nThe User-Agent header contains the operating system version, derived from\r\nEnvironment.OSVersion. The Host header is explicitly overridden instead of relying on the\r\ndefault value. 
Finally, TLS certificate validation is disabled for the connection.\n\nSmoking Out an Affiliate 9\r\n \r\nIt uses the following JSON structure for communication:\r\n{ \"UUID\": \"\u003cstring|null\u003e\", \"ID\": \"\", \"Data\": \"\" }\r\n• The ID corresponds to an alphanumeric victim identifier consisting of 16 characters,\r\ngenerated at startup.\r\n• The Data field is consistently constructed using the following process: the plaintext is first\r\nconverted to its ASCII representation, then encrypted using RC4 with the specified key,\r\nand finally encoded in Base64.\r\nThe plaintext sent during the registration phase follows this structure: register \u003cID\u003e\r\n\u003cCOMPUTERNAME\u003e\u003cUSERDOMAIN\u003e\\\u003cUSERNAME\u003e\r\nThe malware performs regular polling requests to the server. During these polling\r\ncommunications, the UUID field is set to null, and the Data field is sent as an empty string (\"\").\r\nWhen the C2 server provides commands, it responds with a message in which the UUID field\r\nis no longer null and the Data field contains encrypted content (RC4 encryption followed by\r\nBase64 encoding). On the malware side, the received data is first decoded from Base64 and\r\nthen decrypted using the RC4 token. The resulting plaintext is parsed by splitting on the first\r\nspace character to extract the command name. The binary supports handling the following\r\ncommands:\r\n• delay: modifies the polling interval.\r\n• exit: terminates execution.\r\n• userinput: executes arbitrary PowerShell commands on the host.\r\nAfter executing the userinput command, the payload prepares a response to the server. 
The\r\nUUID field in the response matches the UUID received in the corresponding server command.\r\nThe Data field contains the output of the executed PowerShell command, which is first\r\nencrypted using RC4 and then encoded in Base64 before being transmitted.\r\n \r\n3.5 Malware evolution\r\nBy pivoting on the sample, we retrieved similar malicious installers leading to\r\nSmokedHam. Most of the analyzed samples were NSIS installers, although a few were\r\nMSI files that ultimately embedded NSIS installers.\r\nThis panel of samples revealed some slight variations, concerning both the installers’\r\npersistence or execution method and the SmokedHam final stage itself. These variations\r\nall overlap in time, meaning there is no clear distribution cluster over time.\r\nAdditionally, all samples contain overlapping RC4 tokens which are distinctive and\r\nunique to the overall campaign, listed here:\r\n• PwVRaQFfQQqxbjmFulvUMoAY\r\n• sgHDLwbfskesAXRtOPSWUhYp\r\n• oTrbUysMzlWZDzmRNhdTKFqf\r\n• kgZgwUMuMaoonJhCKrdLzujD\r\n• eqJdCarScrgpihljkwbRQhdb\r\nThese RC4 keys are reused and can be considered as tokens for the C2 servers used by the\r\nthreat actor.\n\nSmoking Out an Affiliate 10\r\n \r\nFigure 6: RC4 tokens evolution over time\r\n \r\nThis continuity strongly suggests a single operator or a developer iterating on tooling rather\r\nthan multiple unrelated actors reusing public code.\n\nSmoking Out an Affiliate 11\r\n \r\nOur sample comparison is summarized in the diagram below.\r\nFigure 7: SmokedHam delivery scheme\r\n \r\nThe core SmokedHam implant remained largely stable across observed samples. 
In\r\ncontrast, delivery mechanisms, staging complexity and persistence placement evolved\r\nsignificantly, suggesting an operator focus on stealth and deployment reliability rather\r\nthan implant capability expansion.\n\nSmoking Out an Affiliate 12\r\n \r\n3.5.1 Persistence variations and anti-sandbox features\r\nWhile most installer variants we retrieved rely on a Run key set in the NSIS install script to establish\r\npersistence, some more recent samples do it through the Python code extracted from LICENSE1.txt.\r\nAdditionally, the C2 is not called first in the PowerShell script as in the older samples,\r\nbut directly in the C# in-memory procedures.\r\nOther installer samples, found between late November and December 2025, embedded\r\nfeatures relying on the victim’s OS install date. The malware stops its execution flow if:\r\n• The system was not installed exactly two days before the check.\r\n• The uptime is not exactly 10 or 3 minutes (depending on the sample).\r\nThese checks may reflect either sandbox evasion attempts or development artifacts resulting\r\nfrom testing environments.\r\nFinally, the latest samples rely on the Startup folder and a scheduled task to persist on the\r\ninfected systems.\r\n3.5.2 Installer execution chain variations\r\n3.5.2.1 GPG decryption variants\r\nWe observed some SmokedHam installer variants, often distributed around late October and\r\nlate November 2025, leveraging GPG to decrypt several embedded components, such as\r\n7za.dll, 7z.exe, Cert.txt, an MSI installer, and an UpdateFull archive.\r\nThese embedded components are only dropped and unpacked if the value of\r\n\"CurrentMajorVersionNumber\" in the \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\"\r\nkey is not empty (the label_121 corresponding to the file cleanup procedure).\r\nThe UpdateFull archive is then decompressed with a password. 
The rest of the execution chain\r\nunfolds similarly to the classic procedure detailed above.\n\nSmoking Out an Affiliate 13\r\n \r\nFigure 8: GPG delivery variant\r\n \r\n3.5.2.2 WINWORD installer variants\r\nWe also identified several installer variants, distributed in early December 2025, leveraging\r\nthe legitimate executable WINWORD.exe\r\n(59dbc225207fb303c9eccc7b962c82ae212f5d302703d3154178b8afceeccd3c).\r\nIn this case, WINWORD.exe loads a malicious DLL (appvisvsubsystems64.dll), which then\r\nexecutes SmokedHam as a .NET PE (UsbService64.exe). This execution chain installs\r\nSmokedHam through the Run key UpdateWINWORD.\n\nSmoking Out an Affiliate 14\r\n \r\n3.5.3 SmokedHam features variations\r\nDuring our analysis, we identified three slightly different SmokedHam binaries.\r\n• A lightweight one, such as the one retrieved in our case, most commonly used by the\r\nthreat actor.\r\n• A more complete one, distributed through WINWORD installer variants in December\r\n2025.\r\n• A testing binary, observed in January 2026.\r\nIt is important to note the coexistence of all three variants over time, further supporting the\r\nhypothesis of controlled experimentation rather than a linear implant evolution.\r\nThe more complete SmokedHam notably includes more C2 commands:\r\n• « register », « delay », and « exit » commands are preserved.\r\n• « userinput » is replaced by a « byop » command (very likely for Bring Your Own\r\nPowerShell), the second parameter being a Base64 encoded PowerShell command\r\n• A « module » command can be triggered with parameters:\r\no cache: to save an arbitrary Assembly from a Base64 string or a URL passed as\r\na third parameter in %ProgramData %\\UpdateService\\\u003cmodule_name\u003e.dat\r\no run: to run a cached module (parameter 3 = « cache »), or a local file (parameter\r\n3 = « file ») by using its name (parameter 4) along with arguments (subsequent\r\nparameters if needed), or directly Assembly sent in Base64 (parameter 3 = 
« base64 » followed by a Base64 encoded blob)\r\no list: self-explanatory\r\nIn this version, the random ID generation function’s bug is fixed.\r\n \r\nFirst observed in early January 2026, the “testing” SmokedHam is called as such due to the\r\ninstaller’s name pyth-999-test.exe. This variant was delivered using an NSIS script that calls\r\nan interpreter on a script with an unusual name, UsbService64Update.txt.\r\nThe latter contains code calling Python again with LICENSE1.txt, which is Python\r\nbytecode. Yet, instead of the usual expected obfuscated code, it contains two payloads: a small\r\nanti-VM procedure as well as the SmokedHam binary (called agent_999.exe).\r\nRather than embedding extensive functionality directly within the implant, this SmokedHam\r\nvariant stands out as it introduces a persistent runtime extension model that allows\r\noperators to dynamically deliver and execute additional logic in memory while maintaining a\r\nminimal core footprint.\r\n \r\nThe following table sums up the differences between the SmokedHam implants:\r\nCapability | Lightweight SmokedHam | UsbService64 SmokedHam Agent2 | Testing SmokedHam\r\nOverall role | Initial foothold backdoor | Full post-exploitation implant | Bootstrap execution host\r\nExecution philosophy | Direct command execution | Implant-as-a-platform | Runtime extension host\r\nModule handling | None | Structured module framework with disk caching | Dynamic in-memory assemblies with persistent instance\r\nPowerShell usage | Native runspace execution | BYOP PowerShell support | Delivered via extensions or loader stages\r\nLoader dependency | Low | Moderate | High (multi-stage staging pipeline)\n\nSmoking Out an Affiliate 15\r\n \r\nTable 1: Differences between three SmokedHam variants\r\n \r\n3.5.4 Cacciatore: an alternate python backdoor\r\nIn a separate incident from late March 2026, our CERT observed a similar NSIS 
installer\r\ndelivering a Python backdoor instead of the SmokedHam implant. We track this payload as\r\nCacciatore.\r\nIn this case, the interpreter, named pythonw.exe, was invoked exclusively to execute the\r\nLICENSE.txt bytecode file. The reconstructed payload masquerades as an infostealer and\r\nperforms checks against common sandbox environments and machine naming patterns. It\r\nthen inspects files within the %UserProfile%\\Downloads directory and verifies the presence of\r\nthe Alternate Data Stream Zone.Identifier to determine whether the system has previously\r\ndownloaded files from the Internet. If no such evidence is found, the process terminates.\r\nThe Cacciatore backdoor then:\r\n• Checks for (and creates) a configuration file.\r\n• Creates persistence with a Startup shortcut if it has no admin rights, then through a\r\nscheduled task.\r\n• Retrieves system\r\n• Sends the collected information back to a C2 with a first register call, XORing data with\r\nthe key \"helo1\".\r\n• Waits for the following commands:\r\no shellexecute (arbitrary PowerShell execution),\r\no x32 or x64 (shellcode injection in dpapimig.exe (suspended, allocates memory,\r\nwrites shellcode, changes protection to RX, queues APC, resumes thread)),\r\no download (to download and execute additional files).\r\nInterestingly enough, the Cacciatore backdoor also has a C2 fallback mechanism using a\r\nsmart contract reached through an old Polygon URL (polygon-rpc[.]com). The URL intermittently\r\nreturns HTTP 401 errors. 
By querying the updated Polygon RPC endpoint\r\n(hxxps://polygon.drpc.org), with contract 0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba\r\nand a specific calldata, it is possible to extract a XOR-encoded domain name, typically hosted\r\non a Cloudflare IP address.\r\nTable 1 (continued):\r\nCapability | Lightweight SmokedHam | UsbService64 SmokedHam Agent2 | Testing SmokedHam\r\nDisk footprint | Minimal | Noticeable (module cache) | Minimal (memory-centric, marker-based gating)\r\nAnti-analysis placement | Limited | Implant-side checks | Distributed across loader chain\r\nDelivery model | Inline / simple loaders | Direct deployment or lightweight staging | NSIS dropper → Python stage → AES payload\r\nOperational intent | Rapid command execution | Long-term capability deployment | Stealthy staged access and flexible extension\r\nArchitectural orientation | Implant-centric | Implant-centric platform | Loader-centric integration\n\nSmoking Out an Affiliate 16\r\n \r\n \r\nFigure 9: Extraction of the second C2 from Polygon\r\nAffiliation between SmokedHam and Cacciatore can be reasonably inferred from the\r\ndelivery chain, which, up to the final payload, consistently relies on the same tooling\r\nobserved in related samples. The communication pattern further reinforces this link, exhibiting\r\nshared characteristics:\r\n• JSON-based tasking\r\n• Periodic polling for instructions\r\n• Lightweight obfuscation techniques\r\n• A thin, modular agent execution model\r\n \r\n3.6 Code-signing certificates\r\nMost of the SmokedHam samples we retrieved are signed using a legitimate but revoked\r\nExtended Validation (EV) certificate. 
Most of these certificates were issued by the Certificate\r\nAuthorities Certum/Asseco EV, GlobalSign and Sectigo, to small to mid-sized entities,\r\npredominantly Chinese, such as:\r\n• Competent Safety Services Private Limited\r\n• Chengdu Jiameini Technology Co., Ltd.\r\n• Fortune Print Centre Limited\r\n• Jieyang Yusheng Network Technology Co., Ltd.\r\n• Shanghai GAIN STARS Trading Company Limited\r\n• Sinyoo Technology (Wuxi) Co., Ltd.\r\n• Taiyuan Tataomi Technology Co., Ltd.\r\n• Wegun (Thailand) Co., Ltd.\r\n• WILD LLC\r\n• Wenzhou Xihao Jiafang Co., Ltd.\r\n• Wuhan Shuoxi Technology Co., Ltd.\r\n• Xiamen Fangjin Network Technology Co., Ltd.\r\n• Xiamen Shuangbaishi Information Technology Co., Ltd.\n\nSmoking Out an Affiliate 17\r\n \r\nCode-signing certificates are special digital certificates that convey a high level of trust in an\r\napplication or website. Threat actors can acquire them by impersonating a legitimate\r\nbusiness and going through a certificate validation process. Certificates can also be purchased\r\nby threat actors on underground forums, for $2,000 to $6,000 (but prices can go way higher).\r\nCertificates used for signing malicious modules can be revoked, invalidating them before they expire,\r\nas is the case for all of the certificates we retrieved. 
Initiatives like certReport and\r\nCertGraveyard make it much easier to report code-signing certificate abuses and impose\r\nsignificant costs on threat actors.\n\nSmoking Out an Affiliate 18\r\n \r\n4 Infrastructure analysis\r\n4.1 SmokedHam delivery infrastructure\r\nThe malware delivery domains used in two of our cases were rvtoolspro[.]info, rvtoolit[.]com\r\nand rvtooli[.]info, which all spoof Dell’s legitimate RVTools download page.\r\n \r\nFigure 10: Malicious website spoofing Dell’s legitimate RVTools download page.\r\n \r\nClicking “Download RVTools” launches a redirection, first to a subdomain of Azure\r\nFront Door (azurefd.net) or Azure Edge (azureedge.net), then to a DropBox URL.\r\nWe suspect that the threat actor performs several checks to triage visitors,\r\ndisplaying malicious content only to select users, based on their country and/or user-agent. It\r\nalso likely checks the incoming URL to verify whether users arrive from boosted search results by\r\nlooking for the gbraid= or gad_source= URL parameters. These checks might not be\r\nsystematic.\r\nBy pivoting on UNC2465’s infrastructure, we identified recently registered domains spoofing\r\nother known software, like:\r\n• HornetSecurity,\r\n• Angry IP Scanner,\r\n• Elastic,\r\n• Kibana,\r\n• Devart,\r\n• dbForge,\r\n• FelSoft,\r\n• Royal Apps,\r\n• iSpy,\r\n• EMCO Software,\r\n• CleanMyMac,\r\n• Thumos.\r\nOther CTI researchers have also recently shared similar domain registration patterns.\r\nWe observed some of these sites displaying seemingly innocuous content, more or less\r\nrelated to their respective “domain name” topic, including IT tool trainings (including RVTools\r\nAcademy). 
It is possible that some of these domains also act as intermediate redirection\r\ndomains.\r\nMost of these domains are hosted by Cloudflare, with DYNADOT as their registrar.\n\nSmoking Out an Affiliate 19\r\n \r\n \r\n4.2 SmokedHam C2 infrastructure\r\nSmokedHam’s Command and Control (C2) infrastructure is systematically hidden behind\r\nCloudflare Workers, specifically under the workers.dev shared hosting domain. Attackers\r\nfrequently leverage this platform because it provides free TLS certificates, global CDN\r\ndistribution, and trusted IP reputation, making malicious traffic blend with legitimate cloud\r\nactivity.\r\nThe threat actor often uses subdomain naming conventions (e.g., api-gateway, data-pipeline,\r\nlog-ingest, vault-proxy, scan-engine, ingress-ctrl) designed to mimic legitimate DevOps,\r\nbackend, or microservices components.\r\nThe threat actor also extensively relied on AWS infrastructure endpoints for post-compromise activity, including lateral movement and data exfiltration. As mentioned above,\r\nthey notably used AWS Elastic Compute Cloud (EC2) public instance hostnames and AWS\r\nS3 bucket endpoints.\n\nSmoking Out an Affiliate 20\r\n \r\n5 Attribution\r\nThe delivery of a Qilin Rust ransomware binary, as well as the contact details provided in the\r\nransom note, indicate that the threat actor behind this intrusion is part of the Qilin Ransomware-as-a-Service.\r\nAs a reminder, Qilin (formerly known as Agenda) is a double-extortion operation active since\r\nmid-2022, demanding payment for providing decryption keys and for refraining from publishing\r\nthe stolen data to their leak site. Qilin is operated by a threat group tracked as REVENANT\r\nSPIDER (aka Water Galura, Spikey Scorpius, Pestilent Mantis, Gold Feather). 
REVENANT\r\nSPIDER's spokesperson, Haise (aka Lucifer44), was particularly active on the now-defunct\r\nRussian-language underground forum RAMP.\r\nThe ransomware operates an affiliate program, allegedly rewarding affiliates with 80% of\r\nransom payments of $3 million or less and 85% for payments above $3 million. We believe\r\nQilin attracted several key affiliates throughout 2025, following RansomHub and LockBit’s\r\ndeclines. Publicly known Qilin affiliates include Ruthless Mantis, STAC4365, and even Octo\r\nTempest.\r\nQilin currently ranks as the world’s most prolific ransomware operation based on the number\r\nof claimed victims on data leak sites, with more than 1,330 victims listed since January 2025.\r\n \r\nFigure 11: Qilin RaaS’ leak site on TOR\r\n \r\nOur findings also closely resemble what researchers from Synacktiv observed back in March\r\n2025, in a ransomware case delivering Hunters International. Indeed, their report also\r\nmentions:\r\n• SmokedHam, also masquerading as RVTools.\r\n• Reverse SSH tunnels to an attacker-controlled AWS EC2 server.\r\n• A similar employee monitoring tool called Grabber.\r\n• A popular RMM (SplashTop).\r\n• Use of Kitty and WinSCP.\r\n• Total Commander and 7zip for data exfiltration.\r\n• Manual deployment of an ESXi ransomware (in this case, Hunters International).\n\nWith a moderate confidence level, we associate the activity cluster responsible for our\r\nSmokedHam and Qilin infection with UNC2465.\r\nAlso known as Storm-0241, UNC2465 is a Russian-speaking, financially motivated threat\r\ngroup that has been active since at least mid-2019. This cluster was first mentioned by\r\nMandiant in May 2021, then more extensively documented in June 2021 and 2022. 
Over the\r\npast few years, UNC2465 has used malvertising for malware distribution, and has remained\r\ninterested in monetizing access via ransomware.\r\nIt is highly likely that UNC2465 outsources some of its malware distribution to traffers recruited\r\nthrough online forums, particularly the generation of Google and Bing ads, in exchange for\r\na fixed payment (PPI) or a percentage of profit.\r\nWhile UNC2465 was historically affiliated with the DarkSide Ransomware-as-a-Service (RaaS),\r\nwe suspect it might also have been associated with the LockBit and Hunters\r\nInternational RaaS. The deployment of a Qilin encryptor in this case implies that UNC2465 possibly\r\nbecame a Qilin affiliate at some point in 2025.\r\nIn previous attacks, UNC2465 often relied on malicious installers masquerading as\r\nlegitimate software (usually IT administration tools), leading to SMOKEDHAM. Public\r\nreporting notably mentions:\r\n• Advanced IP Scanner\r\n• RVTools\r\n• Wireshark\r\n• DBeaver\r\n• KeyStore Explorer\r\n \r\nOur attribution to UNC2465 is based on the following evidence:\r\n• Delivery of SmokedHam through malicious installers. 
Even though the backdoor is\r\nbased on an open-source RAT, this variant has long been distinctive of UNC2465’s\r\nmodus operandi.\r\n• Abuse of code-signing certificates issued to mid-sized Asian businesses.\r\n• Consistent infrastructure patterns:\r\no Typosquatted delivery domains spoofing RVTools, often boosted by\r\nmalvertising and Google ads (1; 2).\r\no Azure CDN and DropBox payload hosting.\r\no Domain fronting to obfuscate its true C2 servers, including through Cloudflare\r\nWorkers.\n\n6 Conclusion\r\nThrough these investigations, we documented the full intrusion chain of the Qilin ransomware\r\naffiliate UNC2465 leveraging the SmokedHam backdoor, from initial access via malvertising to\r\nfinal ransomware deployment.\r\nFrom a threat intelligence perspective, the observed overlaps with UNC2465 reinforce the\r\nhypothesis of a multi-affiliated actor now operating within the Qilin RaaS.\r\nBased on the pace of variant development and infrastructure registration, we consider\r\nUNC2465 to be actively increasing its operational tempo, especially against European\r\nentities.\r\nBeyond the individual techniques, this case highlights a broader operational pattern\r\nincreasingly observed in recent ransomware ecosystems.\r\n• The growing abuse of legitimate enterprise tools - including remote monitoring and\r\nmanagement (RMM) solutions but also employee monitoring software (or\r\nbossware). 
This trend significantly complicates detection efforts, as attacker behavior\r\nincreasingly overlaps with legitimate system administration practices.\r\n• Continued reliance on widely trusted cloud providers such as Cloudflare and AWS.\r\nBy leveraging domain fronting, CDN-backed services, and ephemeral cloud resources,\r\nthreat actors are able to mask malicious communications within legitimate traffic,\r\nraising the bar for network-based detection.\r\n• Continued improvement of delivery techniques favoring operational reliability\r\nover feature expansion. Variations in loaders, staging mechanisms, and persistence\r\nplacement suggest a deliberate effort to improve stealth, resilience, and evasion\r\nwithout disrupting a well-established C2 architecture.\n\n7 Hunting recommendations\r\nIoCs are available here:\r\nhttps://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs\r\n \r\nFor proactive hunting, you can:\r\n• Look for bossware-related network artefacts such as:\r\no app-controlio.s3.amazonaws.com\r\no backend.controlio.net\r\no ls.controlio.net\r\n• Look for unusual User-Agent strings containing raw OS version information\r\n(Environment.OSVersion) in proxy logs.\r\n• Look for Python processes launching PowerShell.\r\n• Look for known SmokedHam certificates, such as the one mentioned earlier.\r\nOrange Cyberdefense’s Datalake platform provides access to Indicators of Compromise\r\n(IoCs) related to this threat, which are automatically fed into our Managed Threat Detection\r\nservices. This enables proactive hunting for IoCs if you subscribe to our Managed Threat\r\nDetection service that includes Threat Hunting.\r\nOrange Cyberdefense’s Managed Threat Intelligence service offers the ability to\r\nautomatically feed network-related IoCs into your security solutions. 
To learn more about this\r\nservice and to find out which firewall, proxy, and other vendor solutions are supported, please\r\nget in touch with your Orange Cyberdefense Trusted Solutions representative.\r\nThe Orange Cyberdefense Computer Security Incident Response team (CSIRT) provides\r\nemergency consulting, incident management, and technical advice to help customers handle\r\na security incident from initial detection to closure and full recovery. If you suspect you are being\r\nattacked, do not hesitate to call our Hotline.\n\n8 Sources\r\nhttps://cert.orange.pl/wp-content/uploads/2024/10/CERTOPL_CTI_Hunters_International.pdf\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/?hl=en\r\nhttps://fieldeffect.com/blog/thunderstruck-malicious-ads-rvtools-thundershell-payload\r\nhttps://medium.com/trac-labs/who-ordered-the-smokedham-backdoor-delicacies-in-the-wild-87f51e2e5bd2\r\nhttps://oxygen28.github.io/posts/smokedham/\r\nhttps://www.esentire.com/blog/workersdevbackdoor-delivered-via-malvertising\r\nhttps://www.quorumcyber.com/insights/sharprhino-new-hunters-international-rat-identified-by-quorum-cyber/\r\nhttps://www.security.com/threat-intelligence/fog-ransomware-attack\r\nhttps://www.synacktiv.com/en/publications/case-study-how-hunters-international-and-friends-target-your-hypervisors\r\nhttps://www.threatdown.com/blog/workersdevbackdoor-and-madmxshell-converge-in-malvertising-campaigns/\r\nhttps://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf"
	],
	"report_names": [
		"smoking_out_an_affiliate.pdf"
	],
	"threat_actors": [],
	"ts_created_at": 1778032950,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 1776074963,
	"ts_modification_date": 1776074963,
	"files": {
		"pdf": "https://archive.orkl.eu/151dc0a02c21288bbb1bc0ed38dba74591f65c4b.pdf",
		"text": "https://archive.orkl.eu/151dc0a02c21288bbb1bc0ed38dba74591f65c4b.txt",
		"img": "https://archive.orkl.eu/151dc0a02c21288bbb1bc0ed38dba74591f65c4b.jpg"
	}
}