{
	"id": "42e179db-8253-4731-a2f2-9f73432727c7",
	"created_at": "2026-05-06T02:03:40.723135Z",
	"updated_at": "2026-05-06T02:03:52.64339Z",
	"deleted_at": null,
	"sha1_hash": "a17d51bf6fa5b7caf66bc9e954d1fd10d5b32aaa",
	"title": "SmokedHam and Qilin Threats | Orange Cyberdefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 915992,
	"plain_text": "SmokedHam and Qilin Threats | Orange Cyberdefense\r\nPublished: 2026-04-15 · Archived: 2026-05-06 02:00:38 UTC\r\nSmoking out an affiliate: SmokedHam, Qilin, a few Google ads and some bossware\r\nTL;DR\r\nIn early 2026, Orange Cyberdefense responded to several incidents delivering the SmokedHam\r\nbackdoor; \r\nIn at least one case, the infection chain resulted in the deployment of the Qilin ransomware; \r\nWe attribute these activities with moderate confidence to the Russian-speaking ransomware affiliate\r\nUNC2465, historically associated with DarkSide, LockBit and Hunters International distribution; \r\nBy pivoting on the infrastructure, we identified multiple malicious malvertising domains responsible for\r\ndelivering SmokedHam, typically masqueraded as legitimate utilities like RVTools; \r\nWe identified a relatively high number of SmokedHam variants, with different delivery and persistence\r\ntechniques, indicating a prolific threat actor iterating on tooling; \r\nWe believe this threat actor has been increasingly targeting European organizations since early 2026.\r\nIntroduction\r\nBetween early February and early April 2026, Orange Cyberdefense CERT was involved in separate\r\nmalvertising incidents affecting three European clients. All three infection chains observed by our analysts\r\nhttps://www.orangecyberdefense.com/global/blog/cert-news/smoking-out-an-affiliate-smokedham-qilin-a-few-google-ads-and-some-bossware\r\nPage 1 of 2\n\nrevealed the use of the SmokedHam backdoor, delivered through malvertising and masquerading as common\r\nutility installers for RVTools or Remote Desktop Manager (RDM). \r\nIn one particular incident, the SmokedHam infection led to the deployment of Qilin ransomware. This case also\r\nfeatured:\r\nThe use of two employee monitoring solutions to further blend malicious actions into legitimate activity,\r\nas well as legitimate tools and utilities like the PuTTY and KiTTY SSH clients, Zoho Assist RMM, and Total\r\nCommander; \r\nThe use of Cloudflare Workers for domain fronting; \r\nThe use of standard AWS infrastructure endpoints.\r\nThe following report delves into the execution chain, malware analysis, and broader infrastructure and adversarial\r\nobservations. Most notably, we found several overlaps with the Tactics, Techniques and Procedures (TTPs) of\r\nUNC2465, a known ransomware affiliate historically associated with DarkSide, LockBit and Hunters\r\nInternational distribution.\r\nThis report aims to highlight the evolution of SmokedHam variants by comparing more than 30 samples\r\nretrieved in 2025 and 2026. We also provide IOCs, hunting guidelines, and recommendations at the end.\r\nA version of this investigation was presented during Botconf 2026 in Reims.\r\nAnalysis cut-off date: April 8th, 2026\r\nIndicators of Compromise (IOCs)\r\nIoCs are available here: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs \r\nOrange Cyberdefense’s Datalake platform provides access to Indicators of Compromise (IoCs) related to this\r\nthreat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for\r\nIoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting.\r\nOrange Cyberdefense’s ThreatMap service offers the ability to automatically feed network-related IoCs into your\r\nsecurity solutions. To learn more about this service and to find out which firewall, proxy, and other vendor\r\nsolutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.\r\nThe Orange Cyberdefense Computer Security Incident Response team (CSIRT) provides emergency\r\nconsulting, incident management, and technical advice to help customers handle a security incident from initial\r\ndetection to closure and full recovery. If you suspect you are under attack, do not hesitate to call our Hotline.\r\nSource: https://www.orangecyberdefense.com/global/blog/cert-news/smoking-out-an-affiliate-smokedham-qilin-a-few-google-ads-and-some-bossware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.orangecyberdefense.com/global/blog/cert-news/smoking-out-an-affiliate-smokedham-qilin-a-few-google-ads-and-some-bossware"
	],
	"report_names": [
		"smoking-out-an-affiliate-smokedham-qilin-a-few-google-ads-and-some-bossware"
	],
	"threat_actors": [],
	"ts_created_at": 1778033020,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a17d51bf6fa5b7caf66bc9e954d1fd10d5b32aaa.pdf",
		"text": "https://archive.orkl.eu/a17d51bf6fa5b7caf66bc9e954d1fd10d5b32aaa.txt",
		"img": "https://archive.orkl.eu/a17d51bf6fa5b7caf66bc9e954d1fd10d5b32aaa.jpg"
	}
}