SmokedHam Backdoor Linked to Qilin Ransomware


Summary

Orange Cyberdefense reported that, in early 2026, a ransomware affiliate distributed the SmokedHam backdoor through malicious ads masquerading as legitimate utility software. In at least one confirmed intrusion, the backdoor was later used to deliver Qilin ransomware. Researchers attributed the activity with moderate confidence to UNC2465, a Russian-speaking affiliate previously associated with DarkSide, LockBit, and Hunters International operations.

Investigation

The investigation reviewed more than 30 SmokedHam samples collected during 2025 and 2026 and identified the malvertising domains behind them; those domains used Cloudflare Workers as a domain-fronting layer in front of AWS-hosted infrastructure, so that victim traffic resolved to Cloudflare rather than to the operators' own hosts. Analysts also documented the abuse of legitimate tools such as PuTTY and Total Commander, chosen so that hands-on-keyboard activity blended into normal administrative work. The report further highlighted tactical overlaps with activity previously linked to UNC2465.

Mitigation

Defenders should block the known malvertising domains, enforce application allow-listing for administrative tools such as RVTools and Remote Desktop Manager (so that only IT-deployed copies, running from their expected install paths, are permitted), and monitor for unusual use of legitimate administrative utilities, including the PuTTY and Total Commander binaries abused in this campaign. Endpoint detection coverage should also be strengthened to identify SmokedHam backdoor behavior and related post-compromise activity. Threat intelligence feeds that carry the published indicators help with enrichment, but a domain blocklist goes stale quickly as malvertising infrastructure rotates; behavior-based detections on the tooling outlast it.
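The monitoring recommendation above, as an added example that is not part of the Orange Cyberdefense report: a small Python checker that runs over constructed Sysmon-style process-creation events and flags the dual-use tools named on this page when they execute from outside the expected install roots, from a user-writable directory, or under an unexpected parent process. The executable names, allowed install roots, expected parents, and the sample events are all assumptions to be tuned to the estate being monitored.

```python
"""Flag unusual executions of dual-use admin tools from process-creation logs.

Added example, not code from the Orange Cyberdefense report. Binary names,
allowed install roots, expected parents and the sample events are assumptions.
"""
import json
from pathlib import PureWindowsPath

# Tools the report names as abused (PuTTY, Total Commander) or recommends
# allow-listing (RVTools, Remote Desktop Manager). Executable names are the
# vendors' usual file names (assumption; verify against your own inventory).
WATCHED_TOOLS = {
    "putty.exe": "PuTTY",
    "plink.exe": "PuTTY (plink)",
    "totalcmd.exe": "Total Commander",
    "totalcmd64.exe": "Total Commander",
    "rvtools.exe": "RVTools",
    "remotedesktopmanager.exe": "Remote Desktop Manager",
}

# Where IT-deployed copies are expected to live (assumption; tune per estate).
ALLOWED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Directory names that ordinary users can write to; a watched tool running
# from one of these was most likely dropped, not installed.
USER_WRITABLE_PARTS = {"appdata", "temp", "tmp", "downloads", "public"}

# Parents that normally launch an interactive admin tool (assumption).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                    "windowsterminal.exe"}


def inspect_event(event):
    """Return a finding dict for one process-creation event, or None."""
    image = PureWindowsPath(event.get("Image", ""))
    tool = WATCHED_TOOLS.get(image.name.lower())
    if tool is None:
        return None  # not a tool we care about

    reasons = []
    # PureWindowsPath comparisons are case-insensitive, so mixed-case
    # telemetry still matches the allow-listed roots.
    if not any(root in image.parents for root in ALLOWED_ROOTS):
        reasons.append("outside allow-listed install root")
    if any(part.lower() in USER_WRITABLE_PARTS for part in image.parts):
        reasons.append("user-writable location")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent or '<unknown>'}")
    if not reasons:
        return None

    return {
        "tool": tool,
        "image": str(image),
        "user": event.get("User", "<unknown>"),
        "parent": parent,
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 2 else "medium",
    }


def analyze(jsonl_text):
    """Run inspect_event over newline-delimited JSON events; skip bad lines."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: log it in production, skip it here
        finding = inspect_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"Image": r"C:\Program Files\PuTTY\putty.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"}),
    json.dumps({"Image": r"C:\Users\jdoe\AppData\Local\Temp\totalcmd64.exe",
                "ParentImage": r"C:\Windows\System32\wscript.exe", "User": "CORP\\jdoe"}),
    json.dumps({"Image": r"C:\Program Files (x86)\Robware\RVTools\RVTools.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "User": "CORP\\vadmin"}),
    json.dumps({"Image": r"C:\Users\Public\plink.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\svc-backup"}),
    json.dumps({"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"}),
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['tool']} {f['image']} "
              f"(parent={f['parent']}, user={f['user']}): {', '.join(f['reasons'])}")
```

On the constructed sample, the IT-installed PuTTY and RVTools runs produce nothing, while the Total Commander binary dropped in a Temp folder and spawned by a script host, and the plink copy in the Public folder, are both reported as high severity. In production the same three checks map naturally onto an EDR query or a SIEM rule; the point is that the binary's location and parent, not its name alone, carry the signal.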

Response

If suspicious activity is identified, isolate the affected host from the network immediately (leaving it powered on so volatile memory can be captured), collect forensic artifacts, and search for indicators associated with both SmokedHam and Qilin. Investigators should also determine whether credential theft or ransomware encryption has already occurred, since an active SmokedHam backdoor may mean the affiliate has already moved beyond the initial host. Broader threat hunting across related infrastructure is recommended, along with activation of established ransomware incident response procedures.


