Smoking Out an Affiliate: SmokedHam, Qilin, a few Google ads and some bossware

Khushal


Introduction

Between early February and early April 2026, Orange Cyberdefense CERT was involved in separate malvertising incidents affecting three European clients. All three infection chains observed by our analysts revealed the use of the SmokedHam backdoor, delivered through malvertising and masquerading as common utility installers for RVTools or Remote Desktop Manager (RDM).

In one particular incident, the SmokedHam infection led to the deployment of Qilin ransomware. This case also featured:

  • The use of two employee monitoring solutions to further blend malicious actions into legitimate activity, as well as legitimate tools and utilities like PuTTY and Kitty SSH clients, Zoho Assist RMM, and Total Commander.
  • The use of Cloudflare Workers for domain fronting.
  • The use of standard AWS infrastructure endpoints.

The following report delves into the execution chain, malware analysis, and broader infrastructure and adversarial observations. Most notably, we found several overlaps with the Tactics, Techniques and Procedures (TTPs) of UNC2465, a known ransomware affiliate historically associated with DarkSide, LockBit and Hunters International distribution.

This report aims at highlighting the evolution of SmokedHam variants, by comparing more than 30 samples retrieved in 2025 and 2026. We also provide IOCs, hunting guidelines, and recommendations at the end.

A version of this investigation was presented during Botconf 2026 in Reims.

This is scary to see. It looks like they are mostly targeting businesses with those specific tools, but the fact that they're using Google Ads is what worries me as a regular user. Anyone could be looking for a simple utility, click the first sponsored result by mistake, and end up infected. Definitely a good reminder to stay away from search ads and stick to official sites. 🔍🛡️
The user then clicked on an ad leading to a page likely displaying the title “RVTools – VMware Infrastructure Management | Dell USA”. From that page, the user clicked a download link redirecting to a Dropbox URL, resulting in the download of a file of approximately 19 MB.
A sample from the published IOCs:
Here are some lessons I’m trying to remember from this incident:
  • Ad! An ad blocker is a very good free gift for friends and family.
  • Downloading from a suspicious redirected link (in this case Dropbox, in HWMonitor case r2[.]dev) is unlikely to be good for mental health.
  • Executables with inconsistent file information and signers (certificate since revoked) are almost certainly up to no good.
  • An unexpected signer (in this case Wuhan Shuoxi Technology) probably isn’t your friend.
  • A reputation-based check would have worked well here because the tool is very established.
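A defender-side check that matches the last three lessons above (signature validity, signer versus embedded file information). This is an added example and is not code from the post or from the Orange Cyberdefense report; it uses only built-in PowerShell cmdlets, and the sample path is a placeholder.

```powershell
# Added example: flag a downloaded installer whose Authenticode signature is not valid
# or whose signer does not match the company named in the file's own version resource.
# Assumes Windows PowerShell 5.1 or later; the path below is a placeholder.
function Test-InstallerConsistency {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Leaf certificate subject, e.g. "CN=Publisher Name, O=Publisher Name, ..."
    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $companyName   = $file.VersionInfo.CompanyName
    $productName   = $file.VersionInfo.ProductName

    $findings = @()

    # A revoked or untrusted certificate never reports 'Valid' here.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is '$($sig.Status)' (expected 'Valid')"
    }

    # Inconsistent file information: no company name, or a signer that does not mention it.
    if ([string]::IsNullOrWhiteSpace($companyName)) {
        $findings += 'version resource has no CompanyName'
    }
    elseif ($signerSubject -notlike "*$companyName*") {
        $findings += "signer '$signerSubject' does not match CompanyName '$companyName'"
    }

    [pscustomobject]@{
        File          = $file.Name
        SizeMB        = [math]::Round($file.Length / 1MB, 1)
        ProductName   = $productName
        CompanyName   = $companyName
        Signer        = $signerSubject
        SigStatus     = $sig.Status
        Suspicious    = ($findings.Count -gt 0)
        Findings      = ($findings -join '; ')
    }
}

# Usage (placeholder path): inspect the file before anyone runs it.
Test-InstallerConsistency -Path 'C:\Users\Public\Downloads\installer-under-review.exe' | Format-List
```

A mismatch between the signer and the CompanyName, or any status other than Valid, is a reason to stop and check the vendor's official download page rather than run the file; the check is cheap enough to apply to every executable pulled from a file-sharing or CDN link.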