SOC Prime Bias: High

17 Apr 2026 17:27

Smoking out an affiliate: SmokedHam, Qilin, a few Google ads and some bossware

SOC Prime Team

Summary

Orange Cyberdefense reported that, in early 2026, a ransomware affiliate distributed the SmokedHam backdoor through malicious ads masquerading as legitimate utility software. In at least one confirmed intrusion, the backdoor was later used to deliver Qilin ransomware. Researchers attributed the activity with moderate confidence to the Russian-speaking affiliate UNC2465, a threat actor previously associated with DarkSide, LockBit, and Hunters International operations.

Investigation

The investigation reviewed more than 30 SmokedHam samples collected during 2025 and 2026, identifying malvertising domains that relied on Cloudflare Workers for domain fronting alongside AWS-hosted infrastructure. Analysts also documented the abuse of legitimate tools such as PuTTY and Total Commander to help malicious activity blend into normal administrative operations. The report further highlighted tactical overlaps with activity previously linked to UNC2465.

Mitigation

Defenders should block the known malvertising domains, enforce application allow-listing for tools such as RVTools and Remote Desktop Manager, and monitor for unusual use of legitimate administrative utilities. Endpoint detection coverage should also be strengthened to identify SmokedHam backdoor behavior and related post-compromise activity. The use of cloud-based threat intelligence feeds can further improve detection and enrichment efforts.

Response

If suspicious activity is identified, isolate the affected host immediately, collect forensic artifacts, and search for indicators associated with both SmokedHam and Qilin. Investigators should also determine whether credential theft or ransomware encryption has already occurred. Broader threat hunting across related infrastructure is recommended, along with activation of established ransomware incident response procedures.
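The Mitigation section asks for monitoring of unusual use of legitimate administrative utilities, and the Response section for a hunt across hosts that then feeds isolation. The following script is an added example, not code from SOC Prime or Orange Cyberdefense: it runs two simple hunting rules over constructed Sysmon-style JSON events (the field names, host names, paths, the trusted-directory baseline and the KEY_MANAGERS allow-list are all assumptions), flagging PuTTY/KiTTY launched from outside sanctioned install paths (T1219) and writes to SSH authorized_keys files by processes that are not known key managers (T1098.004), then lists the hosts with hits for the isolation step.

```python
"""Hunt for two behaviours described in the SmokedHam/Qilin report.

Added example: not the vendor's detection content. Event schema, paths,
host names and allow-lists below are constructed assumptions.
"""
import json
from typing import Callable, Dict, Iterable, List, Optional

# Utilities the report says were abused for C2 (binary names are assumptions;
# Zoho Assist is left out because its executable name is not given on the page).
WATCHED_UTILITIES = {"putty.exe", "kitty.exe"}

# Where sanctioned copies are expected to live (assumed allow-list; tune it).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Processes allowed to edit authorized_keys files (assumed provisioning baseline).
KEY_MANAGERS = {"ansible-playbook", "puppet"}

# OpenSSH key files on Linux and on Windows (administrators_authorized_keys).
AUTHORIZED_KEYS_NAMES = {"authorized_keys", "administrators_authorized_keys"}


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_utility_exec(ev: dict) -> Optional[str]:
    """T1219: watched SSH/remote-access utility started outside trusted dirs."""
    if ev.get("event_type") != "process_create":
        return None
    image = ev.get("image", "")
    if basename(image) not in WATCHED_UTILITIES:
        return None
    if image.lower().startswith(TRUSTED_DIRS):
        return None  # sanctioned install location, nothing to report
    return f"{basename(image)} launched from untrusted path {image} by {ev.get('user')}"


def check_authorized_keys_write(ev: dict) -> Optional[str]:
    """T1098.004: authorized_keys written by something other than a key manager."""
    if ev.get("event_type") != "file_create":
        return None
    target = ev.get("target_file", "")
    if basename(target) not in AUTHORIZED_KEYS_NAMES:
        return None
    writer = basename(ev.get("image", ""))
    if writer in KEY_MANAGERS:
        return None
    return f"{target} written by {writer or 'unknown'} as {ev.get('user')}"


RULES: Dict[str, Callable[[dict], Optional[str]]] = {
    "T1219 unusual remote-access utility": check_utility_exec,
    "T1098.004 authorized_keys modified": check_authorized_keys_write,
}


def hunt(lines: Iterable[str]) -> List[dict]:
    """Parse JSON event lines and return one finding per (event, rule) hit."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line; skip rather than abort the hunt
        for rule, fn in RULES.items():
            reason = fn(ev)
            if reason:
                findings.append({"rule": rule, "host": ev.get("host"), "detail": reason})
    return findings


def hosts_to_isolate(findings: List[dict]) -> List[str]:
    """Distinct hosts with at least one hit, for the isolation step."""
    return sorted({f["host"] for f in findings if f.get("host")})


# Constructed sample telemetry (not real logs), serialised as JSON lines.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event_type": "process_create", "host": "ws-12", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\rvtools_setup\putty.exe",
     "parent_image": r"C:\Users\jdoe\Downloads\rvtools-installer.exe"},
    {"event_type": "process_create", "host": "admin-01", "user": "sysadmin",
     "image": r"C:\Program Files\PuTTY\putty.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_type": "process_create", "host": "ws-12", "user": "jdoe",
     "image": r"C:\Windows\Temp\kitty.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "file_create", "host": "srv-db-03", "user": "root",
     "image": "/usr/bin/bash", "target_file": "/root/.ssh/authorized_keys"},
    {"event_type": "file_create", "host": "srv-web-01", "user": "deploy",
     "image": "/usr/local/bin/ansible-playbook",
     "target_file": "/home/deploy/.ssh/authorized_keys"},
    {"event_type": "process_create", "host": "ws-12", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['rule']}] {h['host']}: {h['detail']}")
    print("isolate:", ", ".join(hosts_to_isolate(hits)))
```

On the constructed sample the first and third process events and the bash write to root's authorized_keys are flagged (three findings), while the sanctioned PuTTY copy, the provisioning tool's key write and notepad are not; ws-12 and srv-db-03 come out as the hosts to isolate. In a real estate the trusted directories and KEY_MANAGERS baseline are the tuning knobs, and the same rules port directly to a SIEM query.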

Attack Flow

```mermaid
graph TB
  %% Class Definitions
  classDef action fill:#99ccff
  classDef malware fill:#ff6666
  classDef tool fill:#cccccc
  classDef service fill:#ffd966
  classDef impact fill:#ff9999

  %% Nodes
  action_initial["<b>Action</b> – <b>T1659 Content Injection (Malvertising)</b><br/>Malicious installer disguised as RVTools/Remote Desktop Manager"]
  class action_initial action
  action_user_exec["<b>Action</b> – <b>T1204 User Execution</b><br/>Victim runs the disguised installer"]
  class action_user_exec action
  malware_smokedham["<b>Malware</b> – <b>T1127 Trusted Developer Utilities Proxy Execution</b><br/>Backdoor SmokedHam installed"]
  class malware_smokedham malware
  action_embedded_payload["<b>Action</b> – <b>T1027.009 Embedded Payloads</b><br/>SmokedHam payload obfuscated within legitimate utility"]
  class action_embedded_payload action
  action_polymorphic["<b>Action</b> – <b>T1027.014 Polymorphic Code</b><br/>Variant uses packing and code mutation"]
  class action_polymorphic action
  action_rat["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/>SmokedHam establishes C2 using legitimate tools"]
  class action_rat action
  tool_putty["<b>Tool</b> – <b>PuTTY</b><br/>SSH client used for C2"]
  class tool_putty tool
  tool_kitty["<b>Tool</b> – <b>KiTTY</b><br/>SSH client variant"]
  class tool_kitty tool
  tool_zoho["<b>Tool</b> – <b>Zoho Assist</b><br/>Remote support tool used for C2"]
  class tool_zoho tool
  action_c2_comm["<b>Action</b> – <b>T1102.001/002/003 Communication</b><br/>C2 via Cloudflare Workers and AWS"]
  class action_c2_comm action
  service_cloudflare["<b>Service</b> – <b>Cloudflare Workers</b>"]
  class service_cloudflare service
  service_aws["<b>Service</b> – <b>AWS</b>"]
  class service_aws service
  action_tunnel["<b>Action</b> – <b>T1572 Protocol Tunneling</b><br/>Traffic tunneled through legitimate services"]
  class action_tunnel action
  action_ssh_hijack["<b>Action</b> – <b>T1563.001 Remote Service Session Hijacking (SSH)</b><br/>Hijack using stolen credentials"]
  class action_ssh_hijack action
  action_rdp_hijack["<b>Action</b> – <b>T1563.002 Remote Service Session Hijacking (RDP)</b><br/>Hijack RDP sessions"]
  class action_rdp_hijack action
  action_exploit_remote["<b>Action</b> – <b>T1210 Exploitation of Remote Services</b><br/>Lateral movement to internal hosts"]
  class action_exploit_remote action
  action_input_capture["<b>Action</b> – <b>T1056.003 Input Capture</b><br/>Web portal credential capture"]
  class action_input_capture action
  action_account_manip["<b>Action</b> – <b>T1098.004 Account Manipulation</b><br/>SSH authorized keys added for persistence"]
  class action_account_manip action
  malware_qilin["<b>Malware</b> – <b>Qilin Ransomware</b><br/>Encrypts victim data"]
  class malware_qilin impact

  %% Connections
  action_initial -->|leads_to| action_user_exec
  action_user_exec -->|leads_to| malware_smokedham
  malware_smokedham -->|leads_to| action_embedded_payload
  action_embedded_payload -->|leads_to| action_polymorphic
  action_polymorphic -->|leads_to| action_rat
  action_rat -->|uses| tool_putty
  action_rat -->|uses| tool_kitty
  action_rat -->|uses| tool_zoho
  action_rat -->|communicates via| action_c2_comm
  action_c2_comm -->|uses| service_cloudflare
  action_c2_comm -->|uses| service_aws
  action_c2_comm -->|enables| action_tunnel
  action_tunnel -->|enables| action_ssh_hijack
  action_ssh_hijack -->|enables| action_rdp_hijack
  action_rdp_hijack -->|enables| action_exploit_remote
  action_exploit_remote -->|enables| action_input_capture
  action_input_capture -->|enables| action_account_manip
  action_account_manip -->|enables| malware_qilin
```
