Alexis Goodfaith

Reverse Engineer at Orange Cyberdefense CERT. I work on malware analysis and complex intrusion investigations. With a background in digital forensics and pentesting, I combine reverse engineering with investigative methodologies to better understand attacker tradecraft. I also develop internal automation tools to support large-scale artifact analysis and configuration extraction.


Sessions

04-15
12:10
45min
Smoking Out an Affiliate: SmokedHam, Qilin, a few Google ads and some bossware
Marine Pichon, Thomas, Alexis Goodfaith

In February 2026, Orange Cyberdefense CERT responded to a ransomware incident affecting a European organization. The intrusion began with a malvertising chain leading to a trojanized RVTools installer and the deployment of the SmokedHam backdoor, ultimately culminating in Qilin ransomware encryption of ESXi virtual machines. This presentation reconstructs the full infection chain - from Google Ads to extortion - and details the attacker’s post-compromise tradecraft.

Beyond SmokedHam, the case highlights several notable techniques: abuse of employee monitoring (“bossware”) tools to blend malicious activity with legitimate user behavior, domain fronting via Cloudflare Workers, systematic use of AWS infrastructure for staging and exfiltration, and the recurring use of revoked Extended Validation code-signing certificates obtained through impersonation of Asian businesses. We also analyze more than 30 SmokedHam samples collected in 2025–2026, exposing continuous malware evolution, variant testing, and iterative refinement of persistence and staging mechanisms.

Technical overlaps and operational patterns strongly align with UNC2465, a Russian-speaking ransomware affiliate historically linked to DarkSide, LockBit, and Hunters International. The deployment of a Qilin encryptor suggests a shift in affiliation during 2025. By pivoting on typosquatted domains and analyzing underground forum activity, we are able to share new insights on the affiliate’s modus operandi, including its traffer recruitment and its recent inability to manipulate or delete Veeam Cloud backups.

Sprint CFP
Amphitheater
04-16
17:08
3min
LT17-Good Labels
Alexis Goodfaith

A short talk on how good labelling of threats and malware genuinely helps analysts.

Lightning talk
Amphitheater