BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.botconf.org//botconf-2026//talk//TVKBBF
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-botconf-2026-TVKBBF@cfp.botconf.org
DTSTART;TZID=CET:20260415T121000
DTEND;TZID=CET:20260415T125500
DESCRIPTION:In February 2026\, Orange Cyberdefense CERT responded to a rans
 omware incident affecting a European organization. The intrusion began wit
 h a malvertising chain leading to a trojanized RVTools installer and the d
 eployment of the SmokedHam backdoor\, ultimately culminating in Qilin rans
 omware encryption of ESXi virtual machines. This presentation reconstructs
  the full infection chain - from Google Ads to extortion - and details the
  attacker’s post-compromise tradecraft.\n\nBeyond SmokedHam\, the case h
 ighlights several notable techniques: abuse of employee monitoring (“bos
 sware”) tools to blend malicious activity with legitimate user behavior\
 , domain fronting via Cloudflare Workers\, systematic use of AWS infrastru
 cture for staging and exfiltration\, and the recurring use of revoked Exte
 nded Validation code-signing certificates obtained through impersonation o
 f Asian businesses. We also analyze more than 30 SmokedHam samples collect
 ed in 2025–2026\, exposing continuous malware evolution\, variant testin
 g\, and iterative refinement of persistence and staging mechanisms.\n\nTec
 hnical overlaps and operational patterns strongly align with UNC2465\, a R
 ussian-speaking ransomware affiliate historically linked to DarkSide\, Loc
 kBit\, and Hunters International. The deployment of a Qilin encryptor sugg
 ests a shift in affiliation during 2025. By pivoting on typosquatted domai
 ns\, and analyzing underground forum activity\, we are able to share new i
 nsights on the affiliate’s modus operandi\, including its traffer recrui
 tment and recent incapacity to manipulate or delete Veeam Cloud backups.
DTSTAMP:20260429T221911Z
LOCATION:Amphitheater
SUMMARY:Smoking Out an Affiliate: SmokedHam\, Qilin\, a few Google ads and 
 some bossware - Marine Pichon\, Alexis Goodfaith\, Thomas
URL:https://cfp.botconf.org/botconf-2026/talk/TVKBBF/
END:VEVENT
END:VCALENDAR
