Back to Home

Malicious advertising of IT utilities: SmokedHam and Qilin attack

In early 2026, European companies are being attacked through malicious ads for IT utilities. Attackers distribute the SmokedHam backdoor and Qilin ransomware. Analysts link the campaign to the UNC2465 group.

How fake IT tool installers give hackers access to your network
Advertisement 728x90

Malicious IT Utility Ads: How Hackers Infiltrate European Companies via Fake Installers

In early 2026, European organizations faced a new wave of cyberattacks where attackers use malicious ads in search engines to distribute the SmokedHam backdoor disguised as legitimate IT tools. In some cases, the attack culminates in the deployment of the Qilin ransomware. Orange Cyberdefense experts link the campaign to the UNC2465 group, previously known for attacks using DarkSide, LockBit, and Hunters International.

Attack Mechanism: From Ads to Full Control

The attack begins with purchasing search engine ads that promote fake download pages for popular system administrator utilities. A user searching for, say, RVTools or Remote Desktop Manager may click on an ad and download a malicious installer. Once executed, the SmokedHam backdoor is loaded onto the device, granting attackers remote access.

In one incident investigated by Orange Cyberdefense, the infection led to the deployment of the Qilin encryptor. Operators used sophisticated concealment methods: they employed two different employee monitoring solutions, blended malicious activity with legitimate administrative tools (PuTTY, Kitty, Zoho Assist, Total Commander), and used Cloudflare Workers and standard AWS endpoints to mask traffic.

Google AdInline article slot

SmokedHam: Evolution of a Backdoor

Orange Cyberdefense analysts examined over 30 SmokedHam samples collected in 2025-2026. They found that operators constantly modify the tool: delivery methods, persistence techniques, and exploited vulnerabilities change over time. This indicates high group activity and continuous refinement of their arsenal. The backdoor can load additional modules, providing flexibility in conducting attacks.

Who Is Behind the Attacks: The UNC2465 Group

With moderate confidence, Orange Cyberdefense links the campaign to UNC2465. This group or an associated affiliate has previously been involved in attacks using well-known ransomware such as DarkSide, LockBit, and Hunters International. The conclusion is based on overlapping tactics, techniques, and infrastructure. Attackers are actively targeting European organizations, as evidenced by the geographic distribution of incidents from February to April 2026.

Key Points

  • Malicious ads in search engines are an effective initial intrusion vector into European companies.
  • The SmokedHam backdoor is distributed disguised as legitimate IT utilities (RVTools, Remote Desktop Manager, PuTTY).
  • In some attacks, SmokedHam is followed by the deployment of the Qilin encryptor.
  • Operators use multiple layers of concealment: legitimate administrative tools, Cloudflare Workers, AWS.
  • The UNC2465 group, linked to past ransomware attacks, is likely behind the campaign.

Context and Implications

Using malvertising to distribute malware is not a new tactic, but its effectiveness is growing due to the ability to target specific professional groups. System administrators and IT professionals searching for work tools become priority targets. Since attacks target European organizations, companies need to tighten download controls, implement multi-factor authentication, and train employees to recognize suspicious ads.

Google AdInline article slot

For protection, it is recommended to use official download sources, verify installer digital signatures, and limit administrative privileges. It is also important to monitor network traffic for suspicious connections via Cloudflare Workers or AWS.

— Editorial Team

Advertisement 728x90

Read Next