Our CERT is releasing new research into UNC2465, a ransomware affiliate actively distributing Qilin across Europe. A TLP:RED version of this research was presented during @botconf 2026.

https://www.orangecyberdefense.com/global/blog/cert-news/smoking-out-an-affiliate-smokedham-qilin-a-few-google-ads-and-some-bossware

UNC2465 primarily relies on malvertising to distribute the SmokedHam backdoor. By pivoting on its delivery infrastructure, we identified a large number of spoofed software like RVTools, @hornetsecurity, Angry IP Scanner, Remote Desktop Manager...

UNC2465 also relies on bossware like ControlioNet and Teramindco to further blend malicious actions with normal activity and avoid detection.

IOCs are available here: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs

#CTI #ThreatIntel #SmokedHam #UNC2465 #ransomware #Qilin #rvtools #bossware