One “wrong click” on a search engine link can cost you all of your data.

At the beginning of 2026, search ads once again became a convenient cover for attacks on European companies. Orange Cyberdefense has described infection chains in which the SmokedHam backdoor was distributed under the guise of familiar IT utilities, and in one of the incidents the intrusion went as far as the Qilin ransomware. According to the team, the campaign may be the work of a figure who is well known in cybersecurity circles and associated with high-profile attacks of past years.
From February to early April, the Orange Cyberdefense CERT handled several incidents at three customers in Europe. In all cases, the attackers used malicious advertising and disguised infected installers as legitimate tools, including PVTools and Remote Desktop Manager. After the fake installer was launched, SmokedHam appeared on the devices.
In one of the incidents, the infection was not limited to covert access: the attack ended with the deployment of Qilin. To hide their activity, the operators used two employee-monitoring products and blended malicious actions with conventional administrative tools, including PuTTY, Kitty, Zoho Assist and Total Commander. The infrastructure also included Cloudflare Workers, used to hide the real traffic route, and standard AWS endpoints.
Orange Cyberdefense attributes the campaign to UNC2465 with moderate confidence. Analysts point out that the group, or an associated partner, previously appeared in attacks using DarkSide, LockBit and Hunters International. The link is based on overlaps in tactics, techniques and infrastructure.
The authors of the report paid special attention to SmokedHam itself. The team compared more than 30 samples collected in 2025 and 2026 and concluded that the operator is changing its tooling rapidly. Different variants use different delivery and persistence methods, which points to constant refinement of the arsenal and a high level of attacker activity.
The experts also found several malicious domains through which SmokedHam was distributed. These sites relied on malvertising and served infected files posing as popular utility programs. According to Orange Cyberdefense's observations, attackers' interest in European organizations has become more noticeable since the beginning of 2026.
