Published on: December 6, 2024
A new cyber threat linked to the well-known UNC2465 group has security experts sounding the alarm. UNC2465, previously associated with the infamous Darkside ransomware group, is deploying a sophisticated Windows backdoor dubbed “Smoked Ham.” Despite law enforcement disruptions to Darkside and similar groups, UNC2465 has adapted its methods, leveraging the backdoor to infiltrate networks and maintain persistent access.
According to researchers at Trac-Labs, Smoked Ham is delivered through phishing emails, malicious ads on platforms like Google and Bing, and trojanized software installers. In a worrying twist, the malware's payloads are often hosted on widely trusted platforms such as Google Drive and Dropbox, so downloads from these reputable domains can slip past some security controls.
“UNC2465 is a cyber threat cluster known for conducting multifaceted extortion campaigns, including supply chain attacks and ransomware deployments. In recent activity, UNC2465 has leveraged trojanized installers disguised as legitimate tools, such as KeyStore Explorer and Angry IP Scanner, to deliver SMOKEDHAM payloads,” the researchers stated.
Security researchers warn that although groups like Darkside may disband, their affiliates continue to refine their tactics. Organizations are urged to implement robust endpoint detection, educate employees about phishing and malvertising, and remain vigilant against signs of unauthorized network activity.
This analysis reinforces the need for organizations to stay one step ahead of increasingly innovative cybercriminals. As UNC2465 shifts its focus and methodologies, security experts emphasize the importance of layered defenses and proactive threat hunting to mitigate risks.