SMOKEDHAM
SMOKEDHAM is a lightweight, adaptable .NET-based backdoor associated with UNC2465 and used in intrusions linked to DarkSide ransomware deployment. Reported delivery vectors include phishing emails and trojanized software installers; in one supply-chain intrusion involving SmartPSS and SVStation, the trojanized packages were Nullsoft installers. The malware has also been described as spread through malvertising campaigns. The SMOKEDHAM source code is embedded in its dropper as an encrypted string.
Observed capabilities include execution of PowerShell commands and arbitrary .NET commands received from its command-and-control (C2) server, keylogging, screenshot capture, exfiltration of data to the C2 server, and host/user discovery. It has used whoami to identify system owners and net.exe user / net.exe users to enumerate local accounts. Its C2 traffic has been encoded with Base64.
SMOKEDHAM has modified Windows Registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP. In one documented UNC2465 intrusion, SMOKEDHAM established persistence for an ngrok-based tunneling component by adding VirtualHost.vbs to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run under the value WindNT. SMOKEDHAM also used PowerShell to connect to third-party file-sharing sites and download an ngrok utility; UNC2465 was observed using Google Drive and Dropbox to host files downloaded by victims via malicious links. In the same activity, a legitimate ngrok binary renamed to conhost.exe and configured with ngrok.yml was used to expose remote access services, including tunneling UltraVNC traffic.
Additional reported behaviors include creating user accounts and supporting follow-on access and lateral movement. Known infrastructure and indicators reported for this family include SMOKEDHAM C2 hosts max-ghoster1.azureedge[.]net, atlant20.azureedge[.]net, and skolibri13.azureedge[.]net; loader samples including Gbdh7yghJgbj3bb.html (MD5: f075c2894ac84df4805e8ccf6491a4f4) and another sample with MD5 05d38c7e957092f7d0ebfc7bf1eb5365; VirtualHost.vbs (MD5: 84ed6012ec62b0bddcd18058a8ff7ddd); and a renamed legitimate ngrok binary conhost.exe (MD5: e3bc4dd84f7a24f24d790cc289e0a10f).
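As an added illustration (not part of the original reporting), the following Python hunt logic flags the two registry changes this page attributes to SMOKEDHAM: a Run-key value that launches a script such as VirtualHost.vbs under the value WindNT, and the WDigest UseLogonCredential value being set to 1 as noted in the technique entries below. The sample records are constructed in Sysmon Event ID 13 (RegistryEvent, value set) shape; the field names and the "DWORD (0x...)" formatting are assumptions about that format rather than captured telemetry.

```python
import re

# Run/RunOnce keys under any hive; Sysmon writes HKCU paths as HKU\<SID>\...
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# WDigest cleartext-credential switch (assumed Sysmon TargetObject spelling).
WDIGEST_RE = re.compile(
    r"\\Control\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I)
# Script payloads or script hosts in the Run-key value data.
SCRIPT_HOST_RE = re.compile(r"\.(vbs|js|bat|ps1)\b|wscript|cscript", re.I)


def classify(event):
    """Return a finding label for one registry-set event, or None if benign."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if RUN_KEY_RE.search(target) and SCRIPT_HOST_RE.search(details):
        # Scripts in Run keys are not always malicious; treat as a hunt lead.
        return "run_key_script_persistence"
    if WDIGEST_RE.search(target) and details.strip().upper() in ("DWORD (0X00000001)", "1"):
        return "wdigest_cleartext_enabled"
    return None


def hunt(events):
    """Return (TargetObject, label) pairs for every event that matches a rule."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["TargetObject"], label))
    return findings


# Constructed sample events; SID and user name are placeholders, not real data.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindNT",
     "Details": r"wscript.exe C:\Users\alice\AppData\Roaming\VirtualHost.vbs"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,  # benign auto-start: an executable, not a script host
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for target, label in hunt(SAMPLE_EVENTS):
        print(f"{label}: {target}")
```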
Groups observed using it
1 distinct threat actor attributed by public researchers.
UNC2465 now uses phishing emails to deliver DarkSide via the Smokedham .NET backdoor. Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (3 techniques)
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Persistence (5 techniques)
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
APT3 has been known to create or enable accounts, such as support_388945a0. ... APT5 has created Local Administrator accounts to maintain access ... DarkGate creates a local user account, SafeMode, via net user commands.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Operation Wocao enabled WDigest by changing the HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest registry value from 0 (disabled) to 1 (enabled); Wizard Spider modified WDigest UseLogonCredential to 1 to force credentials to be stored in clear text in memory.
Privilege Escalation (1 technique)
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Defense Impairment (2 techniques)
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
Operation Wocao enabled WDigest by changing the HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest registry value from 0 (disabled) to 1 (enabled); Wizard Spider modified WDigest UseLogonCredential to 1 to force credentials to be stored in clear text in memory.
Credential Access (2 techniques)
Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation
Operation Wocao enabled WDigest by changing the HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest registry value from 0 (disabled) to 1 (enabled); Wizard Spider modified WDigest UseLogonCredential to 1 to force credentials to be stored in clear text in memory.
Discovery (3 techniques)
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
“actors used the following commands… to enumerate user accounts: net user >> %temp%\download; net user /domain >> %temp%\download … APT1 used the commands net localgroup, net user, and net group to find accounts… APT32 enumerated administrative users using the commands net localgroup administrators … OilRig has run net user, net user /domain, net group "domain admins" /domain …”
Lateral Movement (1 technique)
Aquatic Panda modified the victim registry to enable the RestrictedAdmin mode feature, allowing for pass the hash behaviors to function via RDP. SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP). SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.
Collection (2 techniques)
Command and Control (4 techniques)
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
“APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads… EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads… Bumblebee has been downloaded… from OneDrive… Operation Spalax… used OneDrive and MediaFire to host payloads… Raspberry Robin… payloads… on Discord servers.”
Exfiltration (1 technique)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
30 sources tracked across advisories, community write-ups, and news.
A stealthy backdoor used by UNC2465 for initial access, persistence, reconnaissance, lateral movement, and enabling extortion/ransomware deployment. It is delivered via trojanized installers (e.g., KeyStore Explorer, Angry IP Scanner), uses DLL side-loading and PowerShell obfuscation, manipulates Windows services (e.g., MSDTC) for persistence/privilege escalation, and communicates with C2 using techniques like domain fronting (e.g., Cloudflare Workers) to obscure traffic origins while executing arbitrary PowerShell commands and exfiltrating recon data.
Enterprise New Software: ... SMOKEDHAM
SMOKEDHAM is a .NET-based backdoor that provides remote access to compromised systems. It supports commands such as screen capture, keystroke logging, and execution of arbitrary PowerShell commands. It communicates with its C2 server using HTTPS and domain fronting, and uses RC4 encryption for command and data exchange. It is deployed via a PowerShell dropper and is used for persistence, lateral movement, and credential harvesting.
Smokedham is a .NET backdoor used to deliver DarkSide ransomware and provides capabilities including arbitrary .NET command execution, keylogging, and screenshot capture.