Security Alerts

8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

Cisco Talos has identified a new Phobos ransomware variant being used by the 8Base group in financially motivated attacks. 8Base, active since at least March 2022, delivers Phobos through SmokeLoader, a backdoor trojan, in an unusual way: the ransomware is carried as an encrypted payload that is decrypted and loaded directly into SmokeLoader's process memory during 8Base campaigns. Embedding ransomware inside an existing trojan in this manner is what Talos found distinctive about 8Base. SmokeLoader acts as the launchpad for the Phobos payload, which then runs through a pre-encryption checklist: establishing persistence, terminating processes, disabling system recovery, deleting backups and removing volume shadow copies. Phobos itself follows a structured encryption scheme built around a single hard-coded RSA public key; if the corresponding private key were ever recovered, files encrypted under that key could be decrypted. The campaign illustrates ransomware operators repurposing established loaders rather than building their own delivery tooling.
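The recovery-inhibition steps listed above (disabling system recovery, deleting backups, removing shadow copies) are the part of the chain a defender can see in process-creation telemetry before encryption starts. The following is an added detection example written for this page; it is not code from Cisco Talos or from the article, and the report does not publish the exact command lines. It assumes a simplified Sysmon-style process-creation record with a host, a parent image and a command line, matches the command lines against the commonly documented Windows utilities for these actions (vssadmin, wmic, bcdedit, wbadmin), and only alerts when one parent process on one host triggers at least two distinct categories within a short window, which is the pattern a loader launching a ransomware payload produces. The sample events, hostnames and the parent path are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified Sysmon EventID 1 shape.
# Hosts, timestamps and the parent image path are invented for this example;
# the command lines are the usual Windows utilities for each action, not
# strings taken from the Talos report.
SAMPLE_EVENTS = [
    {"ts": "2023-11-20T09:14:02", "host": "WS-017", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-11-20T09:14:03", "host": "WS-017", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2023-11-20T09:14:04", "host": "WS-017", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2023-11-20T09:14:04", "host": "WS-017", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2023-11-20T09:14:05", "host": "WS-017", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    # Benign-looking: an admin pruning shadow copies from an interactive shell,
    # with nothing else from that parent. Matches one category only.
    {"ts": "2023-11-20T11:02:10", "host": "SRV-BK1", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "vssadmin delete shadows /for=D: /oldest"},
    # Benign: a scheduled backup job. Matches nothing.
    {"ts": "2023-11-20T11:30:00", "host": "SRV-BK1", "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
]

# Each rule maps a command-line pattern to one of the recovery-inhibition
# categories the article attributes to the Phobos payload.
RULES = [
    ("shadow_copy_removal", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_removal", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
]


def classify(cmdline):
    """Return the set of categories a single command line matches (empty if none)."""
    return {cat for cat, rx in RULES if rx.search(cmdline)}


def correlate(events, window=timedelta(seconds=60), min_categories=2):
    """Group matching events by (host, parent image) and raise one alert per
    chain that reaches at least `min_categories` distinct categories inside
    `window`. A lone shadow-copy deletion never alerts on its own; the same
    parent also disabling recovery or deleting backups does."""
    by_chain = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats:
            by_chain[(ev["host"], ev["parent"])].append(
                (datetime.fromisoformat(ev["ts"]), cats, ev["cmdline"]))

    alerts = []
    for (host, parent), hits in by_chain.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = set().union(*(h[1] for h in in_window))
            if len(cats) >= min_categories:
                alerts.append({
                    "host": host,
                    "parent": parent,
                    "categories": sorted(cats),
                    "commands": [h[2] for h in in_window],
                })
                break  # one alert per chain is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} parent={alert['parent']} "
              f"categories={alert['categories']}")
        for cmd in alert["commands"]:
            print("    ", cmd)
```

Keying the correlation on the parent image rather than the host alone matters here: the article describes SmokeLoader as the launchpad, so the recovery-inhibition commands share a parent, while an administrator's one-off vssadmin call from cmd.exe stays below the threshold. In a real pipeline the parent path would also be compared against an allow-list of backup software, and the window tuned to the telemetry's timestamp resolution.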

Link

https://thehackernews.com/2023/11/8base-group-deploying-new-phobos.html