| SYMBOL | COMMON_NAME | aka. SYNONYMS |
win.smokeloader (Back to overview)
SmokeLoader
aka: Dofoil, Sharik, Smoke, Smoke Loader
Actor(s): SMOKY SPIDER, UAC-0006
The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
References
| 2025-04-09
⋅
Europol
⋅
Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns SmokeLoader |
| 2025-03-28
⋅
Intrinsec
⋅
From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025 sLoad NetSupportManager RAT Remcos SmokeLoader |
| 2025-02-06
⋅
Hunt.io
⋅
SmokeLoader Malware Found in Open Directories Targeting Ukraine’s Auto & Banking Industries SmokeLoader |
| 2025-02-04
⋅
Trend Micro
⋅
CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks SmokeLoader |
| 2024-12-02
⋅
FortiGuard Labs
⋅
SmokeLoader Attack Targets Companies in Taiwan SmokeLoader |
| 2024-11-07
⋅
Perception Point
⋅
Evasive ZIP Concatenation: Trojan Targets Windows Users SmokeLoader |
| 2024-10-17
⋅
Loader Insight Agency
⋅
Correlating Vidar Stealer Build IDs Based on Loader Tasks Lumma Stealer SmokeLoader Vidar |
| 2024-07-02
⋅
Sekoia
⋅
Exposing FakeBat loader: distribution methods and adversary infrastructure BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar |
| 2024-06-11
⋅
Zscaler
⋅
A Brief History of SmokeLoader, Part 1 SmokeLoader |
| 2024-05-30
⋅
Europol
⋅
Largest ever operation against botnets hits dropper malware ecosystem BumbleBee IcedID SmokeLoader SystemBC TrickBot |
| 2024-03-05
⋅
CIP
⋅
Semi-Annual Chronicles of UAC-0006 Operations SmokeLoader |
| 2024-03-01
⋅
farghlymal github.io
⋅
Taking a deep dive into SmokeLoader SmokeLoader |
| 2024-02-28
⋅
Spamhaus
⋅
Toot about SmokeLoader dropping Xehook Stealer SmokeLoader |
| 2024-01-30
⋅
ANY.RUN
⋅
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP |
| 2024-01-06
⋅
irfan_eternal
⋅
Understanding Internals of SmokeLoader SmokeLoader |
| 2023-11-19
⋅
Twitter (@embee_research)
⋅
Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike Amadey Cobalt Strike RedLine Stealer SmokeLoader |
| 2023-10-24
⋅
National Security and Defense Council of Ukraine
⋅
The Surge in SmokeLoader Attacks on Ukrainian Institutions SmokeLoader |
| 2023-10-12
⋅
Cluster25
⋅
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations Agent Tesla Crimson RAT Nanocore RAT SmokeLoader |
| 2023-09-28
⋅
HarfangLab
⋅
Loader Galore - TaskLoader at the start of a Pay-per-Install Infection Chain CustomerLoader Fabookie LgoogLoader SmokeLoader |
| 2023-08-23
⋅
Logpoint
⋅
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses 8Base Phobos SmokeLoader SystemBC |
| 2023-07-17
⋅
Acronis
⋅
8Base ransomware stays unseen for a year 8Base Phobos SmokeLoader |
| 2023-06-28
⋅
vmware
⋅
8Base Ransomware: A Heavy Hitting Player 8Base Phobos SmokeLoader SystemBC |
| 2023-06-24
⋅
Twitter (@embee_research)
⋅
SmokeLoader - Malware Analysis and Decoding With Procmon SmokeLoader |
| 2023-02-27
⋅
PRODAFT Threat Intelligence
⋅
RIG Exploit Kit: In-Depth Analysis Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader |
| 2022-11-19
⋅
Malwarology
⋅
Malicious Packer pkr_ce1a SmokeLoader Vidar |
| 2022-11-17
⋅
Trellix
⋅
Trellix Insights: SmokeLoader Exploits Old Vulnerabilities to Drop zgRAT SmokeLoader zgRAT |
| 2022-10-07
⋅
YouTube (BSides Portland)
⋅
SmokeLoader - The Pandora's box of Tricks SmokeLoader |
| 2022-09-29
⋅
Team Cymru
⋅
Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM. Amadey Raccoon RedLine Stealer SmokeLoader STOP |
| 2022-09-26
⋅
Kaspersky
⋅
NullMixer: oodles of Trojans in a single dropper ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar |
| 2022-09-15
⋅
Sekoia
⋅
PrivateLoader: the loader of the prevalent ruzki PPI service Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer |
| 2022-08-31
⋅
BitSight
⋅
Tracking PrivateLoader: Malware Distribution Service PrivateLoader RedLine Stealer SmokeLoader |
| 2022-08-30
⋅
Github (vc0RExor)
⋅
SmokeLoader - Quick-Analysis SmokeLoader |
| 2022-08-25
⋅
OALabs
⋅
SmokeLoader Triage Taking a look how Smoke Loader works SmokeLoader |
| 2022-08-08
⋅
Fortinet
⋅
Life After Death - SmokeLoader Continues to Haunt Using Old Vulnerabilities SmokeLoader zgRAT |
| 2022-08-08
⋅
Medium CSIS Techblog
⋅
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader |
| 2022-07-29
⋅
Blackberry
⋅
SmokeLoader Malware Used to Augment Amadey Infostealer Amadey SmokeLoader |
| 2022-07-27
⋅
Darktrace
⋅
PrivateLoader: Network-Based Indicators of Compromise PrivateLoader SmokeLoader |
| 2022-07-21
⋅
AhnLab
⋅
Amadey Bot Being Distributed Through SmokeLoader Amadey SmokeLoader |
| 2022-06-21
⋅
SonicWall
⋅
HTML Application Files are being used to distribute Smoke Loader Malware SmokeLoader |
| 2022-04-20
⋅
CISA
⋅
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet |
| 2022-04-20
⋅
CISA
⋅
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader |
| 2022-04-12
⋅
AhnLab
⋅
SystemBC Being Used by Various Attackers Emotet SmokeLoader SystemBC |
| 2022-02-18
⋅
Bleeping Computer
⋅
New Golang botnet empties Windows users’ cryptocurrency wallets Anubis Loader SmokeLoader |
| 2022-02-17
⋅
Blackberry
⋅
Threat Thursday: Arkei Infostealer Expands Reach Using SmokeLoader to Target Crypto Wallets and MFA Arkei Stealer SmokeLoader |
| 2022-02-08
⋅
Intel 471
⋅
PrivateLoader: The first step in many malware schemes Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar |
| 2022-01-01
⋅
Silent Push
⋅
Privacy tools (not) for you SmokeLoader |
| 2021-06-17
⋅
Analysis of SmokeLoader SmokeLoader |
| 2021-06-10
⋅
ZAYOTEM
⋅
SmokeLoader Technical Analysis Report SmokeLoader |
| 2021-05-26
⋅
DeepInstinct
⋅
A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
| 2021-05-19
⋅
Intel 471
⋅
Look how many cybercriminals love Cobalt Strike BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
| 2021-04-12
⋅
PTSecurity
⋅
PaaS, or how hackers evade antivirus software Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader |
| 2021-03-21
⋅
Blackberry
⋅
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
| 2021-03-18
⋅
Proofpoint
⋅
Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft CopperStealer SmokeLoader |
| 2021-02-23
⋅
CrowdStrike
⋅
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
| 2021-02-18
⋅
PTSecurity
⋅
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader |
| 2021-02-02
⋅
⋅
CRONUP
⋅
De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
| 2021-02-01
⋅
Microsoft
⋅
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations Dridex Emotet Makop Ransomware SmokeLoader TrickBot |
| 2021-01-18
⋅
Medium csis-techblog
⋅
GCleaner — Garbage Provider Since 2019 Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP |
| 2021-01-11
⋅
AhnLab
⋅
Smoke Loader Learns New Tricks SmokeLoader |
| 2021-01-09
⋅
Marco Ramilli's Blog
⋅
Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
| 2020-12-23
⋅
0xC0DECAFE
⋅
Detect RC4 in (malicious) binaries SmokeLoader Zloader |
| 2020-12-21
⋅
Cisco Talos
⋅
2020: The year in malware WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader |
| 2020-12-17
⋅
Telekom
⋅
Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs SmokeLoader |
| 2020-09-09
⋅
Malwarebytes
⋅
Malvertising campaigns come back in full swing Raccoon SmokeLoader |
| 2020-09-02
⋅
Cisco Talos
⋅
Salfram: Robbing the place without removing your name tag Ave Maria ISFB SmokeLoader Zloader |
| 2020-08-27
⋅
Hatching.io
⋅
Smokeloader Analysis and More Family Detections SmokeLoader |
| 2020-06-22
⋅
m.alvar.es
⋅
Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case SmokeLoader |
| 2020-06-21
⋅
N1ght-W0lf Blog
⋅
Deep Analysis of SmokeLoader SmokeLoader |
| 2020-06-10
⋅
m.alvar.es
⋅
Unpacking Smokeloader and Reconstructing PE Programatically using LIEF SmokeLoader |
| 2020-05-24
⋅
Positive Technologies
⋅
Operation TA505: network infrastructure. Part 3. AndroMut Buhtrap SmokeLoader |
| 2020-05-24
⋅
Malware and Stuff
⋅
Examining Smokeloader’s Anti Hooking technique SmokeLoader |
| 2020-03-04
⋅
CrowdStrike
⋅
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
| 2020-02-18
⋅
Github (DanusMinimus)
⋅
Analyzing Modern Malware Techniques Part 4: I’m afraid of no packer(Part 1 of 2) SmokeLoader |
| 2019-11-21
⋅
SentinelOne
⋅
Going Deep | A Guide to Reversing Smoke Loader Malware SmokeLoader |
| 2019-10-31
⋅
m.alvar.es
⋅
Dynamic Imports and Working Around Indirect Calls - Smokeloader Study Case SmokeLoader |
| 2019-08-05
⋅
security.neurolabs
⋅
Smokeloader's Hardcoded Domains - Sneaky Third Party Vendor or Cheap Buyer? SmokeLoader |
| 2019-07-09
⋅
Check Point
⋅
The 2019 Resurgence of Smokeloader SmokeLoader |
| 2019-05-02
⋅
Proofpoint
⋅
2019: The Return of Retefe Dok Retefe SmokeLoader |
| 2018-12-19
⋅
Palo Alto Networks Unit 42
⋅
Analysis of Smoke Loader in New Tsunami Campaign SmokeLoader |
| 2018-09-18
⋅
int 0xcc blog
⋅
A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait SmokeLoader |
| 2018-08-14
⋅
Plug it, play it, burn it, rip it
⋅
Anti-Hooking checks of SmokeLoader 2018 SmokeLoader |
| 2018-07-18
⋅
CERT.PL
⋅
Dissecting Smoke Loader SmokeLoader |
| 2018-07-03
⋅
Talos Intelligence
⋅
Smoking Guns - Smoke Loader learned new tricks SmokeLoader TrickBot |
| 2018-04-16
⋅
Spamhaus
⋅
Smoke Loader malware improves after Microsoft spoils its Campaign SmokeLoader |
| 2018-04-04
⋅
Microsoft
⋅
Hunting down Dofoil with Windows Defender ATP SmokeLoader |
| 2018-01-12
⋅
Malwarebytes
⋅
Fake Spectre and Meltdown patch pushes Smoke Loader malware SmokeLoader |
| 2017-08-24
⋅
Blaze's Security Blog
⋅
Crystal Finance Millennium used to spread malware Chthonic SmokeLoader |
| 2017-08-04
⋅
PhishLabs
⋅
Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis SmokeLoader |
| 2017-04-03
⋅
Malware Breakdown
⋅
Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader SmokeLoader |
| 2016-10-17
⋅
Malwarebytes
⋅
New-looking Sundown EK drops Smoke Loader, Kronos banker Kronos SmokeLoader |
| 2016-08-05
⋅
Malwarebytes
⋅
Smoke Loader – downloader with a smokescreen still alive SmokeLoader |
| 2014-10-05
⋅
Eternal Todo
⋅
Dissecting SmokeLoader (or Yulia's sweet ass proposition) SmokeLoader |