SMOKELOADER
SmokeLoader is a malware loader/backdoor, also referred to as Dofoil, whose capabilities vary by the modules included in a given build. The content describes it as using deception and self-protection techniques, random API function calls, and a multi-stage decryption process. It uses HTTP for command-and-control, and some reporting notes that it may generate requests to legitimate sites such as microsoft.com, bing.com, and adobe.com to mask activity; downloads may also return HTTP 404 responses that still contain data in the response body.

SmokeLoader has been used both as a payload and as a delivery mechanism for other malware. Reported follow-on or associated payloads in the content include Phobos ransomware in 8Base intrusions, as well as Amadey and other commodity malware families. VMware Carbon Black reported that in 8Base activity, SmokeLoader provided initial obfuscation, unpacking, and loading of Phobos ransomware, while SystemBC encrypted command-and-control traffic. The malware is also mentioned in campaigns or ecosystems involving TA577 phishing operations, StealC-linked delivery chains, DanaBot-delivered payloads, and ErrTraffic campaigns. TA577, described in the content as a Russia-based threat group, has delivered SmokeLoader alongside Qbot, IcedID, SystemBC, Ursnif, Cobalt Strike, Pikabot, and DarkGate.

The content also links SmokeLoader to broader criminal loader ecosystems repeatedly targeted by Operation Endgame, including server seizures and disruption of botnet customers and infrastructure in 2024-2026. A specific IOC mentioned in the content is the MD5 hash e818a9afd55693d556a47002a7b7ef31, labeled as a SmokeLoader hash. As with any single-sample hash, it identifies one build only and will not match repacked or rebuilt variants, so it is a confirmation indicator rather than a hunting one.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment that, when launched, exploits years-old security flaws (e.g., CVE-2017-0199 and CVE-2017-11882) to drop a malware loader called Ande Loader, which is then used to deploy SmokeLoader on the compromised host. | Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware. "SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said.
The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09.
Groups observed using it
7 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
TA577 is a Russia-based threat group that has been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.
The SmokeLoader backdoor has a range of capabilities which depend on the modules included in any given build of the malware... 8Base uses SystemBC to encrypt command and control traffic and SmokeLoader, which provided initial obfuscation of the ransomware on ingress, unpacking, and loading of the Phobos ransomware.
This group originally specialized in the Panda banking malware in Italy and has since branched out to Poland, Germany, Spain, and Japan, using a variety of other malware including Chthonic, Smoke Loader, Nymaim, ZLoader, and finally URLZone in combination with Ursnif, both banking Trojans.
SMOKEY SPIDER is a cybercrime group that develops Smoke Loader (also known as Smoke Bot), a malicious bot that is used to upload other malware. Smoke Loader has been available since at least 2011, and operates as a malware distribution service for a number of different payloads, including—but not limited to—DanaBot, TrickBot, and Qakbot.
We identified and mapped a live SmokeLoader and Fuery botnet operation run by a single operator ("ingermany") using a custom Flask-based C2 panel disguised as an insurance SaaS application.
A SmokeLoader sample (bac70244...3958, module name wallpapers) shares an identical obfuscation framework with Fuery.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (2 techniques)
Execution (4 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system.
Persistence (5 techniques)
Contagious Interview has established persistence using InvisibleFerret malware to place a .bat file in the Startup Folder. TeamTNT has added batch scripts to the startup folder. Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.
Examples include APT3 placing scripts in the startup folder, APT32 using Run keys to execute PowerShell and VBS scripts, TA2541 placing VBS files in the Startup folder, TeamTNT adding batch scripts to the startup folder, and Smoke Loader adding a script in the Startup folder to deploy the payload.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
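The Run/RunOnce and Startup-folder persistence described above is cheap to hunt from endpoint telemetry. The following is an added example written for this page, not code from any of the vendor reports it cites: it scores Sysmon-style registry value-set (EventID 13) and file-create (EventID 11) records for the two patterns. The event records are constructed, and the path, extension and script-host lists are assumptions to tune for your own estate. One deliberate choice is not to allowlist explorer.exe as a writer, because SmokeLoader's main module runs inside an injected explorer.exe and would otherwise disappear from the results.

```python
"""Hunt Run/RunOnce registry writes and Startup-folder drops in Sysmon-style events.

Added example for this page, not code from any vendor report it cites. The
records below are constructed; their field names mirror Sysmon EventID 13
(RegistryEvent, value set) and EventID 11 (FileCreate).
"""
import re

SYSMON_REGISTRY_VALUE_SET = 13
SYSMON_FILE_CREATE = 11

# HKCU/HKLM ...\CurrentVersion\Run\<value> or RunOnce\<value>
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
# Per-user and all-users Startup folders, restricted to extensions loaders drop there
STARTUP_DROP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+"
    r"\.(bat|cmd|vbs|js|jse|wsf|hta|ps1|lnk|exe|scr)$", re.I)
# Paths a loader can write to without elevation (assumption: extend for your estate)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
# Script hosts and LOLBins that loader chains name in the Run value
SCRIPT_HOST_RE = re.compile(
    r"\b(wscript|cscript|powershell|pwsh|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)


def score_registry(ev):
    """Reasons a Run/RunOnce value-set event looks like loader persistence."""
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return []
    reasons = ["run_key_write"]
    # SmokeLoader's main module lives inside an injected explorer.exe, so the
    # writing image is not trusted on its own; the value contents are judged instead.
    details = ev.get("Details", "")
    if SCRIPT_HOST_RE.search(details):
        reasons.append("value_invokes_script_host")
    if USER_WRITABLE_RE.search(details):
        reasons.append("value_points_to_user_writable_path")
    if USER_WRITABLE_RE.search(ev.get("Image", "")):
        reasons.append("writer_runs_from_user_writable_path")
    # A bare Run-key write with no other signal is noise at fleet scale; drop it here.
    return reasons if len(reasons) > 1 else []


def score_file_create(ev):
    """Reasons a FileCreate event looks like a Startup-folder drop."""
    if not STARTUP_DROP_RE.search(ev.get("TargetFilename", "")):
        return []
    reasons = ["startup_folder_drop"]
    if USER_WRITABLE_RE.search(ev.get("Image", "")):
        reasons.append("writer_runs_from_user_writable_path")
    return reasons


def detect(events):
    """Return [(index, reasons)] for every event worth an analyst's look."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == SYSMON_REGISTRY_VALUE_SET:
            reasons = score_registry(ev)
        elif ev.get("EventID") == SYSMON_FILE_CREATE:
            reasons = score_file_create(ev)
        else:
            reasons = []
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample events (not from a real infection)
SAMPLE_EVENTS = [
    {   # Run value written from an (injected) explorer.exe, pointing at a VBS in AppData
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r'wscript.exe "C:\Users\bob\AppData\Roaming\upd.vbs"',
    },
    {   # batch file dropped into the per-user Startup folder by a Temp-resident binary
        "EventID": 11,
        "Image": r"C:\Users\bob\AppData\Local\Temp\3F2A.exe",
        "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows"
                          r"\Start Menu\Programs\Startup\launch.bat",
    },
    {   # benign vendor agent registering its tray icon
        "EventID": 13,
        "Image": r"C:\Program Files\Vendor\agent.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
        "Details": r'"C:\Program Files\Vendor\agent.exe" /tray',
    },
    {   # ordinary document save, not a Startup folder
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\bob\Documents\notes.txt",
    },
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], ", ".join(why))
```

Only the first two constructed events surface: the Run value that launches a script host from AppData, and the .bat landing in the Startup folder from a Temp-resident writer. The vendor agent's Run key carries none of the extra signals and is dropped; feed the same records into a real pipeline and keep the bare `run_key_write` events in a lower-priority bucket rather than discarding them.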
Privilege Escalation (5 techniques)
The Registry Run key, Startup folder, and scheduled task entries listed under Persistence apply here as well, since ATT&CK maps those techniques to both tactics. The remaining privilege escalation technique is process injection:
While the stager's purpose is to decrypt, decompress, and inject the main module into an explorer.exe process...
Stealth (5 techniques)
The malware is delivered in a variety of ways and is notorious for its use of deception and self-protection, using random API function calls and a multi-stage decryption process.
The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Defense Impairment (1 technique)
Credential Access (3 techniques)
The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies... from web browsers...
Discovery (2 techniques)
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection (1 technique)
Command and Control (3 techniques)
selection_domain_http:
  url.domain|endswith:
    - 'karma0.xyz'
    - 'random-strings.xyz'
    - 'decrypt-support.xyz'
    - 'supportpanel.xyz'
    - 'data-leaks.xyz'
    ...
selection_url_paths:
  url.path|contains:
    - '/gate.php'
    - '/index.php?id='
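The Sigma fragment above matches on domain suffix and gate path alone. The following added example, written for this page and not part of any vendor rule it quotes, runs that selection over proxy log lines and layers on the two behaviours described under Stealth: a 404 response that still carries a body, and requests to legitimate decoy sites (microsoft.com, bing.com, adobe.com) shortly before the gate request. The log lines are constructed in a Zeek http.log-like tab-separated layout; the field order, the scores, the 60-second decoy window and the hostnames other than the five quoted on the page are assumptions.

```python
"""Sigma-style SmokeLoader C2 triage over HTTP proxy log lines.

Added example for this page, not code from the page's vendor sources. The log
lines are constructed; the C2 domains and gate paths are the ones quoted in the
page's Sigma fragment, everything else is an assumption for illustration.
"""

FIELDS = ("ts", "orig_h", "host", "method", "uri", "status", "resp_len", "user_agent")

# Domains from the page's Sigma fragment (suffix match, as url.domain|endswith)
C2_DOMAIN_SUFFIXES = ("karma0.xyz", "random-strings.xyz", "decrypt-support.xyz",
                      "supportpanel.xyz", "data-leaks.xyz")
# Gate paths from the same fragment (substring match, as url.path|contains)
C2_PATH_SUBSTRINGS = ("/gate.php", "/index.php?id=")
# Legitimate sites the loader requests to blend in; these never alert on their own
DECOY_DOMAINS = ("microsoft.com", "bing.com", "adobe.com")
DECOY_WINDOW_S = 60.0   # assumption: decoy request shortly before the gate request
ALERT_THRESHOLD = 3     # assumption: tune against your own false-positive rate


def parse_http_log(text):
    """Parse tab-separated lines in FIELDS order; skip comments and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue            # malformed line: skip rather than abort the whole run
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        rec["status"] = int(rec["status"])
        rec["resp_len"] = int(rec["resp_len"])
        records.append(rec)
    return records


def domain_endswith(host, suffixes):
    """Label-boundary suffix match: 'notkarma0.xyz' must not match 'karma0.xyz'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def tag_record(rec):
    tags = set()
    if domain_endswith(rec["host"], C2_DOMAIN_SUFFIXES):
        tags.add("c2_domain")
    if any(p in rec["uri"] for p in C2_PATH_SUBSTRINGS):
        tags.add("c2_path")
    if rec["status"] == 404 and rec["resp_len"] > 0:
        tags.add("404_with_body")      # ordinary 404 pages have bodies too; weak alone
    if domain_endswith(rec["host"], DECOY_DOMAINS):
        tags.add("decoy")
    return tags


def score(tags):
    s = 0
    if "c2_domain" in tags:
        s += 3
    if "c2_path" in tags:
        s += 1                          # /index.php?id= is generic on its own
    if "404_with_body" in tags:
        s += 3 if "c2_path" in tags else 1   # 404 plus payload body on a gate path
    if "decoy_preceded" in tags:
        s += 1
    return s


def triage(records):
    """Return [(line_index, host, score, sorted tags)] at or above ALERT_THRESHOLD."""
    last_decoy = {}                      # orig_h -> ts of its latest decoy-domain request
    findings = []
    for i, rec in sorted(enumerate(records), key=lambda p: p[1]["ts"]):
        tags = tag_record(rec)
        if "decoy" in tags:
            last_decoy[rec["orig_h"]] = rec["ts"]
            continue                     # decoys only ever add context
        t = last_decoy.get(rec["orig_h"])
        if t is not None and 0 <= rec["ts"] - t <= DECOY_WINDOW_S \
                and ("c2_path" in tags or "c2_domain" in tags):
            tags.add("decoy_preceded")
        s = score(tags)
        if s >= ALERT_THRESHOLD:
            findings.append((i, rec["host"], s, sorted(tags)))
    return findings


# Constructed sample log, not captured traffic
SAMPLE_LOG = """\
1700000000.100\t10.0.0.5\twww.microsoft.com\tGET\t/\t200\t90000\tMozilla/4.0
1700000000.300\t10.0.0.5\twww.bing.com\tGET\t/\t200\t80000\tMozilla/4.0
1700000001.000\t10.0.0.5\tsupportpanel.xyz\tPOST\t/gate.php\t404\t21376\tMozilla/4.0
1700000200.000\t10.0.0.9\tcdn.example-vendor.net\tGET\t/index.php?id=42\t200\t512\tMozilla/5.0
1700000300.000\t10.0.0.7\twww.adobe.com\tGET\t/products\t404\t0\tMozilla/5.0
1700000400.000\t10.0.0.5\tupdates.karma0.xyz\tPOST\t/gate.php\t404\t16384\tMozilla/4.0
"""

if __name__ == "__main__":
    for idx, host, s, tags in triage(parse_http_log(SAMPLE_LOG)):
        print(idx, host, s, tags)
```

Two of the six constructed lines alert: the supportpanel.xyz POST scores highest because the decoy hits from the same client land within the window, and the karma0.xyz POST alerts on domain, gate path and the 404-with-body pattern alone. The `/index.php?id=42` request to an unrelated host stays below threshold, which is the point of weighting that path weakly. Note the suffix check is stricter than Sigma's `endswith`, which would also match `notkarma0.xyz`.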
IOCs tracked for this family
101 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
151 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware family in the dropper/loader ecosystem referenced as a prior law-enforcement target.
SmokeLoader is listed as a malware family delivered in StealC-linked activity.
SmokeLoader is referenced as a malware loader used to propagate Amadey and as a payload distributed within the Amadey ecosystem.
The disruption is the latest phase of Operation Endgame, which previously disrupted other malware families, such as DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.