Skip to content
Malware family Windows

SMOKELOADER

SmokeLoader, also known as Dofoil and SmokeLdr, is a long-running Windows malware family active since at least 2011 that primarily serves as a loader and backdoor for follow-on payloads.

Profile source: Mallory opens in a new tab

SMOKELOADER

Family profile

SmokeLoader, also known as Dofoil and SmokeLdr, is a long-running Windows malware family active since at least 2011 that primarily serves as a loader and backdoor for follow-on payloads. It has been used in criminal operations to deliver additional malware, especially information stealers, and has been associated with the threat actor commonly tracked as Smoky Spider. It also appears in broader crimeware delivery ecosystems involving groups such as TA577 and ransomware operations including 8Base, where it has been used to stage or load later malware components.

SmokeLoader is characterized by heavy packing, runtime API resolution, code obfuscation, and anti-analysis protections. Reported samples use dynamic import reconstruction, API hashing, hidden or indirect control flow, on-demand code decryption, anti-debugging checks, anti-virtualization logic, and process or module enumeration to frustrate reverse engineering and automated analysis. Some variants also perform locale or keyboard-language checks to avoid infecting systems associated with parts of the CIS region.

A common execution pattern involves creating a legitimate process in a suspended state, unmapping its original image, writing a malicious payload into the remote process, adjusting thread context, and resuming execution. This process hollowing workflow has been observed both in unpacking shellcode and in later-stage execution. SmokeLoader has also been observed injecting into legitimate Windows processes such as explorer.exe, including section-based injection techniques, to conceal execution and support command-and-control activity or delivery of additional malware.

Operationally, SmokeLoader is most notable for enabling downstream compromise rather than acting as the final payload itself. Depending on the build and included modules, it can function as a backdoor with modular capabilities while downloading, unpacking, and launching secondary malware. It has been observed in phishing-driven intrusion chains and in malware distribution ecosystems where other loaders or potentially unwanted software can also install it. Its role in the cybercrime supply chain has made it a recurring target of international disruption efforts under Operation Endgame.

Capabilities

  • Defense Evasion
  • Initial Access
  • Post Exploitation
  • Process Injection

Reported operators

Threat actors

8 named in public reporting
SMOKY SPIDER

SmokeLoader is a malware that generally acts as a backdoor and is commonly used as a loader for other malware.

TA577

TA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.

8Base

The SmokeLoader backdoor with a range of capabilities which depend on the modules included in any given build of the malware... 8base uses SystemBC to encrypt command and control traffic and Smokeloader, which provided initial obfuscation of the ransomware on ingress, unpacking, and loading of the Phobos ransomware.

TA544

Originally specializing in the Panda banking malware in Italy, it has since branched out to Poland, Germany, Spain, and Japan, using a variety of other malware including Chthonic, Smoke Loader, Nymaim, ZLoader, and finally URLZone in combination with Ursnif, both banking Trojans.

Smokey Spider

SMOKEY SPIDER is a cybercrime group that develops Smoke Loader (also known as Smoke Bot), a malicious bot that is used to upload other malware. Smoke Loader has been available since at least 2011, and operates as a malware distribution service for a number of different payloads, including—but not limited to—DanaBot, TrickBot, and Qakbot.

UAC-0006

We identified and mapped a live SmokeLoader and Fuery botnet operation run by a single operator ("ingermany") using a custom Flask-based C2 panel disguised as an insurance SaaS application.

ingermany

A SmokeLoader sample (bac70244...3958, module name wallpapers) shares an identical obfuscation framework with Fuery.

LockBit

"LockBit Group uses #Smokeloader in their attacks"

Exploited software

Vulnerabilities linked to SMOKELOADER

3 CVEs

MITRE ATT&CK

SMOKELOADER in ATT&CK

76 distinct techniques

Techniques

76 techniques
T1547.001 Registry Run Keys / Startup Folder T1027 Obfuscated Files or Information T1027.002 Software Packing T1497 Virtualization/Sandbox Evasion T1027.007 Dynamic API Resolution T1622 Debugger Evasion T1566 Phishing T1055.012 Process Hollowing T1055 Process Injection T1105 Ingress Tool Transfer T1106 Native API T1059.003 Windows Command Shell T1055.001 Dynamic-link Library Injection T1057 Process Discovery T1140 Deobfuscate/Decode Files or Information T1134 Access Token Manipulation T1620 Reflective Code Loading T1543 Create or Modify System Process T1566.001 Spearphishing Attachment T1129 Shared Modules T1497.001 System Checks T1036 Masquerading T1027.016 Junk Code Insertion T1614.001 System Language Discovery T1573 Encrypted Channel T1082 System Information Discovery T1071.001 Web Protocols T1012 Query Registry T1033 System Owner/User Discovery T1564.003 Hidden Window T1070.004 File Deletion T1071 Application Layer Protocol T1204.002 Malicious File T1083 File and Directory Discovery T1608.001 Upload Malware T1059.001 PowerShell T1555 Credentials from Password Stores T1539 Steal Web Session Cookie T1005 Data from Local System T1498 Network Denial of Service T1203 Exploitation for Client Execution T1037 Boot or Logon Initialization Scripts T1112 Modify Registry T1053.005 Scheduled Task T1555.003 Credentials from Web Browsers T1037.001 Logon Script (Windows) T1036.005 Match Legitimate Resource Name or Location T1583.003 Virtual Private Server T1070.006 Timestomp T1119 Automated Collection T1041 Exfiltration Over C2 Channel T1571 Non-Standard Port T1583.001 Domains T1553.002 Code Signing T1189 Drive-by Compromise T1036.001 Invalid Code Signature T1001 Data Obfuscation T1056 Input Capture T1480.002 Mutual Exclusion T1566.002 Spearphishing Link T1573.001 Symmetric Cryptography T1562.004 Disable or Modify System Firewall T1053 Scheduled Task/Job T1568 Dynamic Resolution T1204 User Execution T1059.005 Visual Basic T1027.009 Embedded Payloads T1027.013 Encrypted/Encoded File T1114.001 Local Email Collection T1190 Exploit Public-Facing Application T1552.001 Credentials In Files T1001.003 Protocol or Service Impersonation T1055.002 Portable Executable Injection T1588.002 Tool T1598 Phishing for Information T1055.004 Asynchronous Procedure Call

Reporting

Research mentioning SMOKELOADER

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

SmokeLoader6

Jul 7
Gurucul Threat Research

Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul

SmokeLoader7

Jun 25
Decipher Sc

Targeting Cybercrime ‘Assembly Lines:’ Europol Announces Malware Crackdown - Decipher

Previously, the FBI and Europol targeted loaders like Bumblebee (in 2024), as well as others in the dropper/loader ecosystem like IcedID, Pikabot, and Smokeloader.

Jun 24
Hackread

Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks

Proofpoint and IBM X-Force researchers observed StealC-linked activity delivering malware families, including the following: ... SmokeLoader ...

Jun 24
The Hacker News

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

Amadey has also been propagated via other loaders like Emmenhtal and SmokeLoader. ... A total of 53 unique clusters have been inside the Amadey ecosystem, with the largest botnet cluster distributing payloads like Lumma Stealer, Vidar Stealer, StealC, Rugmi, PureCrypter, Agent Tesla, Rhadmanthys Stealer, RedLine Stealer, SmokeLoader, XWorm, and AsyncRAT.

Jun 24
Bitsight

Bitsight Aids Disruption Efforts on Amadey & StealC Malware | Bitsight

Amadey is in turn also delivered by other loaders, with SmokeLoader among them.

Jun 24
Bleeping Computer

Amadey, StealC malware operations disrupted in Operation Endgame action

The disruption is the latest phase of Operation Endgame, which previously disrupted other malware families, such as DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.

Jun 24
Ibm

StealC you later: Proofpoint and IBM X-Force support Operation Endgame disruptions | IBM

Here is a non-exhaustive list of the malware families we observed being delivered as payloads: ... • SmokeLoader ...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.