Derp.ca

SmokeLoader

Also known as: Dofoil, Sharik, Smoke, Smoke Loader

The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.

Linked Threat Actors

SMOKY SPIDERUAC-0006

C2 Infrastructure

Hosting/VPS91%
ISP/Residential9%

Last 7 days

Apr 19, 2026
C2 Hosts: 6
Apr 18, 2026
C2 Hosts: 10
Apr 16, 2026
C2 Hosts: 2
Apr 15, 2026
C2 Hosts: 3
Apr 14, 2026
C2 Hosts: 25
Apr 13, 2026
C2 Hosts: 21

Further Reading

Exploring Seychelles: Team Cymru's Tech Adventure

Explore the beauty of Seychelles and its C(2) Shore with our technology company. Discover the perfect blend of nature and innovation on this breathtaking island.

team-cymru.com
Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs

One of the oldest malware families that is still in use today learned some new tricks: A special way to encrypt CC server URLs.

telekom.com
CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

The ZDI team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks.

trendmicro.com
SmokeLoader History | ThreatLabz

Part 1 | A technical analysis of SmokeLoader changes through the years.

zscaler.com
Technical Analysis of SmokeLoader Version 2025 | ThreatLabz

Two new SmokeLoader versions have been identified that fix significant bugs as well as introduce additional measures to evade static and behavior based detections.

zscaler.com