SmokeLoader
Also known as: Dofoil, Sharik, Smoke, Smoke Loader
The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Linked Threat Actors
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 15, 2026 | 3 |
| Apr 14, 2026 | 25 |
| Apr 13, 2026 | 21 |
| Apr 12, 2026 | 34 |
| Apr 11, 2026 | 72 |
| Apr 10, 2026 | 44 |
| Apr 9, 2026 | 76 |
Further Reading
Explore the beauty of Seychelles and its C(2) Shore with our technology company. Discover the perfect blend of nature and innovation on this breathtaking island.
One of the oldest malware families that is still in use today learned some new tricks: A special way to encrypt CC server URLs.
The ZDI team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks.
Part 1 | A technical analysis of SmokeLoader changes through the years.
Two new SmokeLoader versions have been identified that fix significant bugs as well as introduce additional measures to evade static and behavior based detections.