SmokeLoader is a malware that generally acts as a backdoor and is commonly used as a loader for other malware.
SMOKELOADER
SmokeLoader, also known as Dofoil and SmokeLdr, is a long-running Windows malware family active since at least 2011 that primarily serves as a loader and backdoor for follow-on payloads.
Profile source: Mallory opens in a new tabSMOKELOADER
Family profile
SmokeLoader, also known as Dofoil and SmokeLdr, is a long-running Windows malware family active since at least 2011 that primarily serves as a loader and backdoor for follow-on payloads. It has been used in criminal operations to deliver additional malware, especially information stealers, and has been associated with the threat actor commonly tracked as Smoky Spider. It also appears in broader crimeware delivery ecosystems involving groups such as TA577 and ransomware operations including 8Base, where it has been used to stage or load later malware components.
SmokeLoader is characterized by heavy packing, runtime API resolution, code obfuscation, and anti-analysis protections. Reported samples use dynamic import reconstruction, API hashing, hidden or indirect control flow, on-demand code decryption, anti-debugging checks, anti-virtualization logic, and process or module enumeration to frustrate reverse engineering and automated analysis. Some variants also perform locale or keyboard-language checks to avoid infecting systems associated with parts of the CIS region.
A common execution pattern involves creating a legitimate process in a suspended state, unmapping its original image, writing a malicious payload into the remote process, adjusting thread context, and resuming execution. This process hollowing workflow has been observed both in unpacking shellcode and in later-stage execution. SmokeLoader has also been observed injecting into legitimate Windows processes such as explorer.exe, including section-based injection techniques, to conceal execution and support command-and-control activity or delivery of additional malware.
Operationally, SmokeLoader is most notable for enabling downstream compromise rather than acting as the final payload itself. Depending on the build and included modules, it can function as a backdoor with modular capabilities while downloading, unpacking, and launching secondary malware. It has been observed in phishing-driven intrusion chains and in malware distribution ecosystems where other loaders or potentially unwanted software can also install it. Its role in the cybercrime supply chain has made it a recurring target of international disruption efforts under Operation Endgame.
Capabilities
- Defense Evasion
- Initial Access
- Post Exploitation
- Process Injection
Reported operators
Threat actors
8 named in public reportingTA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.
The SmokeLoader backdoor with a range of capabilities which depend on the modules included in any given build of the malware... 8base uses SystemBC to encrypt command and control traffic and Smokeloader, which provided initial obfuscation of the ransomware on ingress, unpacking, and loading of the Phobos ransomware.
Originally specializing in the Panda banking malware in Italy, it has since branched out to Poland, Germany, Spain, and Japan, using a variety of other malware including Chthonic, Smoke Loader, Nymaim, ZLoader, and finally URLZone in combination with Ursnif, both banking Trojans.
SMOKEY SPIDER is a cybercrime group that develops Smoke Loader (also known as Smoke Bot), a malicious bot that is used to upload other malware. Smoke Loader has been available since at least 2011, and operates as a malware distribution service for a number of different payloads, including—but not limited to—DanaBot, TrickBot, and Qakbot.
We identified and mapped a live SmokeLoader and Fuery botnet operation run by a single operator ("ingermany") using a custom Flask-based C2 panel disguised as an insurance SaaS application.
A SmokeLoader sample (bac70244...3958, module name wallpapers) shares an identical obfuscation framework with Fuery.
"LockBit Group uses #Smokeloader in their attacks"
Exploited software
Vulnerabilities linked to SMOKELOADER
3 CVEsMITRE ATT&CK
SMOKELOADER in ATT&CK
76 distinct techniquesTechniques
76 techniquesReporting
Research mentioning SMOKELOADER
ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul
SmokeLoader6
Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul
SmokeLoader7
Targeting Cybercrime ‘Assembly Lines:’ Europol Announces Malware Crackdown - Decipher
Previously, the FBI and Europol targeted loaders like Bumblebee (in 2024), as well as others in the dropper/loader ecosystem like IcedID, Pikabot, and Smokeloader.
Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks
Proofpoint and IBM X-Force researchers observed StealC-linked activity delivering malware families, including the following: ... SmokeLoader ...
Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
Amadey has also been propagated via other loaders like Emmenhtal and SmokeLoader. ... A total of 53 unique clusters have been inside the Amadey ecosystem, with the largest botnet cluster distributing payloads like Lumma Stealer, Vidar Stealer, StealC, Rugmi, PureCrypter, Agent Tesla, Rhadmanthys Stealer, RedLine Stealer, SmokeLoader, XWorm, and AsyncRAT.
Bitsight Aids Disruption Efforts on Amadey & StealC Malware | Bitsight
Amadey is in turn also delivered by other loaders, with SmokeLoader among them.
Amadey, StealC malware operations disrupted in Operation Endgame action
The disruption is the latest phase of Operation Endgame, which previously disrupted other malware families, such as DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.
StealC you later: Proofpoint and IBM X-Force support Operation Endgame disruptions | IBM
Here is a non-exhaustive list of the malware families we observed being delivered as payloads: ... • SmokeLoader ...