SmokeLoader

Also known as: Dofoil, Sharik, Smoke, Smoke Loader

The SmokeLoader family is a generic backdoor whose capabilities depend on the modules included in any given build of the malware. It is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
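As an added illustration (not code from this page or from any vendor listed on it) of how a defender might hunt for the pattern just described, the Python below scans constructed, Zeek-style http.log records for 404 responses that still carry a sizeable non-HTML body and reports how many requests to the decoy domains the same source made beforehand. The field layout, thresholds and host names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry), tab-separated:
# ts, src_ip, host, uri, status, body_len, mime
SAMPLE_LOG = """\
1.0\t10.0.0.5\twww.microsoft.com\t/\t200\t51234\ttext/html
2.0\t10.0.0.5\twww.bing.com\t/\t200\t81230\ttext/html
3.0\t10.0.0.5\twww.adobe.com\t/\t200\t64210\ttext/html
4.0\t10.0.0.5\texample-c2.invalid\t/index.php\t404\t30720\tapplication/octet-stream
5.0\t10.0.0.7\twww.example.org\t/missing\t404\t512\ttext/html
6.0\t10.0.0.9\tcdn.example.net\t/lib.js\t404\t0\t-
"""

# Legitimate sites the page names as decoy traffic (assumed www. hosts).
DECOY_HOSTS = {"www.microsoft.com", "www.bing.com", "www.adobe.com"}
MIN_404_BODY = 4096  # bytes; an ordinary "not found" page is small


def parse_http_log(text):
    """Yield one dict per non-empty record of the assumed layout."""
    keys = ("ts", "src", "host", "uri", "status", "body_len", "mime")
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(keys, line.split("\t")))
        rec["status"] = int(rec["status"])
        rec["body_len"] = int(rec["body_len"])
        yield rec


def find_suspicious_404s(text, min_body=MIN_404_BODY):
    """Return (src, host, body_len, prior_decoy_requests) for every 404
    whose body is larger than a plausible error page and not HTML."""
    decoys_seen = defaultdict(int)  # per-source count of decoy requests
    hits = []
    for rec in parse_http_log(text):
        if rec["host"] in DECOY_HOSTS:
            decoys_seen[rec["src"]] += 1
            continue
        if (rec["status"] == 404 and rec["body_len"] >= min_body
                and not rec["mime"].startswith("text/html")):
            hits.append((rec["src"], rec["host"], rec["body_len"],
                         decoys_seen[rec["src"]]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_404s(SAMPLE_LOG):
        print("404 with data in body:", hit)
```

The decoy count is context rather than a verdict: a burst of requests to well-known sites followed by a data-bearing 404 from an unfamiliar host is the combination worth triaging.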

Linked Threat Actors

SMOKY SPIDER
UAC-0006

C2 Infrastructure

Hosting/VPS 97%
ISP/Residential 3%

Last 7 days

Jun 2, 2026
C2 Hosts: 3
Jun 1, 2026
C2 Hosts: 13
May 28, 2026
C2 Hosts: 19

Further Reading

PrivateLoader: the loader of the prevalent ruzki PPI service (blog.sekoia.io)
PrivateLoader is a downloader malware family. It is used as part of a PPI service to deliver payloads of multiple malware families.

TrellixThrive (kcm.trellix.com)

NullMixer drops Redline Stealer, SmokeLoader and other malware (securelist.com)
NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others.

Tracking PrivateLoader: Malware Distribution Service | Bitsight Research (bitsight.com)
Latest analysis of PrivateLoader's continued use to distribute info stealers, banking trojans, loaders, spambots, and ransomware on Windows machines.

Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA (cisa.gov)

A Deep Dive into Packing Software CryptOne (deepinstinct.com)
A packing software called CryptOne recently became popular among some major threat actors. It was first reported by Fox-IT.

Exploring Seychelles: Team Cymru's Tech Adventure (team-cymru.com)
Explore the beauty of Seychelles and its C(2) Shore with our technology company. Discover the perfect blend of nature and innovation on this breathtaking island.

Smokeloader is still alive and kickin' – A new way to encrypt CC server URLs (telekom.com)
One of the oldest malware families still in use today has learned some new tricks: a special way to encrypt CC server URLs.

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks (trendmicro.com)
The ZDI team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip, was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks.

SmokeLoader History | ThreatLabz (zscaler.com)
Part 1 | A technical analysis of SmokeLoader changes through the years.

Technical Analysis of SmokeLoader Version 2025 | ThreatLabz (zscaler.com)
Two new SmokeLoader versions have been identified that fix significant bugs and introduce additional measures to evade static and behavior-based detections.