
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Smoke Loader

Names: Smoke Loader, SmokeLoader, Smoke, Dofoil, Sharik
Category: Malware
Type: Botnet, Downloader, Miner

Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.

SmokeLoader, in addition to being used to download standalone coinminers, is available on underground markets with a built-in coinminer module for an additional fee.

Information:
<https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/>
<https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/>
<https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/>
<https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html>
<https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/>
<https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis>
<https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign>
<https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo>
<https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/>
<https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/>
<https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait>
<https://www.cert.pl/en/news/single/dissecting-smoke-loader/>
<https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/>
<http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor>

MITRE ATT&CK: <https://attack.mitre.org/software/S0226/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:Smoke%20Loader>

Last change to this tool card: 14 June 2021


All groups using tool Smoke Loader

Changed  Name                  Country    Observed

APT groups
         TA530                 [Unknown]  2016-Nov 2016

Other groups
X        Bamboo Spider, TA544  [Unknown]  2016-May 2020
X        Smoky Spider          [Unknown]  2011-Apr 2019
         TA516                 [Unknown]  2016-Feb 2020

4 groups listed (1 APT, 3 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
