SmokeLoader

Overview

SmokeLoader is one of the oldest and most persistent malware loaders still in active operation. It is sold on underground forums and used to download and execute other malware payloads. SmokeLoader is known for its modular architecture and sophisticated anti-analysis techniques.

Also Known As

Smoke Loader, Dofoil, Sharik

How It Spreads

• • Phishing emails with malicious attachments
• • Fake cracked software and keygens
• • Malicious advertisements
• • Exploit kits
• • Other malware (as second-stage)

What It Does

• • Downloads and executes other malware payloads
• • Provides persistent access to infected systems
• • Evades detection using multiple anti-analysis techniques
• • Steals browser data and credentials (via plugins)
• • Can deploy ransomware, stealers, or banking trojans
• • Injects into legitimate processes

Target Platforms

Windows 7, Windows 10, Windows 11

Detection Tips

• • Monitor for process injection into explorer.exe
• • Detect anti-VM and anti-sandbox checks
• • Alert on connections to known SmokeLoader infrastructure
• • Watch for unusual code injection patterns
• • Monitor for download and execute behavior

MITRE ATT&CK Techniques

T1055, T1027, T1497, T1105, T1071.001