Dofoil

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Dofoil, also known as Smoke Loader or Sharik, is a malicious program primarily designed to load other malware onto systems running Microsoft Windows. Originating in the criminal underground as early as 2011, Dofoil has shown resilience and adaptability over the years, with various sources documenting its activity and evolution. This modular botnet malware is relatively small but potent, often used to drop diverse malware families onto compromised computers. Its longevity in the cyber threat landscape attests to its effectiveness and the ongoing demand for such tools in cybercriminal circles. In a notable campaign detected on March 6, Dofoil showcased advanced techniques such as process hollowing on explorer.exe, making it harder for traditional security measures to detect and neutralize it. The command and control (C&C) communication of this malware leverages the decentralized Namecoin network infrastructure, adding another layer of complexity to its operations. These sophisticated tactics enable Dofoil to persist on infected systems and carry out its malicious activities more effectively. Recently, Dofoil has incorporated coin miners into its attacks, marking a shift towards exploiting the growing interest in cryptocurrency. By using a customized mining application, this trojan downloader can hijack system resources of infected machines to mine digital currencies without the user's consent. This not only provides financial gain for the attackers but also adds an additional revenue stream to their illicit activities. As such, despite periods of inactivity, Dofoil does not seem to be planning retirement anytime soon, posing a continued threat to cybersecurity.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Smoke Loader
4
Smoke Loader is a prominent type of malware identified by the SCPC SSSCIP, used in recent attacks primarily targeting Ukrainian organizations. This malicious software is often delivered via IPFS links by malware families such as Smoke Loader, XLoader, XMRig, and OriginLogger, disrupting operations a
Sharik
1
Sharik, also known as Dofoil or Smoke Loader, is a form of malware that targets systems running Microsoft Windows. It is a backdoor program that loads other malicious software onto a computer system, with a wide range of capabilities beyond just loading malware. An early version of this harmful prog
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Bot
Windows
Trojan
Payload
Backdoor
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Dofoil Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Unit42
4 months ago
Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor
CERT-EU
a year ago
Smoke Loader Botnet Drops Location Tracker Whiffy Recon Malware
CERT Polska
a year ago
Dissecting Smoke Loader
MITRE
a year ago
Smoke Loader - downloader with a smokescreen still alive | Malwarebytes Labs
MITRE
a year ago
Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign - Microsoft Security Blog