Dofoil

Dofoil, also known as Smoke Loader or Sharik, is a malicious program primarily designed to load other malware onto systems running Microsoft Windows. Originating in the criminal underground as early as 2011, Dofoil has shown resilience and adaptability over the years, with various sources documenting its activity and evolution. This modular botnet malware is relatively small but potent, often used to drop diverse malware families onto compromised computers. Its longevity in the cyber threat landscape attests to its effectiveness and the ongoing demand for such tools in cybercriminal circles. In a notable campaign detected on March 6, Dofoil showcased advanced techniques such as process hollowing on explorer.exe, making it harder for traditional security measures to detect and neutralize it. The command and control (C&C) communication of this malware leverages the decentralized Namecoin network infrastructure, adding another layer of complexity to its operations. These sophisticated tactics enable Dofoil to persist on infected systems and carry out its malicious activities more effectively. Recently, Dofoil has incorporated coin miners into its attacks, marking a shift towards exploiting the growing interest in cryptocurrency. By using a customized mining application, this trojan downloader can hijack system resources of infected machines to mine digital currencies without the user's consent. This not only provides financial gain for the attackers but also adds an additional revenue stream to their illicit activities. As such, despite periods of inactivity, Dofoil does not seem to be planning retirement anytime soon, posing a continued threat to cybersecurity.