Smoke Loader is a prominent malware family identified by the SCPC SSSCIP and used in recent attacks primarily targeting Ukrainian organizations. Malware families delivered via IPFS links in these campaigns include Smoke Loader, XLoader, XMRig, and OriginLogger; the resulting infections disrupt operations and can lead to theft of personal information or to data being held for ransom. The SCPC SSSCIP report documents 23 waves of Smoke Loader attacks from May through December 2023, with the first notification of this activity under the UAC-0006 identifier issued by CERT-UA on May 5, 2023. While no specific threat actor has been confirmed, various sources suspect UAC-0006 might be associated with Russian cybercrime. The group uses Smoke Loader to download additional malware in attempts to steal funds from Ukrainian enterprises.
Smoke Loader is sold on platforms such as grabberz.com, which makes it readily available to any threat actor planning an attack. As a well-known and currently active malware-as-a-service offering, Smoke Loader poses a significant threat. Palo Alto Networks has collaborated with the SCPC SSSCIP to provide actionable threat intelligence for mitigating these attacks. For a deeper understanding of the technical aspects of the UAC-0006 Smoke Loader campaigns in Ukraine, refer to the SCPC SSSCIP report.
Palo Alto Networks customers are better protected against Smoke Loader through a range of products, including Cortex XDR, XSIAM, and the Next-Generation Firewall with Cloud-Delivered Security Services (Advanced WildFire, DNS Security, Advanced Threat Prevention, and Advanced URL Filtering). Prioritizing security measures and cultivating careful online habits significantly reduces the risk of falling victim to malware such as Smoke Loader.
Description last updated: 2024-03-19T15:16:07.100Z