Smokeloader

Malware Profile Updated 13 days ago
Smokeloader (also written SmokeLoader) is a long-running loader and botnet malware that Phobos ransomware actors have used extensively as a first-stage tool. It is typically delivered through malicious downloads, phishing emails, or compromised websites and installs itself on the victim's system as a hidden payload. Once resident, it lets the operators retrieve the Phobos ransomware payload and exfiltrate data from the compromised host. Smokeloader also injects code into running processes, using Windows memory-management APIs such as VirtualAlloc and VirtualProtect to stage the injected code and make it executable (MITRE ATT&CK T1055.002). In some intrusions the initial lure is a spoofed email whose attachment carries the hidden Smokeloader payload, and the loader is then used alongside post-exploitation tooling such as Cobalt Strike and the open-source BloodHound.

Smokeloader has been tied to a range of cybercriminal operations, distributing information stealers such as Mystic Stealer, RisePro, and RedLine, as well as other loaders such as Amadey.

Eight Russian nationals, including Airat Gruber, the suspected administrator of Smokeloader, were added to Europe's Most Wanted list for their roles in developing and running botnets such as Smokeloader and TrickBot. Others sought include Oleg Kucherov, Sergey Polyak, Fedor Andreev, Georgy Tesman, and Anton Bragin, wanted for their roles in operating botnets and extorting ransomware victims.

In late May 2024 an international law-enforcement action codenamed Operation Endgame seized and dismantled infrastructure supporting several malware families, including Smokeloader. It followed earlier warnings, among them one issued by Ukraine's CERT-UA in May 2023, about phishing campaigns distributing SmokeLoader. The operation disrupted several major dropper botnets, including IcedID and SmokeLoader, and is regarded as a significant step against global cybercrime.
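The injection behaviour described above (T1055.002: allocate memory in a target process, write a payload into it, make it executable, start a thread there) is what an analyst hunts for in a sandbox API trace or endpoint telemetry. The Python below is an added example for this profile, not code from the page, from CISA, or from any vendor. It parses constructed trace lines in a hypothetical "pid|api|args" format (the format, the PIDs and the addresses are all assumptions, not a real sandbox's output) and flags the VirtualAllocEx / WriteProcessMemory / VirtualProtectEx / CreateRemoteThread sequence, distinguishing a region allocated executable from one flipped from writable to executable after the write.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Windows memory-protection constants (winnt.h). Every PAGE_EXECUTE* value
# has a bit set in the high nibble, so one mask answers "is it executable?".
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0xF0

# Constructed sample trace (hypothetical "pid|api|args" format, not any real
# sandbox's output). Process 4120: RW alloc -> write -> RX re-protect -> thread.
# Process 7788: allocates RWX up front. Process 2200: writes but never executes.
SAMPLE_TRACE = """\
4120|VirtualAllocEx|hProcess=0x2a8(pid=5532) lpAddress=0x0 dwSize=0x3c000 flAllocationType=0x3000 flProtect=0x04
4120|WriteProcessMemory|hProcess=0x2a8(pid=5532) lpBaseAddress=0x1a0000 nSize=0x3b800
4120|VirtualProtectEx|hProcess=0x2a8(pid=5532) lpAddress=0x1a0000 dwSize=0x3b800 flNewProtect=0x20
4120|CreateRemoteThread|hProcess=0x2a8(pid=5532) lpStartAddress=0x1a1f30
4120|VirtualAlloc|lpAddress=0x0 dwSize=0x1000 flAllocationType=0x1000 flProtect=0x04
7788|VirtualAllocEx|hProcess=0x1c4(pid=9104) lpAddress=0x0 dwSize=0x2000 flAllocationType=0x3000 flProtect=0x40
7788|WriteProcessMemory|hProcess=0x1c4(pid=9104) lpBaseAddress=0x400000 nSize=0x1f00
7788|CreateRemoteThread|hProcess=0x1c4(pid=9104) lpStartAddress=0x400000
2200|VirtualAllocEx|hProcess=0x3f0(pid=3100) lpAddress=0x0 dwSize=0x1000 flAllocationType=0x3000 flProtect=0x04
2200|WriteProcessMemory|hProcess=0x3f0(pid=3100) lpBaseAddress=0x20000 nSize=0x800
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\|(?P<api>\w+)\|(?P<args>.*)$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|\d+)")
TARGET_RE = re.compile(r"hProcess=0x[0-9a-fA-F]+\(pid=(\d+)\)")


@dataclass
class InjectionState:
    """What one source process has done to one target process so far."""
    allocated_exec: bool = False  # VirtualAllocEx with an executable flProtect
    wrote: bool = False           # WriteProcessMemory into the target
    made_exec: bool = False       # VirtualProtectEx to executable after a write


def parse_line(line: str):
    """Return (source_pid, api, target_pid_or_None, {arg: int}) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {k: int(v, 0) for k, v in ARG_RE.findall(m["args"])}
    t = TARGET_RE.search(m["args"])
    target = int(t.group(1)) if t else None
    return int(m["pid"]), m["api"], target, args


def detect_pe_injection(trace: str) -> list[dict]:
    """Flag source->target pairs that write into another process, end up with
    executable memory there, and then start a remote thread (T1055.002)."""
    states: dict[tuple[int, int], InjectionState] = defaultdict(InjectionState)
    findings = []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, target, args = parsed
        if target is None or target == pid:
            continue  # local allocations (plain VirtualAlloc) are everyday behaviour
        st = states[(pid, target)]
        if api == "VirtualAllocEx" and args.get("flProtect", 0) & EXEC_MASK:
            st.allocated_exec = True
        elif api == "WriteProcessMemory":
            st.wrote = True
        elif api == "VirtualProtectEx" and args.get("flNewProtect", 0) & EXEC_MASK:
            st.made_exec = st.wrote  # only meaningful once something was written
        elif api == "CreateRemoteThread" and st.wrote and (st.allocated_exec or st.made_exec):
            findings.append({
                "source": pid,
                "target": target,
                "technique": "T1055.002",
                "pattern": "rwx-alloc" if st.allocated_exec else "rw-then-rx",
            })
    return findings


if __name__ == "__main__":
    for f in detect_pe_injection(SAMPLE_TRACE):
        print(f"pid {f['source']} -> pid {f['target']}: {f['technique']} ({f['pattern']})")
```

Run stand-alone it reports two pairs (4120 into 5532 via a writable-then-executable region, 7788 into 9104 via an RWX allocation) and stays silent on 2200, which wrote but never executed. On a real Windows host the same sequence surfaces as Sysmon Event ID 10 (ProcessAccess) followed by Event ID 8 (CreateRemoteThread) from the same source process; the writable-to-executable re-protection is the higher-fidelity signal, since legitimate software rarely re-protects memory it has just written into another process.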
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Privateloader
2
PrivateLoader is a notable malware that has been active since at least 2021. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Gozi Isfb
2
Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.
Pikabot
2
PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d
Rescoms
1
Rescoms, a malicious software (malware), has been widely used by threat actors in various information-stealing campaigns. According to an ESET report, the malware was distributed using Rugmi, which contains a downloader for the encrypted payload and two other loaders. The malware was used alongside
Azorult
1
Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb
Batloader
1
Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal
Netwalker
1
NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Payload
Phishing
Botnet
Loader
Remcos
Dropper
Windows
Police
Financial
Exploits
Decoy
Smishing
Proxy
Extortion
T1566.001 (Phishing: Spearphishing Attachment)
T1204.002 (User Execution: Malicious File)
T1055.002 (Process Injection: Portable Executable Injection)
Encryption
Telegram
Ukraine
Fortiguard
Vmware
Flashpoint
CISA
Blackberry
Cobalt Strike
Maas
Backdoor
Exploit
Rat
Ransomware P...
Loader Malware
Downloader
Trojan Malware
Cybercrime
Trojan
Associated Malware
ID | Type | Votes | Profile Description
Phobos | Unspecified
5
Phobos is a type of malware, specifically ransomware, that can infiltrate a computer system or device through suspicious downloads, emails, or websites. Once installed, it can cause significant harm by stealing personal information, disrupting operations, or even holding data hostage for ransom. Its
TrickBot | Unspecified
3
TrickBot is a form of malware, or malicious software, that infiltrates systems to exploit and damage them. It can enter your system via dubious downloads, emails, or websites, often without the user's knowledge. Once inside, TrickBot can steal personal information, disrupt operations, or even hold d
Redline Stealer | Unspecified
3
RedLine Stealer is a malicious software that was used to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 conducted an analysis of a RedLine Stealer infection using Wireshark, a network protocol analyzer. The analysis in
Amadey | Unspecified
3
Amadey is a type of malware that has been identified as part of a complex network of malicious software used to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage fo
Systembc | Unspecified
3
SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act
Venomrat | Unspecified
2
VenomRAT is a remote access trojan (RAT) reported on by security researchers at Palo Alto Networks' Unit 42. Rather than exploiting a flaw itself, it was delivered through a lure themed on CVE-2023-40477, a vulnerability in WinRAR, a widely used file archiver utility for Windows. A new campaign associated with this malware uses a deceptive proof-of-co
Zloader | Unspecified
2
ZLoader is a sophisticated malware that has been causing significant cybersecurity concerns. It was resurrected around September 2023 after nearly two years of inactivity, and since then, it has continued to evolve. The latest version, 2.4.1.0, introduces an anti-analysis feature which prevents the
IcedID | Unspecified
2
IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat
Bumblebee | Unspecified
2
Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its crypters, which have been used by malware families such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Scrubcrypt | Unspecified
2
ScrubCrypt is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage fo
Redline | Unspecified
1
RedLine is a notorious malware, discovered in March 2020, designed to exploit computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data. It exports this stolen data to its command-and-control infrastructure. The malware has been u
Rootsaw | Unspecified
1
Rootsaw, also known as EnvyScout, is a first-stage payload malware extensively used by state-sponsored group APT29 for their initial access efforts in collecting foreign political intelligence. The malware is typically deployed via phishing emails with HTML file attachments or .HTA files, which exec
Agent Tesla | Unspecified
1
Agent Tesla is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates the system often without the user's knowledge via suspicious downloads, emails, or websites, with the capability to steal personal information, disrupt operations, or hold data for
Spica | Unspecified
1
Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September 2023. The malware appears to be used in hig
RomCom | Unspecified
1
RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
Rhadamanthys | Unspecified
1
Rhadamanthys is a type of malware that has been utilized by cybercriminal group TA547 in targeted attacks against German organizations. This malicious software, designed to exploit and damage computer systems, typically infiltrates systems via suspicious downloads, emails, or websites. Once inside,
GuLoader | Unspecified
1
GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Bokbot | Unspecified
1
BokBot, also known as IcedID or Anubis, is a type of malware first discovered by X-Force in September 2017. It's a banking trojan that has been widely used in cybercrime operations to steal sensitive information such as banking credentials from infected computers. The malware infects systems through
Lokibot | Unspecified
1
LokiBot is a malicious software, or malware, that has been active since at least 2015 and was the subject of a CISA alert in September 2020 about a surge in activity. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Mirai | Unspecified
1
Mirai is a type of malware that primarily targets Internet of Things (IoT) devices to form botnets, which are networks of private computers infected with malicious software and controlled as a group without the owners' knowledge. In early 2022, Mirai botnets accounted for over 7 million detections g
Snatch | Unspecified
1
Snatch is a type of malware, specifically ransomware, known for its malicious activities. Ransomware is a harmful program designed to exploit and damage computer systems or devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains
Bad Rabbit | Unspecified
1
Bad Rabbit is a notorious malware that emerged in October 2017, primarily targeting corporate networks. It operates as ransomware, encrypting the victim's files and disk while offering a means of decryption for a ransom. The malicious software uses fake Adobe Flash installer advertisements to lure v
Lockbit | Unspecified
1
LockBit is a type of malware, specifically ransomware, that infiltrates systems to steal data or disrupt operations, often demanding ransom in return for the release of the compromised data. Notable incidents include the LockBit ransomware gang claiming to have stolen and subsequently leaking data f
Dreambot | Unspecified
1
Dreambot, also known as Ursnif and Gozi ISFB, is a malicious software (malware) designed to steal passwords and credentials, primarily targeting the banking and financial sectors. It has been described by threat researchers as "frighteningly lucrative," compared to the already profitable cybercrime
Elking | Unspecified
1
Elking is a type of malware, specifically a variant of the Phobos ransomware. Malware is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operatio
Faust | Unspecified
1
Faust is a newly discovered variant of the Phobos ransomware, an evolution of the Dharma/Crysis ransomware. It shares similar Tactics, Techniques, and Procedures (TTPs) with other variants such as Elking, Eight, Devos, and Backmydata, indicating a likely connection between them. Researchers from For
Acecryptor | Unspecified
1
AceCryptor is a prevalent malware crypter in the current digital landscape, recognized for its ability to help other malicious software evade detection. In recent research, we've identified 279 domains hosted on dedicated AceCryptor IP addresses, with 17 of these domains flagged as malicious by bulk
Vidar Stealer | Unspecified
1
Vidar Stealer is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat
Batcloak | Unspecified
1
BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository
Gozi | Unspecified
1
Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as the Pikabot botnet agent and the IcedID banking trojan. When an individual accesses a c
Ursnif | Unspecified
1
Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
AsyncRAT | Unspecified
1
AsyncRAT is a malicious software (malware) that targets computer systems to exploit and damage them, often infiltrating the system without the user's knowledge through suspicious downloads, emails, or websites. The malware operates by loading an executable which unpacks a DLL in memory, subsequently
Associated Threat Actors
ID | Type | Votes | Profile Description
8base | Unspecified
3
8base, a significant threat actor in the cybersecurity landscape, has been active since at least April 2022. This group, while not new, sharply increased its visibility in mid-2023 with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o
APT29 | Unspecified
1
APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, SVR group, and BlueBravo, is a notable threat actor linked to Russia. This group has gained notoriety over the years for its sophisticated cyberattacks against various targets. Recently, APT29 exploited a zero-day vulnerability
Gossamer Bear | Unspecified
1
Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta
APT28 | Unspecified
1
APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
Apt44 | Unspecified
1
APT44 is the designation Mandiant assigned in 2024 to the Russian military intelligence (GRU) hacking team previously tracked as Sandworm. Since the start of 2023 the group has conducted campaigns primarily targeting Ukraine, Eastern Europe, and investigative journalists. APT44'
Winter Vivern | Unspecified
1
Winter Vivern is a threat actor, or malicious entity, that has recently come to attention due to its exploitation of a zero-day vulnerability in the Roundcube webmail software. This advanced persistent threat (APT) group has been associated with several cyber-attacks and appears to be aligned with t
Snake | Unspecified
1
Snake is a long-running cyber-espionage implant and operation attributed to Russia's FSB (the actor tracked as Turla); it is not to be confused with the unrelated Snake/EKANS ransomware. It has been active since at least 2004, with its activities potentially dating back to the late 1990s, and targets diplomatic and government organizations as well as private businesses across various reg
Gamaredon | Unspecified
1
Gamaredon, a threat actor or Advanced Persistent Threat (APT) believed to be of Russian origin, has been actively executing malicious activities primarily against Ukraine since 2013. The group is known for its deployment of home-brewed malware through malicious documents, with the European Union's C
Turla | Unspecified
1
Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
Gandcrab | Unspecified
1
GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Of Russian origin and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Smokeloader malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading
13 days ago
Multi-Malware 'Cluster Bomb' Campaign Drops Widespread Cyber Havoc
DARKReading
a month ago
Europol's Hunt Begins for Emotet Malware Mastermind
Securityaffairs
a month ago
Security Affairs newsletter Round 474 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity
a month ago
European Police Take Down Botnet Servers, Make Arrests
Securityaffairs
a month ago
Operation Endgame, the largest law enforcement operation ever against botnets
Securityaffairs
2 months ago
CERT-UA warns of malware campaign conducted by threat actor UAC-0006
Flashpoint
2 months ago
Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
ESET
4 months ago
Rescoms rides waves of AceCryptor spam
CERT-EU
4 months ago
Threat actors are turning to novel malware as malicious attacks rise
CERT-EU
4 months ago
Phobos Unleashed: Navigating the Maze of Ransomware’s Ever-Evolving Threat
BankInfoSecurity
a year ago
New Ransomware Actor 8Base Rivals LockBit in Extortion
CERT-EU
4 months ago
CISA & FBI Releases TTPs & IOCs Used by Phobos Ransomware Group | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU
4 months ago
CISA Warns Phobos Ransomware Groups Attacking Critical Infrastructure | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
4 months ago
Ongoing Phobos ransomware threat prompts federal warning
Securityaffairs
4 months ago
US cyber and law enforcement agencies warn of Phobos ransomware attacks
CERT-EU
4 months ago
SafeBreach Coverage for AA24-060A (Phobos Ransomware) and AA24-060B (Ivanti Connect Secure)
DARKReading
4 months ago
FBI, CISA Release IoCs for Phobos Ransomware
CERT-EU
4 months ago
FBI, CISA Release IoCs for Phobos Ransomware | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU
4 months ago
Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware
CERT-EU
4 months ago
Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting