Smokeloader

Malware updated 23 days ago (2024-11-29T13:45:11.065Z)
Download STIX
Preview STIX
SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its functionality to download the Phobos payload and exfiltrate data from compromised systems. These actors often embed the ransomware as a hidden payload using SmokeLoader, which can be delivered through suspicious downloads, emails, or websites. The threat actors also use SmokeLoader to inject code into running processes, identifying an entry point through enabling a VirtualAlloc or VirtualProtect process. Alternatively, they send spoofed email attachments embedded with hidden payloads such as SmokeLoader. Between May 27 and 29, 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers like SmokeLoader. This operation resulted in the dismantling of dropper botnet infrastructure that supported initial-access Trojan malware strains, including IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and Trickbot. Eight Russian nationals, including Airat Gruber, the suspected admin of SmokeLoader, were added to the list of Europe's most wanted fugitives for their roles behind developing these botnets. In addition to SmokeLoader, Phobos intrusions have involved the use of various open-source tools, including Cobalt Strike and Bloodhound. The government reported at least two massive campaigns since May 20, where threat actors aimed at distributing SmokeLoader malware via email. The malware used in these campaigns includes information stealers such as Mystic Stealer, Rise Pro, and Redline; and loaders such as SmokeLoader and Amadey. As a result of these activities, CERT-UA issued a warning about an increase in cyberattacks targeting Ukrainian finances with SmokeLoader malware.
Description last updated: 2024-11-21T10:26:22.055Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Privateloader is a possible alias for Smokeloader. PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
2
Pikabot is a possible alias for Smokeloader. Pikabot is a malicious software (malware) that has been used extensively by various threat groups to exploit and damage computer systems. Initially, the BlackBasta group used phishing and vishing to deliver malware types such as DarkGate and Pikabot but quickly sought alternatives for further malici
2
Gozi Isfb is a possible alias for Smokeloader. Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.
2
IcedID is a possible alias for Smokeloader. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Payload
Phishing
Botnet
Downloader
Dropper
Loader
Remcos
Windows
Fortiguard
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Phobos Malware is associated with Smokeloader. Phobos is a form of malware, specifically ransomware, that has been active since May 2019. The operation utilizes a ransomware-as-a-service (RaaS) model and is responsible for numerous cyber attacks worldwide. Threat actors behind Phobos gained initial access to vulnerable networks through phishing Unspecified
5
The Redline Stealer Malware is associated with Smokeloader. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects sUnspecified
3
The Systembc Malware is associated with Smokeloader. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage fUnspecified
3
The TrickBot Malware is associated with Smokeloader. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,Unspecified
3
The Amadey Malware is associated with Smokeloader. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includUnspecified
3
The Zloader Malware is associated with Smokeloader. ZLoader is a form of malware, or malicious software, that is designed to exploit and damage computer systems. This harmful program can infiltrate a device through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal informUnspecified
2
The Redline Malware is associated with Smokeloader. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage forUnspecified
2
The Bumblebee Malware is associated with Smokeloader. Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee havUnspecified
2
The Venomrat Malware is associated with Smokeloader. VenomRAT is a sophisticated piece of malware that was discovered by security researchers, designed to exploit and damage computer systems. The malicious software infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal Unspecified
2
The Scrubcrypt Malware is associated with Smokeloader. ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disruptUnspecified
2
The Lockbit Malware is associated with Smokeloader. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers orUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The 8base Threat Actor is associated with Smokeloader. 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base oUnspecified
3
Source Document References
Information about the Smokeloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
21 hours ago
Securityaffairs
12 days ago
Fortinet
20 days ago
InfoSecurity-magazine
20 days ago
Securityaffairs
a month ago
Securityaffairs
2 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
DARKReading
6 months ago
DARKReading
7 months ago
Securityaffairs
7 months ago
BankInfoSecurity
7 months ago
Securityaffairs
7 months ago
Securityaffairs
7 months ago
Flashpoint
7 months ago
ESET
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
BankInfoSecurity
a year ago
CERT-EU
10 months ago