Smokeloader

Malware updated a month ago (2024-08-13T10:18:03.688Z)
Smokeloader is a malicious software (malware) that threat actors, specifically the Phobos actors, have used to embed ransomware as a hidden payload. Acting as a loader for other malware, it infects systems through suspicious downloads, emails, or websites, often without the victim's knowledge. Once executed, Smokeloader injects malicious code into running processes such as explorer.exe and downloads additional payloads onto the system. It operates alongside various open-source tools like Cobalt Strike and Bloodhound, and it can also be used to download the Phobos payload and exfiltrate data from compromised systems. The Phobos actors have been known to use Smokeloader to identify entry points into systems by enabling VirtualAlloc or VirtualProtect processes.

In some instances, threat actors distribute Smokeloader via spoofed email attachments embedded with hidden payloads. Government experts have reported at least two massive campaigns since May 20 aimed at distributing this malware via email. Notably, Smokeloader has also been used alongside information stealers such as Mystic Stealer, Rise Pro, and Redline, and loaders such as Amadey.

A significant development occurred last month when Operation Endgame dismantled the infrastructure supporting initial-access Trojan malware strains, including Smokeloader. The operation disrupted five botnets, among them IcedID and SmokeLoader, which typically act as precursors to ransomware or other malware infections. Eight Russian nationals, including Airat Gruber, the suspected admin of Smokeloader, were added to Europe's most wanted fugitives list for their roles in developing these botnets. This coordinated action by European, British, and U.S. police marks a significant blow to the cybercrime ecosystem.
Description last updated: 2024-08-13T10:15:50.645Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Pikabot | 2 | PikaBot is a malicious software (malware) known for providing initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft. It's part of an array of malware families such as IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoader, among others, which have been
Gozi Isfb | 2 | Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.
IcedID | 2 | IcedID is a malicious software (malware) that has been linked to various cybercrime operations. The malware can infiltrate systems via suspicious downloads, emails, or websites and proceed to steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with oth
Privateloader | 2 | PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Miscellaneous Associations
Other elements of context that may help in judging relevance
Malware
Ransomware
Payload
Phishing
Botnet
Loader
Remcos
Windows
Dropper
Associated Malware
ID | Type | Votes | Profile Description
Phobos | Unspecified | 5 | Phobos is a type of malware, specifically ransomware, that infiltrates computer systems with the intent to disrupt operations, steal personal information, or hold data hostage for ransom. The malicious software can infect devices through suspicious downloads, emails, or websites, often without the u
TrickBot | Unspecified | 3 | TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea
Redline Stealer | Unspecified | 3 | RedLine Stealer is a malicious software (malware) that infiltrates computer systems and devices, often unbeknownst to users. The malware can infect systems through suspicious downloads, emails, or websites, causing significant damage by stealing personal information, disrupting operations, or even h
Amadey | Unspecified | 3 | Amadey is a sophisticated malware that has been identified as being used in various malicious campaigns. The malware is typically delivered through GuLoader, a loader known for its use in protecting payloads against antivirus detection. Analysis of the infection chains revealed encrypted Amadey payl
Systembc | Unspecified | 3 | SystemBC is a type of malware, or malicious software, that has been heavily utilized in cyber-attacks and data breaches. Throughout 2023, it was frequently used in conjunction with other malware like Quicksand and BlackBasta by cybercriminals to exploit vulnerabilities in computer systems. Play rans
Zloader | Unspecified | 2 | ZLoader is a form of malware, or malicious software, that is designed to exploit and damage computer systems. This harmful program can infiltrate a device through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal inform
Bumblebee | Unspecified | 2 | Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Venomrat | Unspecified | 2 | VenomRAT is a sophisticated piece of malware that was discovered by security researchers, designed to exploit and damage computer systems. The malicious software infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal
Scrubcrypt | Unspecified | 2 | ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disrupt
Associated Threat Actors
ID | Type | Votes | Profile Description
8base | Unspecified | 3 | 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o
Source Document References
Information about the Smokeloader malware was read from the documents in the corpus below. This display is limited to 20 results.
Source Link | Created At | Title
Securityaffairs | a month ago | CERT-UA warns of a phishing campaign targeting government entities
Securityaffairs | 2 months ago | Security Affairs newsletter Round 480 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | 2 months ago | Multi-Malware 'Cluster Bomb' Campaign Drops Widespread Cyber Havoc
DARKReading | 3 months ago | Europol's Hunt Begins for Emotet Malware Mastermind
Securityaffairs | 3 months ago | Security Affairs newsletter Round 474 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity | 3 months ago | European Police Take Down Botnet Servers, Make Arrests
Securityaffairs | 3 months ago | Operation Endgame, the largest law enforcement operation ever against botnets
Securityaffairs | 3 months ago | CERT-UA warns of malware campaign conducted by threat actor UAC-0006
Flashpoint | 3 months ago | Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
ESET | 6 months ago | Rescoms rides waves of AceCryptor spam
CERT-EU | 6 months ago | Threat actors are turning to novel malware as malicious attacks rise
CERT-EU | 6 months ago | Phobos Unleashed: Navigating the Maze of Ransomware's Ever-Evolving Threat
BankInfoSecurity | a year ago | New Ransomware Actor 8Base Rivals LockBit in Extortion
CERT-EU | 6 months ago | CISA & FBI Releases TTPs & IOCs Used by Phobos Ransomware Group | National Cyber Security Consulting
CERT-EU | 6 months ago | CISA Warns Phobos Ransomware Groups Attacking Critical Infrastructure | National Cyber Security Consulting
CERT-EU | 6 months ago | Ongoing Phobos ransomware threat prompts federal warning
Securityaffairs | 6 months ago | US cyber and law enforcement agencies warn of Phobos ransomware attacks
CERT-EU | 6 months ago | SafeBreach Coverage for AA24-060A (Phobos Ransomware) and AA24-060B (Ivanti Connect Secure)
DARKReading | 6 months ago | FBI, CISA Release IoCs for Phobos Ransomware
CERT-EU | 6 months ago | FBI, CISA Release IoCs for Phobos Ransomware | National Cyber Security Consulting