Mallory
Malware · Ransomware · Used by 5 actors · Exploits 3 CVEs

SMOKELOADER

Also known as: Dofoil

SmokeLoader is a modular loader and generic backdoor/botnet platform active since at least 2011 and used primarily to deliver additional malware. It is also referred to as Dofoil, Smoke Loader, and Smoke Bot. The malware is associated with the cybercrime group SMOKEY SPIDER, which has operated it as a malware distribution service for payloads including DanaBot, TrickBot, and QakBot. Reporting in the provided content describes SmokeLoader as versatile, modular, and using advanced evasion techniques.

Observed capabilities in the content include credential theft and loader functionality. SmokeLoader searches for browser credential stores, including files named logins.json, and has been noted searching for credentials stored by web browsers. It has also been reported to inject into the Internet Explorer process and to establish persistence by launching a scheduled task. Recent sandboxed SmokeLoader-related samples were described as harvesting browser credentials, stealing email client data, accessing cryptocurrency wallets, and enumerating software and processes. A March 2026 campaign also used a Go-based loader with browser credential harvesting, cryptocurrency wallet discovery, and process enumeration before deploying a SmokeLoader Remus plugin. The Remus plugin configuration extracted from that campaign showed capabilities for screenshot capture, clipboard theft, WMI-based profiling, machine identification, user enumeration, and likely privilege-related operations; it communicated with a C2 at baxe[.]pics:48261 and used a ChaCha20/Salsa20-style key schedule, with extracted key d16425ab2d021ae273d5fae993ce52a5aa61f379ade7bc27efd39d9bb3f46a55 and campaign ID e7d306351b2ed15ad158949881380114.

SmokeLoader appears across multiple delivery ecosystems and campaigns in the content. It was used in campaigns targeting Taiwanese manufacturing, healthcare, and information technology entities. BlackBerry reporting cited SmokeLoader among malware families targeting the healthcare sector. Qilin ransomware affiliates used SmokeLoader together with NETXLOADER in a November 2024 campaign. SmokeLoader was also observed in rotating lure campaigns alongside CountLoader and Vidar, in the Shanya campaign as a secondary loader, and in the Amadey fbf543 campaign distributing multiple malware families including Vidar, StealC, LummaStealer, Rhadamanthys, RemcosRAT, ValleyRAT, and XWorm. Breakglass Intelligence reported a GoLoader framework that delivered SmokeLoader among other families via DLL sideloading campaigns.

The content includes several infrastructure and IOC references tied to recent SmokeLoader activity. A March 2026 SmokeLoader sample with SHA256 bac70244b93a4a92b9d633415435cd81e8643ecd20b52b962b369ceaaddc3958 resolved ropea.top, coox.live, and baxe.pics; used coox.live:28313 for TCP beaconing/check-in; and used baxe.pics:48261 for HTTP multipart/form-data exfiltration. Related reporting identified coox.live at 168.231.114.49 and baxe.pics at 65.21.104.235 in one investigation, while another March 2026 Remus-plugin investigation identified baxe[.]pics resolving to 15.235.192.42. WHOIS data for associated domains exposed the identifiers German Ingrmen / ingermany and email ingermany1@inbox.eu, though the reporting assessed that identity as likely fabricated. Additional extracted indicators include the Remus plugin sample SHA256 77a2c2761bd439548177a36b6a10d8979c0e41d2cf3c1c98329307cbe5251ab6 and MSI/loader hashes 8af75100ed69758e4da91255e0fae90f4ac40db2d1cfe52b9ea90c637ea30a82 and b93484fd64dee8ad3b45ddddcb58e54efaf751f33a12c8807f8d0765e8237337.

The content also notes broader ecosystem links: historical ties between LockBit infrastructure and SmokeLoader-associated infrastructure, and repeated use of SmokeLoader in financially motivated cybercrime operations. High-confidence targeting mentioned in the content includes healthcare, manufacturing, and information technology organizations, as well as use by ransomware affiliates and commodity malware distribution campaigns.
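A small triage script, added here as an example and not part of the Mallory page or of any vendor report, that applies the network pattern summarised above (multipart/form-data POSTs to a non-standard port, contact with the hosts and IPs listed on this page) to constructed proxy-log lines; the log layout, the field order and the upload-size threshold are assumptions.

```python
"""Hunt constructed HTTP-proxy log lines for the SmokeLoader/Remus C2 pattern
described on this page: multipart/form-data POSTs to a non-standard port and
contacts with the listed C2 hosts. Assumed log format (constructed, not a real
product's): ts src_ip dst_host dst_port method content_type bytes_out."""
import re

# Hosts and IPs quoted on this page (defanged brackets are normalised away).
KNOWN_C2 = {"baxe.pics", "coox.live", "ropea.top",
            "168.231.114.49", "65.21.104.235", "15.235.192.42"}
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}
LARGE_UPLOAD_BYTES = 500_000  # assumed threshold; the page cites a ~1 MB upload

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+"
                     r"(?P<method>\S+)\s+(?P<ctype>\S+)\s+(?P<bytes>\d+)$")


def refang(host: str) -> str:
    """Turn defanged indicators such as baxe[.]pics back into matchable hosts."""
    return host.replace("[.]", ".").lower()


def classify(line: str) -> list[str]:
    """Return the list of reasons a log line is suspicious (empty = clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparseable"]
    host, port = refang(m["host"]), int(m["port"])
    reasons = []
    if host in KNOWN_C2:
        reasons.append("known-c2-host")
    nonstandard = port not in STANDARD_HTTP_PORTS
    if m["method"] == "POST" and m["ctype"].startswith("multipart/form-data") and nonstandard:
        reasons.append("multipart-post-nonstandard-port")  # T1041 over T1571-style port
    if int(m["bytes"]) >= LARGE_UPLOAD_BYTES:
        reasons.append("large-upload")
    return reasons


def hunt(lines) -> list[tuple[str, list[str]]]:
    """Run classify() over an iterable of lines, keeping only the flagged ones."""
    return [(line, r) for line in lines if (r := classify(line))]


# Constructed sample log lines, not taken from any real capture.
SAMPLE_LOG = [
    "2026-03-12T09:14:02Z 10.0.0.23 baxe[.]pics 48261 POST multipart/form-data 1022432",
    "2026-03-12T09:14:05Z 10.0.0.23 coox.live 28313 - - 312",
    "2026-03-12T09:15:10Z 10.0.0.41 updates.example.com 443 GET - 0",
    "2026-03-12T09:16:44Z 10.0.0.41 files.example.net 9000 POST multipart/form-data 20480",
]

if __name__ == "__main__":
    for line, reasons in hunt(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

The heuristic rule fires on the fourth sample line even though its host is not on the page's list, which is the point: indicator matching ages quickly, while the behavioural pattern of a multipart upload to an odd port survives infrastructure rotation.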

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

3 CVES
CVE-2017-11882 Microsoft Office Equation Editor Remote Code Execution (Exploited in the wild)

The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment that, when launched, exploits years-old security flaws (e.g., CVE-2017-0199 and CVE-2017-11882) to drop a malware loader called Ande Loader, which is then used to deploy SmokeLoader on the compromised host. | Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware. "SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said.

via The Hacker News (thehackernews.com)

CVE-2017-0199 Microsoft Office/WordPad Remote Code Execution Vulnerability (Exploited in the wild)

Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware. "SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said. | The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment that, when launched, exploits years-old security flaws (e.g., CVE-2017-0199 and CVE-2017-11882) to drop a malware loader called Ande Loader, which is then used to deploy SmokeLoader on the compromised host.

via The Hacker News (thehackernews.com)

CVE-2025-0411 7-Zip Mark-of-the-Web Bypass Vulnerability (Exploited in the wild)

The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09.

via CloudATG Insights (cloudatg.com)
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Smokey Spider

SMOKEY SPIDER is a cybercrime group that develops Smoke Loader (also known as Smoke Bot), a malicious bot that is used to upload other malware. Smoke Loader has been available since at least 2011, and operates as a malware distribution service for a number of different payloads, including—but not limited to—DanaBot, TrickBot, and Qakbot.

via CISA Advisories (cisa.gov)
UAC-0006

We identified and mapped a live SmokeLoader and Fuery botnet operation run by a single operator ("ingermany") using a custom Flask-based C2 panel disguised as an insurance SaaS application.

via Breakglass Intel (intel.breakglass.tech)
ingermany

A SmokeLoader sample (bac70244...3958, module name wallpapers) shares an identical obfuscation framework with Fuery.

via Breakglass Intel (intel.breakglass.tech)
LockBit

"LockBit Group uses #Smokeloader in their attacks"

via Data Breaches (databreaches.net)
8Base

8Base: Leveraged phishing emails, initial access brokers, and tools like SmokeLoader for payload delivery.

via Breached Company (breached.company)
MITRE ATT&CK

Techniques & procedures

29 distinct techniques documented for this family, organized by ATT&CK tactic.

T1583.003 Virtual Private Server (Evidence: 1)

MITRE ATT&CK T1583.003 — Virtual Private Server (PFCLOUD, ThinkHuge, OMEGATECH)

Initial Access

2 techniques
T1566 Phishing (Evidence: 1)

The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment...

T1566.001 Spearphishing Attachment (Evidence: 2)

The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment...

Execution

3 techniques
T1053.005 Scheduled Task (Evidence: 2)

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

T1203 Exploitation for Client Execution (Evidence: 1)
Tactic: Execution

...a Microsoft Excel attachment that, when launched, exploits years-old security flaws (e.g., CVE-2017-0199 and CVE-2017-11882) to drop a malware loader called Ande Loader...

T1204.002 Malicious File (Evidence: 1)
Tactic: Execution

Stage 2: MSI Installer The initial payload is an MSI installer... The MSI format provides a degree of legitimacy, as Windows users are accustomed to running installer packages.

Persistence

5 techniques
T1037 Boot or Logon Initialization Scripts (Evidence: 1)

Contagious Interview has established persistence using InvisibleFerret malware to place a .bat file in the Startup Folder. TeamTNT has added batch scripts to the startup folder. Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.

T1037.001 Logon Script (Windows) (Evidence: 1)

Examples include APT3 placing scripts in the startup folder, APT32 using Run keys to execute PowerShell and VBS scripts, TA2541 placing VBS files in the Startup folder, TeamTNT adding batch scripts to the startup folder, and Smoke Loader adding a script in the Startup folder to deploy the payload.

T1053.005 Scheduled Task (Evidence: 2)

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

T1112 Modify Registry (Evidence: 1)

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 3)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

Privilege Escalation

5 techniques
T1037 Boot or Logon Initialization Scripts (Evidence: 1)

Contagious Interview has established persistence using InvisibleFerret malware to place a .bat file in the Startup Folder. TeamTNT has added batch scripts to the startup folder. Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.

T1037.001 Logon Script (Windows) (Evidence: 1)

Examples include APT3 placing scripts in the startup folder, APT32 using Run keys to execute PowerShell and VBS scripts, TA2541 placing VBS files in the Startup folder, TeamTNT adding batch scripts to the startup folder, and Smoke Loader adding a script in the Startup folder to deploy the payload.

T1053.005 Scheduled Task (Evidence: 2)

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

T1055 Process Injection (Evidence: 3)

While the stager's purpose is to decrypt, decompress, and inject the main module into an explorer.exe process...

T1547.001 Registry Run Keys / Startup Folder (Evidence: 3)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

Stealth

6 techniques
T1027 Obfuscated Files or Information (Evidence: 5)
Tactic: Stealth

SmokeLoader detects analysis environments, generates fake network traffic, and obfuscates code to evade detection and hinder analysis...

T1036.005 Match Legitimate Resource Name or Location (Evidence: 2)
Tactic: Stealth

MITRE ATT&CK Mapping Technique ID Name Context T1036.005 Masquerading: Match Legitimate Name or Location Education LMS as cover for C2 VPS

T1055 Process Injection (Evidence: 3)

While the stager's purpose is to decrypt, decompress, and inject the main module into an explorer.exe process...

T1070.006 Timestomp (Evidence: 1)
Tactic: Stealth

The compile timestamp is zeroed -- a deliberate anti-forensics measure. ... MITRE ATT&CK Mapping ... Defense Evasion Timestomp T1070.006 Zeroed PE compile timestamp

T1140 Deobfuscate/Decode Files or Information (Evidence: 1)
Tactic: Stealth

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

SmokeLoader detects analysis environments, generates fake network traffic, and obfuscates code to evade detection and hinder analysis...

T1112 Modify Registry (Evidence: 1)

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Credential Access

3 techniques
T1539 Steal Web Session Cookie (Evidence: 1)

The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies... from web browsers...

T1555 Credentials from Password Stores (Evidence: 3)

The malware supports several plugins that can steal login and FTP credentials... from web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.

T1555.003 Credentials from Web Browsers (Evidence: 1)

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

Discovery

2 techniques
T1012 Query Registry (Evidence: 1)
Tactic: Discovery

Behavioral analysis from Triage sandbox ... revealed the SmokeLoader sample performing ... software/process enumeration (T1012).

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

SmokeLoader detects analysis environments, generates fake network traffic, and obfuscates code to evade detection and hinder analysis...

Collection

2 techniques
T1005 Data from Local System (Evidence: 2)

The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies, and other information...

T1119 Automated Collection (Evidence: 1)

MITRE ATT&CK Mapping Technique ID Name Context T1119 Automated Collection Cryptocurrency wallet, email client, browser credential harvesting

Command and Control

5 techniques
T1071 Application Layer Protocol (Evidence: 1)

...it carries out the attack itself by downloading plugins from its [command-and-control] server.

T1071.001 Web Protocols (Evidence: 4)

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

T1105 Ingress Tool Transfer (Evidence: 4)

...it carries out the attack itself by downloading plugins from its [command-and-control] server.

T1571 Non-Standard Port (Evidence: 1)

The plugin communicates with baxe[.]pics on port 48261 over unencrypted HTTP...

T1573 Encrypted Channel (Evidence: 1)

The plugin communicates with baxe[.]pics on port 48261 over unencrypted HTTP, with payload encryption handled at the application layer via ChaCha20.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 2)

HTTP POST: multipart/form-data to baxe.pics:48261 ... Outbound: 1,022,432 bytes (stolen data upload)

Impact

1 technique
T1498 Network Denial of Service (Evidence: 1)
Tactic: Impact

...it possesses the capability to download more modules that augment its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency.

INDICATORS OF COMPROMISE

IOCs tracked for this family

85 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
50 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
23 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
12 tracked

Other indicator types observed in public reporting.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (85)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (5)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (3)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (29)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.