SmokeLoader Employs Optional Plugins to Steal Data and Launch DoS Attacks
Active since 2011, SmokeLoader (also known as Smoke or Dofoil) has cemented its reputation as a versatile malware loader engineered to deliver second-stage payloads, including trojans, ransomware, and information stealers.
Over the years, it has evolved to evade detection and optimize payload delivery, extending its reach through an extensible plugin framework capable of credential harvesting, browser hijacking, cryptocurrency mining, and more.
Following Operation Endgame in May 2024—an international law enforcement and private-industry effort that eradicated many SmokeLoader instances—activity waned until early 2025, when Zscaler ThreatLabz discovered a new “2025 alpha” variant.
By July 2025, the malware’s author advertised an updated edition on a cybercriminal forum, and ThreatLabz soon identified a further variant, hereafter referred to as version 2025, distinguished by bug fixes and a modified network protocol.
SmokeLoader’s primary function remains the reliable download and execution of secondary malware. Its modular design, however, transforms it into a multifunctional threat.
The stager component initially bypasses analysis environments, terminates if virtualization is detected, and injects the main module into explorer.exe.
Once resident, the main module establishes persistence via scheduled tasks, beacons to a command-and-control (C2) server, and orchestrates plugin execution.
Optional modules include data exfiltration tools to harvest credentials and system information, distributed denial-of-service (DDoS) attack utilities to overwhelm targeted endpoints, and cryptocurrency miners that leverage idle CPU cycles.
This plugin architecture allows threat actors to tailor SmokeLoader deployments to specific objectives and adapt rapidly to evolving operational needs.
Bug Fixes and Technical Enhancements
Earlier SmokeLoader versions (2018–2022) suffered from performance-degrading bugs, notably a scheduled task that re-injected the main module every ten minutes without checking for an existing instance, causing memory bloat and thread proliferation in explorer.exe.

Version 2025 alpha introduces a mutex check within the stager, preventing redundant injections.
The mutex naming scheme changed from a fixed-length uppercase hexadecimal string to a variable-length lowercase alphabetic identifier generated via a pseudo-random algorithm seeded with the bot ID.
Anti-analysis threads now spawn only after mutex verification, eliminating unnecessary thread creation on patched systems.
Further refinements appear in version 2025. The stager implements a new decryption function that modifies each byte of encrypted code by adding a hardcoded constant before execution, dynamically computes relative virtual addresses (RVAs) with XOR operations, and employs 64-bit shellcode for injection.
In the main module, constant values—including API flags and version identifiers—are obfuscated via XOR with per-sample keys.
Version 2025 also introduces a keyboard-layout check in the main module: it aborts execution if the victim’s layout indicates a Russian locale, echoing an earlier check in the stager but adding redundancy at the main module level.
In version 2025, constants are obfuscated, such as the value 0xF001F (SECTION_ALL_ACCESS) that is passed to the function NtCreateSection.

Additionally, the file-mapping name used for interprocess communication now derives from an MD5 hash of the bot ID rather than appending “FF” characters.
Network Protocol Changes
The protocol underpinning SmokeLoader’s C2 communications remained unchanged in version 2025 alpha relative to version 2022, but version 2025 updates the two-byte version field to 2025 (0x07E9) and prepends a four-byte CRC32 checksum at offset two to authenticate packet payloads.

The response format’s initial length field is now obfuscated with the RC4 key, complicating passive interception and analysis.
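As an added illustration (not code from the ThreatLabz report or from the malware itself), a small parser for the version-2025 request header as described above: a two-byte version field of 0x07E9 followed by a four-byte CRC32 at offset two. Little-endian field encoding and a CRC computed over the bytes that follow the checksum are assumptions; the sample payload is constructed.

```python
import struct
import zlib

# Two-byte version field reported for version 2025 (decimal 2025).
SMOKELOADER_2025_VERSION = 0x07E9
HEADER_LEN = 6  # 2-byte version + 4-byte CRC32 (assumed little-endian)


def build_packet_2025(payload: bytes) -> bytes:
    """Build a constructed sample packet in the assumed version-2025 layout.

    Field order (version, then CRC32 at offset 2) follows the article;
    little-endian encoding and CRC-over-payload scope are assumptions.
    """
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return struct.pack("<HI", SMOKELOADER_2025_VERSION, crc) + payload


def parse_packet_2025(data: bytes) -> dict:
    """Classify a candidate packet against the version-2025 header layout.

    Returns the version field, whether it matches 0x07E9, and whether the
    embedded CRC32 verifies against the trailing payload. Short buffers
    are reported rather than raising, so this is safe on arbitrary input.
    """
    if len(data) < HEADER_LEN:
        return {"version": None, "layout_2025": False, "crc_ok": False}
    version, crc = struct.unpack_from("<HI", data, 0)
    payload = data[HEADER_LEN:]
    crc_ok = (zlib.crc32(payload) & 0xFFFFFFFF) == crc
    return {
        "version": version,
        "layout_2025": version == SMOKELOADER_2025_VERSION,
        "crc_ok": crc_ok,
    }


if __name__ == "__main__":
    sample = build_packet_2025(b"constructed-beacon-body")  # constructed, not real traffic
    print(parse_packet_2025(sample))
    # A tampered copy fails the checksum while still carrying the 2025 version tag.
    tampered = sample[:-1] + b"X"
    print(parse_packet_2025(tampered))
```

A detection rule keyed only on the 0x07E9 version tag will also match crafted or corrupted data, so pairing the tag with the checksum check reduces false positives.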
ThreatLabz’s telemetry indicates that version 2025 alpha currently predominates, likely owing to its compatibility with legacy C2 panels.
However, version 2025’s bug fixes, enhanced obfuscation, and protocol hardening make it a strong candidate for broader criminal adoption.
SmokeLoader remains in active use by multiple threat groups, demonstrating the resilience of loader-based malware ecosystems despite coordinated disruption efforts.
SmokeLoader’s enduring evolution underscores the adaptability of modular malware frameworks.
While Operation Endgame delivered a temporary setback, the emergence of version 2025 alpha and version 2025—with their performance fixes, improved stealth, and protocol enhancements—signals that SmokeLoader will remain a potent loader for illicit payloads.
Organizations must maintain robust detection and response measures, including behavioral monitoring to flag anomalous scheduled tasks and mutex-based injections, to mitigate the ongoing threat posed by this enduring malware.