First emerging in 2011, SmokeLoader (also known as Smoke or Dofoil) has remained one of the most enduring malware loaders in the cybercriminal ecosystem. Despite being partially dismantled during the multinational Operation Endgame in 2024, ThreatLabz researchers now report that the malware is back with two new versions, bringing bug fixes, evasion upgrades, and enhanced plugin functionality.
In early 2025, ThreatLabz identified a rebuilt variant dubbed SmokeLoader 2025 alpha, followed by version 2025, which introduced further changes. The report notes, “Several months later, in July 2025, the author of SmokeLoader advertised a new version on a cybercriminal forum. Shortly thereafter, ThreatLabz identified an additional variant with more changes and a slightly modified network protocol that breaks compatibility with prior versions.”
Both versions were designed to correct critical flaws in earlier builds. Previous editions of SmokeLoader created severe performance issues by repeatedly injecting itself into memory every 10 minutes. ThreatLabz clarifies, “In order to address these performance issues, the SmokeLoader developer added a new mutex check into the stager’s code starting with version 2025 alpha.”
The new variants showcase incremental but impactful updates:
- Mutex-based injection control: Prevents redundant memory injection and stabilizes infected systems.
- Obfuscated constants: Both versions conceal key values through XOR-based encoding, complicating static analysis.
- Modified persistence: SmokeLoader now disguises scheduled tasks under names like MicrosoftEdgeUpdateTaskMachine%hs, abandoning its older “Firefox” disguise.
- Language-aware evasion: Version 2025 introduced a redundant but notable check to terminate if a Russian keyboard layout is detected.
- File mapping changes: Instead of appending “FF” to bot IDs, version 2025 now hashes them with MD5 for unique identifiers.
ThreatLabz emphasizes that these adjustments reflect the developer’s ongoing efforts to evade both static and behavior-based detections.
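The scheduled-task disguise above gives defenders a concrete hunting check: a task whose name borrows the Edge updater naming but whose action does not point at the real updater binary deserves a look. The following is an added example (not code from the ThreatLabz report or from SmokeBuster) that runs that check over a constructed task inventory; the updater path it treats as legitimate is an assumption and should be confirmed against a known-good host.

```python
import re
from dataclasses import dataclass

# Assumed legitimate Edge updater location (verify on a known-good host).
EDGE_UPDATER = r"c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe"

# Name pattern the report attributes to the SmokeLoader persistence task.
LOOKALIKE = re.compile(r"^MicrosoftEdgeUpdateTaskMachine", re.IGNORECASE)


@dataclass
class Task:
    name: str    # task name as shown by schtasks /query or Get-ScheduledTask
    action: str  # command line the task executes


def executable_of(action: str) -> str:
    """Return the lower-cased program path from a task action, dropping arguments."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end].lower() if end > 0 else action.lower()
    return action.split(" ", 1)[0].lower()


def is_suspicious(task: Task) -> bool:
    """Flag Edge-updater-looking task names that run anything but the real updater."""
    if not LOOKALIKE.match(task.name):
        return False
    return executable_of(task.action) != EDGE_UPDATER


def triage(tasks: list[Task]) -> list[str]:
    """Return the names of tasks that match the disguise but not the updater path."""
    return [t.name for t in tasks if is_suspicious(t)]


# Constructed sample inventory (not data from the report).
SAMPLE = [
    Task("MicrosoftEdgeUpdateTaskMachineCore",
         r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'),
    Task("MicrosoftEdgeUpdateTaskMachineUA",
         r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler'),
    Task("MicrosoftEdgeUpdateTaskMachineAB12",
         r'"C:\Users\Public\Libraries\wkbp.exe"'),          # lookalike name, wrong path
    Task("OneDrive Standalone Update Task", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"'),
]

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print("suspicious task:", name)
```

On a live host the same check can be fed from `schtasks /query /v /fo CSV` or `Get-ScheduledTask`, with the task name and action columns mapped onto `Task`.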
The latest version also modifies how SmokeLoader communicates with its command-and-control (C2) servers. Version 2025 alpha continues to masquerade as version 2022 during beaconing, while version 2025 introduces subtle protocol changes, including CRC32 checksums and XOR-obfuscated C2 responses.
These changes may appear minor but serve two purposes: hindering analysis and breaking backward compatibility, potentially forcing threat actors to adopt the newest variant.
Despite the international takedown effort in 2024, SmokeLoader remains a fixture in the underground market. Its modularity allows operators to deploy plugins for credential theft, cryptocurrency mining, browser hijacking, and DDoS attacks. ThreatLabz warns, “Despite Operation Endgame, SmokeLoader continues to be updated and used by multiple threat groups.”
The report concludes that while 2025 alpha is currently the most widely used due to backward compatibility with older C2 panels, version 2025 is poised for wider adoption as criminals update their infrastructure.
To aid defenders, ThreatLabz has released SmokeBuster, a free remediation tool capable of detecting and removing infections from all SmokeLoader variants, including the latest builds.