Threat Research

SmokeLoader (also known as Smoke or Dofoil) is a long-standing modular malware loader active since 2011, primarily used to deliver second-stage payloads such as trojans, ransomware, and info stealers. It features a plugin-based architecture enabling credential theft, browser hijacking, crypto mining, and DDoS attacks....

In early February 2025, a phishing campaign targeting Ukrainian entities used invoice- and billing-themed emails containing compressed archives with obfuscated JavaScript files. These files deployed PowerShell downloaders to install SmokeLoader, leveraging the Emmenthal loader....

On May 22, 2025, our team revealed further actions tied to Operation Endgame, aimed at disrupting cybercriminal groups such as those behind DanaBot. This follows the original 2024 effort that targeted malware such as SmokeLoader, IcedID, and Pikabot....

The Agenda ransomware group, also known as Qilin, has continued to evolve since its emergence in 2022, shifting its ransomware development from Go to Rust and incorporating advanced evasion, propagation, and remote execution capabilities. In a recent campaign, the group deployed SmokeLoader alongside a newly discovered....

"GetSmoked: UAC-0006 Returns with SmokeLoader Targeting Ukraine's Largest State-Owned Bank" highlights a phishing campaign by the financially motivated threat actor UAC-0006, aimed at customers of PrivatBank, Ukraine's largest state-owned bank....

In September 2024, the Threat Hunting team uncovered a 7-Zip zero-day vulnerability (CVE-2025-0411) exploited in a SmokeLoader malware campaign targeting Ukrainian entities. The vulnerability was reported to 7-Zip creator Igor Pavlov, resulting in a patch released in version 24.09 on November 30, 2024....

In September 2024, an attack was observed leveraging the notorious SmokeLoader malware to target companies in Taiwan across sectors such as manufacturing, healthcare, and IT. Known for its versatility and advanced evasion techniques, SmokeLoader's modular design enables a variety of attacks....