Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
34
Global rank
26 infographic chevron month
Month rank
21 infographic chevron week
Week rank
0
IOCs

The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions.

Loader
Type
ex-USSR territory
Origin
30 August, 2011
First seen
25 October, 2025
Last seen
Also known as
Dofoil

How to analyze Smoke Loader with ANY.RUN

Type
ex-USSR territory
Origin
30 August, 2011
First seen
25 October, 2025
Last seen

IOCs

Hashes
a37a290863fe29b9812e819e4c5b047c44e7a7d7c40e33da6f5662e1957862ab
831890c5dae911036233eccb29c335cc013affe4bcb77104a7c05374d8fffebb
Domains
support.microsoft.com
prolinice.ga
connecticutproperty.ru
kiyanka.club
ghjk78kjhb.net
brawlhalla.ru
Last Seen at
Last Seen at

Recent blog posts

post image
ANY.RUN Recognized as Threat Intelligence Com...
watchers 294
comments 0
post image
ANY.RUN & ThreatQ: Boost Detection Rate,...
watchers 356
comments 0
post image
No Threats Left Behind: SOC Analyst’s Guide t...
watchers 504
comments 0

What is Smoke Loader?

Smoke Loader, sometimes also called Dofoil, is a modular malware mainly utilized to download other viruses to infected machines. Despite its loader nature, the Smoke Loader bot can be equipped with a variety of malicious functions. Most of these functions are targeted at stealing sensitive data from the victims.

Smoke Loader was first observed in the wild in 2011. It was seen being sold on underground portals grabberz[.]com and xaker[.]name by a member named SmokeLdr. The malware functionality varies from one attack to the other and depends on the choice of modules done by the attackers.

Despite its old age, Smoke Loader continues to be an active threat even to this day. In particular, this malware was featured in RigEK and MalSpam campaigns. It should be noted that after March 2014, Smoke Loader is sold only to Russian-speaking attackers.

General description of Smoke Loader

The main functions of Smoke Loader include loading up to ten executable files and run them, geo-target the victims to direct attacks at specific countries, load files via URLs, mimic legitimate processes, and provide detailed summaries on installs and launches.

The two optional modules allow Smoke Loader to expand its feature set with information-stealing functions. This allows Dofoil to grab passwords from widely used mail clients, FTP clients, and programs like TeamViewer. The malware can send the data to the C2 for the attacker.

The Smoke Loader virus has been evolving over the years. According to the research of a cybersecurity professional, a late 2018 sample included an array of anti-debugging techniques far more complex than anything present in the early iterations of the malware. For instance, the 2018 Smoke Loader version learned to check if it is being launched in the virtual environment. It also learned to discover and immediately kill any analyzing tools running on the machine. Together, these features make the analysis of the Dofoil malware highly complicated. Dofoil also relies a lot on the process hollowing technique, targeting mostly Explorer.exe.

What’s more, while a lot of malware in the wild need to iterate through a list of processes to find their injection target, thus allowing researchers to discover them, Smoke Loader manages to avoid this behavior and stay hidden by calling the Windows API GetShellWindow to access the shell’s desktop window, and evoke GetWindowThreadProcessId to obtain the process ID of Explorer.exe.

To further confuse security researchers, all Smoke Loader functions contain pointless instructions. At the same time, the library names are encrypted with a hardcoded key. Instructions are not coded in a standard way. Instead, they are mixed with jump instructions. Most of this code reroutes the program flow to create confusion when Dofoil is debugged.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Malware analysis of Smoke Loader

A video recorded in the ANY.RUN malware hunting service displays the execution process of Smoke Loader. It allows examining the malware in a convenient and safe environment.

smokeloader execution process graph

Figure 1: Displays the graph of processes generated by the ANY.RUN malware analyzing service

text report of the smokeloader malware analysis

Figure 2: Even more information about the execution of malware can be found in customizable text reports generated by ANY.RUN

Smoke Loader execution process

So, how does Smoke Loader work? Because the most common vector of attack to infect users' devices are malicious spam campaigns, Smoke Loader trojan mostly gets into devices with Microsoft Office files. Once the user downloads and opens the malicious file, the malware drops to a machine from it.

After that, SmokeLoader injects malicious code into system processes like explorer.exe. An injected process then starts the main malicious activity.

Distribution of Smoke Loader

The smoke Loader virus makes its way to machines as a malicious Microsoft Word attachment. It is initially delivered to users in spam email campaigns. Attackers use social engineering to trick potential victims into downloading the attached file and enabling the macros, the same scenario is applied by Ave Maria and Revenge.

This makes contamination prevention fairly simple. Users are advised to stay clear of downloading files from suspicious emails and keep macros disabled. And especially, never enable them if prompted by a downloaded file.

How Smoke Loader communicates with C&C?

Smoke Loader malware tries to hide its malicious nature. This is done by mixing infrequent requests to legitimate websites into C&C communication. The virus connects to websites such as Microsoft.com and Adobe.com. Despite receiving mainly HTTP 404 in requests, data is still evident in the response body.

How to detect Smoke Loader using ANY.RUN?

Since SmokeLoader almost always infects systems using similar attack vectors, it can be identified using its execution process. After the executable file, which contains Smoke Loader, has been delivered in the system and launched, it injects its code into the system process like "explorer.exe."

This means that if, after some time following the execution of a sample, an "explorer.exe" process appears, it is time to look into it. To do so, click on the process in the "Process list" section, and in the appeared "Process details" window click the "More info" button. If in the event section you see that previously injected "explorer.exe" create a file named "tesrdgeh.exe," it is a clear indication that you are dealing with Smoke Loader trojan.

SmokeLoader created a file Figure 3: Injected explorer.exe created file tesrdgeh.exe

Summary

Despite being rather old, the Dofoil virus is only gaining popularity. Since its first surfacing in 2011, the malware remains a highly active and elusive threat, not due to its advanced anti-evasion functions. In addition to being used as a loader and installing potentially more dangerous malware.

What’s more, Smoke Loader itself can be used to pull sensitive information from infected machines and conduct destructive, malicious campaigns.

Thankfully, advanced malware hunting services such as ANY.RUN allows us to bypass some of the anti-evasion tricks implemented by the Smoke Loader creators and successfully conduct the analysis of this virus.

HAVE A LOOK AT

Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More
Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More
DragonForce screenshot
DragonForce
dragonforce
DragonForce is a ransomware strain operating under the Ransomware-as-a-Service (RaaS) model. First reported in December 2023, it encrypts files with ChaCha8, renames them with random strings, and appends “.dragonforce_encrypted.” By disabling backups, wiping recovery, and spreading across SMB shares, DragonForce maximizes damage and pressures victims into multimillion-dollar ransom negotiations. It has targeted manufacturing, construction, IT, healthcare, and retail sectors worldwide, making it a severe threat to modern enterprises.
Read More
EvilProxy screenshot
EvilProxy
evilproxy
EvilProxy is a phishing-as-a-service (PhaaS) platform that enables cybercriminals to bypass multi-factor authentication (MFA) and hijack user sessions. It leverages reverse proxy techniques to harvest credentials and session cookies, posing a serious threat to both individuals and enterprises.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More