{
  "family": "smokeloader",
  "sample_count": 21,
  "category": "loader",
  "description": "SmokeLoader is a modular downloader and loader family active since 2011, used as a delivery vector for ransomware, banking trojans, information stealers, and cryptocurrency miners. Its plugin architecture allows operators to extend capability without redeploying the core. SmokeLoader is commonly distributed through exploit kits, malspam, and software cracks.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "smoke",
    "smokebot",
    "dofoil"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Smokeloader?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "SmokeLoader is a modular downloader and loader family active since 2011, used as a delivery vector for ransomware, banking trojans, information stealers, and cryptocurrency miners. Its plugin architecture allows operators to extend capability without redeploying the core. SmokeLoader is commonly distributed through exploit kits, malspam, and software cracks."
      }
    },
    {
      "@type": "Question",
      "name": "How does Smokeloader spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "SmokeLoader is a modular loader distributed through phishing, exploit kits, and pay-per-install affiliate networks, used to drop secondary payloads like AZORult, RedLine, and ransomware."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Smokeloader infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Outbound connections to known SmokeLoader C2 domains, secondary infections appearing shortly after initial compromise, and AV detections for SmokeLoader, Smoke, or Dofoil are indicators."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Smokeloader on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1059.001",
    "T1547.001",
    "T1071.001"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}