Smokeloader

Category: loader · Aliases: Trojan.SmokeLoader, Downloader.Dofoil, Win32/SmokeLoader · Sample count (EMBER 2018): 21 · Enrichment: curated_sourced · Updated: 2026-07-02T07:47:42Z

Overview

Executive Summary

SmokeLoader (also known as Dofoil) is a highly prolific, modular Trojan downloader that has been active in the cybercriminal underground since at least 2011. It operates primarily as an Initial Access Broker (IAB) tool, designed to silently compromise a host, establish stealthy persistence, and "load" (download and execute) secondary, highly profitable malware payloads, such as enterprise ransomware, banking trojans (like TrickBot), or cryptocurrency miners. It is renowned for its aggressive anti-analysis and defense evasion techniques.

Infection Vector and Technical Capabilities

SmokeLoader is predominantly distributed through vast, automated spam campaigns (malspam) containing malicious ZIP attachments, macro-enabled Office documents, or via exploit kits hosted on compromised websites. Upon execution, it exhibits advanced evasion and payload delivery:

Threat Assessment

A SmokeLoader detection is a critical, "Code Red" incident. Because it is a modular loader, the initial infection is rarely the endgame. If SmokeLoader successfully executes, it is almost certain that a devastating secondary payload (like Ryuk or Conti ransomware) is imminent.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1055.002 T1562.001 T1059

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_SMOKELOADER {
    meta:
        description = "Detects Smokeloader (loader)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "smokeloader" ascii wide nocase
        $s2 = "trojan.smokeloader" ascii wide nocase
        $s3 = "downloader.dofoil" ascii wide nocase
        $s4 = "win32/smokeloader" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Smokeloader Activity
id: 886b44916f8e62d9a9da5f7a8b143fb8
status: experimental
description: Detects generic indicators of the smokeloader malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*smokeloader*"
            - "*trojan.smokeloader*"
            - "*downloader.dofoil*"
            - "*win32/smokeloader*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is SmokeLoader?

A loader whose main job is downloading and installing other malware; it is also known as Dofoil.

How does SmokeLoader avoid detection?

It employs anti-analysis and evasion techniques to hinder researchers and security tools.

What does SmokeLoader deliver?

A wide range of other malware families, depending on the operator using it.

How is SmokeLoader distributed?

Through phishing, exploit kits, and bundling with other malware.

Where is the authoritative reference?

MITRE ATT&CK's Smoke Loader entry (S0226), linked on this page.

Related Families (Category: loader)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/smokeloader.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.