SmokeLoader (also known as Dofoil) is a highly prolific, modular Trojan downloader that has been active in the cybercriminal underground since at least 2011. It operates primarily as an Initial Access Broker (IAB) tool, designed to silently compromise a host, establish stealthy persistence, and "load" (download and execute) secondary, highly profitable malware payloads, such as enterprise ransomware, banking trojans (like TrickBot), or cryptocurrency miners. It is renowned for its aggressive anti-analysis and defense evasion techniques.
Infection Vector and Technical Capabilities
SmokeLoader is predominantly distributed through vast, automated spam campaigns (malspam) containing malicious ZIP attachments, macro-enabled Office documents, or via exploit kits hosted on compromised websites.
Upon execution, it exhibits advanced evasion and payload delivery:
PROPagate Injection: SmokeLoader is famous for utilizing the PROPagate (process hollowing/injection) technique, injecting its malicious code into legitimate, built-in Windows processes (like `explorer.exe`) to completely hide its execution from task managers and legacy AV.
Aggressive Anti-Analysis: The loader actively checks for signs it is running in a sandbox or virtual machine (VMware, VirtualBox). If a sandbox is detected, it terminates itself immediately. It also actively attempts to disable Windows Defender and other EDR sensors.
Plugin Architecture: Beyond its core downloader function, SmokeLoader can receive plugins from its Command and Control (C2) server. These plugins add specific capabilities, such as credential theft from browsers or executing distributed denial-of-service (DDoS) attacks.
Threat Assessment
A SmokeLoader detection is a critical, "Code Red" incident. Because it is a modular loader, the initial infection is rarely the endgame. If SmokeLoader successfully executes, it is almost certain that a devastating secondary payload (like Ryuk or Conti ransomware) is imminent.
Incident Response and Remediation
Immediate Network Isolation: The endpoint must be severed from the network instantly to prevent SmokeLoader from reaching its C2 server to download the secondary ransomware payload.
Memory Forensics: Because SmokeLoader injects deeply into `explorer.exe`, standard file scanning is insufficient. Incident responders must utilize memory forensics (e.g., Volatility) to identify and extract the injected payload from active RAM.
Total Re-imaging: Due to its deep system hooking and rootkit-like persistence, cleaning the machine is unreliable. A complete bare-metal wipe and re-image from a known-good baseline is required.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1055.002T1562.001T1059
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.