SmokeLoader is a modular downloader and loader family active since 2011, used as a delivery vector for ransomware, banking trojans, information stealers, and cryptocurrency miners. Its plugin architecture allows operators to extend capability without redeploying the core. SmokeLoader is commonly distributed through exploit kits, malspam, and software cracks.
This family has been observed using the following ATT&CK techniques: T1059.001 (Command and Scripting Interpreter: PowerShell), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), and T1071.001 (Application Layer Protocol: Web Protocols).
SmokeLoader is a modular loader distributed through phishing, exploit kits, and pay-per-install affiliate networks, used to drop secondary payloads like AZORult, RedLine, and ransomware.
Indicators include outbound connections to known SmokeLoader C2 domains, secondary infections (for example AZORult or RedLine) appearing shortly after the initial compromise, and AV detections under the names SmokeLoader, Smoke, or Dofoil.
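The three indicators above can be checked together rather than one at a time: a C2 contact or a loader-family AV name marks a host as a loader hit, and a later detection for one of the secondary payloads on the same host, within a short window, confirms that the loader delivered something. The triage script below is an added example and is not part of the catalog or its dataset; the C2 domain list, the log format, the two-hour correlation window, and every log line are constructed for illustration and should be replaced with real threat intel and real telemetry before use.

```python
"""Correlate the SmokeLoader indicators listed in the profile.

Added example; not catalog tooling. C2_DOMAINS, the log format, the
correlation window and SAMPLE_LOGS are all CONSTRUCTED for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for "known SmokeLoader C2 domains" (assumption).
C2_DOMAINS = {"c2-example-one.invalid", "c2-example-two.invalid"}

# AV detection names the profile lists for this family.
LOADER_RE = re.compile(r"\b(SmokeLoader|Smoke|Dofoil)\b", re.IGNORECASE)

# Secondary payloads named in the profile as dropped by SmokeLoader.
SECONDARY_RE = re.compile(r"\b(AZORult|RedLine)\b", re.IGNORECASE)

# How soon after a loader hit a secondary detection counts as "shortly after".
SECONDARY_WINDOW = timedelta(hours=2)  # assumption; tune to your environment

# Constructed log lines: "<iso-timestamp> <host> <proxy|av> key=value ...".
SAMPLE_LOGS = [
    "2024-05-02T10:01:02 ws-17 av name=Trojan.Win32.SmokeLoader action=quarantine",
    "2024-05-02T10:03:11 ws-17 proxy dst=c2-example-one.invalid method=POST",
    "2024-05-02T10:42:50 ws-17 av name=Trojan.Win32.RedLine action=quarantine",
    "2024-05-02T10:05:00 ws-22 proxy dst=www.example.com method=GET",
    "2024-05-02T11:00:00 ws-31 av name=Trojan.Win32.RedLine action=quarantine",
    "2024-05-02T09:00:00 ws-40 av name=Worm.Dofoil.A action=detected",
    "2024-05-02T14:30:00 ws-40 av name=PWS.AZORult action=detected",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>proxy|av) (?P<detail>.+)$")


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["fields"] = dict(kv.split("=", 1) for kv in rec["detail"].split() if "=" in kv)
    return rec


def triage(lines: list[str]) -> dict[str, dict]:
    """Return per-host evidence for the three indicators in the profile."""
    per_host: dict[str, dict] = defaultdict(
        lambda: {"c2": [], "av": [], "secondary": [], "secondary_after_loader": False}
    )
    loader_first_seen: dict[str, datetime] = {}  # host -> earliest loader hit
    records = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda r: r["ts"])

    for r in records:
        host, f = r["host"], r["fields"]
        loader_hit = False
        if r["kind"] == "proxy" and f.get("dst", "").lower() in C2_DOMAINS:
            per_host[host]["c2"].append(f["dst"])
            loader_hit = True
        elif r["kind"] == "av":
            name = f.get("name", "")
            if LOADER_RE.search(name):
                per_host[host]["av"].append(name)
                loader_hit = True
            elif SECONDARY_RE.search(name):
                per_host[host]["secondary"].append(name)
                first = loader_first_seen.get(host)
                # Only a secondary payload seen within the window after a loader
                # hit on the same host is treated as evidence the loader succeeded.
                if first is not None and r["ts"] - first <= SECONDARY_WINDOW:
                    per_host[host]["secondary_after_loader"] = True
        if loader_hit:
            loader_first_seen.setdefault(host, r["ts"])
    return dict(per_host)


def priority(entry: dict) -> str:
    """Rank a host: confirmed loader activity, likely, or needs analyst review."""
    if entry["secondary_after_loader"] or (entry["c2"] and entry["av"]):
        return "confirmed"
    if entry["c2"] or entry["av"]:
        return "likely"
    return "review"


if __name__ == "__main__":
    for host, entry in sorted(triage(SAMPLE_LOGS).items()):
        print(host, priority(entry), entry)
```

In the constructed sample, ws-17 shows all three indicators and is ranked "confirmed"; ws-40 has a Dofoil detection but its AZORult hit arrives five and a half hours later, outside the window, so it stays "likely"; ws-31 has only a RedLine detection with no loader evidence and is left for review; ws-22, which only browsed a benign site, does not appear at all.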
If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/smokeloader.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.