Technical Analysis of SmokeLoader Version 2025

SmokeLoader, a modular malware loader active since 2011, has resurfaced with new versions in 2025 after Operation Endgame suppressed its activity. The latest variants, 2025 alpha and 2025, include bug fixes and improvements to evade detection. Key changes include a new mutex check in the stager, modified mutex name generation, and updates to the main module. The network protocol has been slightly adjusted in version 2025, and the scheduled task name for persistence has been updated. These versions fix performance issues and include additional anti-analysis measures. Despite efforts to dismantle it, SmokeLoader continues to evolve and is used by multiple threat groups.

Author: AlienVault

Related Tags:
network protocol
version 2025
smoke
Dofoil
Smoke Loader – S0226
malware loader
evasion techniques
anti-analysis
T1053.005

Associated Indicators: