Date: 09/16/2025
Severity: Medium
Summary
SmokeLoader (also known as Smoke or Dofoil) is a modular malware loader that has been active since 2011 and is used mainly to deliver second-stage payloads such as trojans, ransomware and information stealers. Its plugin architecture adds capabilities including credential theft, browser hijacking, cryptocurrency mining and DDoS. Two new versions, labelled 2025 alpha and 2025, have recently appeared and are in active use by multiple threat groups. They fix performance problems in earlier builds and add changes intended to evade both static and behavioural detection, a notable step in the malware's evolution.
Indicators of Compromise (IOC) List
URL/Domain:
http://ardt.info/tmp/
http://disciply.nl/tmp/
http://e-bonds.ru/tmp/
http://cobyrose.com/tmp/
http://dfbdw3tyge.info/tmp/
http://cusnick.com/tmp/
http://dfbdw3tyge.info/tmp
http://es-koerier.nl/tmp/
http://solanges.info/tmp/
http://udlg.nl/tmp/
http://ownmbaego.com/index.php
https://ownmbaego.com/index.php
http://176.46.152.46/
http://178.16.53.7/
SHA-256 Hash:
fe18dba2d72ccf4a907d07674b18d1bc23e3ea10f66cbf2a79e73000df43b358
d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1
413325dfeddf2287f86ca9998c1f6be2942145a647a14f1bfe1390e738adae61
d38f9ab81a054203e5b5940e6d34f3c8766f4f4104b14840e4695df511feaa30
0b06c6a25000addde175277b2d157d5bca4ab95cbfe3d984f1dba2ecefa3a4cd
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL/domain indicators):
domainname like "http://ardt.info/tmp/" or siteurl like "http://ardt.info/tmp/" or url like "http://ardt.info/tmp/"
or domainname like "http://disciply.nl/tmp/" or siteurl like "http://disciply.nl/tmp/" or url like "http://disciply.nl/tmp/"
or domainname like "http://e-bonds.ru/tmp/" or siteurl like "http://e-bonds.ru/tmp/" or url like "http://e-bonds.ru/tmp/"
or domainname like "http://cobyrose.com/tmp/" or siteurl like "http://cobyrose.com/tmp/" or url like "http://cobyrose.com/tmp/"
or domainname like "http://dfbdw3tyge.info/tmp/" or siteurl like "http://dfbdw3tyge.info/tmp/" or url like "http://dfbdw3tyge.info/tmp/"
or domainname like "http://cusnick.com/tmp/" or siteurl like "http://cusnick.com/tmp/" or url like "http://cusnick.com/tmp/"
or domainname like "http://dfbdw3tyge.info/tmp" or siteurl like "http://dfbdw3tyge.info/tmp" or url like "http://dfbdw3tyge.info/tmp"
or domainname like "http://es-koerier.nl/tmp/" or siteurl like "http://es-koerier.nl/tmp/" or url like "http://es-koerier.nl/tmp/"
or domainname like "http://solanges.info/tmp/" or siteurl like "http://solanges.info/tmp/" or url like "http://solanges.info/tmp/"
or domainname like "http://udlg.nl/tmp/" or siteurl like "http://udlg.nl/tmp/" or url like "http://udlg.nl/tmp/"
or domainname like "http://ownmbaego.com/index.php" or siteurl like "http://ownmbaego.com/index.php" or url like "http://ownmbaego.com/index.php"
or domainname like "https://ownmbaego.com/index.php" or siteurl like "https://ownmbaego.com/index.php" or url like "https://ownmbaego.com/index.php"
or domainname like "http://176.46.152.46/" or siteurl like "http://176.46.152.46/" or url like "http://176.46.152.46/"
or domainname like "http://178.16.53.7/" or siteurl like "http://178.16.53.7/" or url like "http://178.16.53.7/"

Detection Query 2 (SHA-256 indicators):
sha256hash IN("fe18dba2d72ccf4a907d07674b18d1bc23e3ea10f66cbf2a79e73000df43b358","d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1","413325dfeddf2287f86ca9998c1f6be2942145a647a14f1bfe1390e738adae61","d38f9ab81a054203e5b5940e6d34f3c8766f4f4104b14840e4695df511feaa30","0b06c6a25000addde175277b2d157d5bca4ab95cbfe3d984f1dba2ecefa3a4cd")
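As an added example (not part of this advisory and not Gurucul TDIR code), the Python below applies the same two checks the queries express, URL/domain field matching and SHA-256 matching, to a handful of constructed log records. It normalises URLs before comparison, so an https variant, an appended query string, or the trailing-slash difference between the two dfbdw3tyge.info entries does not cause a miss, and it reports a host-only match as a weaker hit. The field names domainname, siteurl, url and sha256hash are taken from the queries above; the record layout and the sample log records are assumptions made for the example.

```python
"""Offline matcher for the SmokeLoader IOCs listed on this page.

Added example, not Gurucul TDIR code: it reproduces the logic of the two
detection queries above (URL/domain fields and sha256hash) over constructed
log records, with normalisation so that scheme, case, query-string and
trailing-slash variants of a listed URL still match.
"""
from urllib.parse import urlsplit

# URL/domain indicators copied from the IOC list above.
IOC_URLS = [
    "http://ardt.info/tmp/",
    "http://disciply.nl/tmp/",
    "http://e-bonds.ru/tmp/",
    "http://cobyrose.com/tmp/",
    "http://dfbdw3tyge.info/tmp/",
    "http://cusnick.com/tmp/",
    "http://dfbdw3tyge.info/tmp",
    "http://es-koerier.nl/tmp/",
    "http://solanges.info/tmp/",
    "http://udlg.nl/tmp/",
    "http://ownmbaego.com/index.php",
    "https://ownmbaego.com/index.php",
    "http://176.46.152.46/",
    "http://178.16.53.7/",
]

# SHA-256 indicators copied from the IOC list above (kept lower-case).
IOC_SHA256 = {
    "fe18dba2d72ccf4a907d07674b18d1bc23e3ea10f66cbf2a79e73000df43b358",
    "d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1",
    "413325dfeddf2287f86ca9998c1f6be2942145a647a14f1bfe1390e738adae61",
    "d38f9ab81a054203e5b5940e6d34f3c8766f4f4104b14840e4695df511feaa30",
    "0b06c6a25000addde175277b2d157d5bca4ab95cbfe3d984f1dba2ecefa3a4cd",
}


def normalize_url(value):
    """Reduce a URL or bare host to a (host, path) key.

    Scheme, port, query string and fragment are dropped, the host is
    lower-cased and a trailing slash is stripped, so "https://X/tmp/",
    "http://X/tmp" and "X/tmp/?a=1" all produce ("x", "/tmp").
    """
    if "://" not in value:
        value = "http://" + value
    parts = urlsplit(value)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


IOC_KEYS = {normalize_url(u) for u in IOC_URLS}
IOC_HOSTS = {host for host, _ in IOC_KEYS}

# Same field names the TDIR queries above test.
URL_FIELDS = ("domainname", "siteurl", "url")


def match_record(record):
    """Return the list of IOC hits for one log record (empty if clean)."""
    hits = []
    for field in URL_FIELDS:
        value = record.get(field)
        if not value:
            continue
        host, path = normalize_url(value)
        if (host, path) in IOC_KEYS:
            hits.append(f"{field}: listed URL {host}{path}")
        elif host in IOC_HOSTS:
            # Host is on the list but the path is not: weaker, still worth a look.
            hits.append(f"{field}: listed host {host} (unlisted path {path})")
    digest = (record.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256hash: listed sample {digest[:12]}...")
    return hits


def scan(records):
    """Run match_record over an iterable of records; keep only the hits."""
    return [
        {"host": r.get("host", "?"), "hits": h}
        for r in records
        if (h := match_record(r))
    ]


# Constructed sample records (not real telemetry), one per variant worth testing.
SAMPLE_LOGS = [
    {"host": "wks-01", "url": "https://ardt.info/tmp/"},               # https instead of http
    {"host": "wks-02", "url": "http://ownmbaego.com/index.php?id=1"},  # query string appended
    {"host": "wks-03", "sha256hash": "FE18DBA2D72CCF4A907D07674B18D1BC23E3EA10F66CBF2A79E73000DF43B358"},
    {"host": "wks-04", "domainname": "dfbdw3tyge.info/"},              # listed host, root path only
    {"host": "wks-05", "url": "http://example.org/tmp/"},              # benign, same path
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["host"], "->", "; ".join(hit["hits"]))
```

The host-only branch is the practical point: once the loader's operators rotate the /tmp/ path, an exact-URL query stops matching while the domain is still the same, so where the platform allows it the production query should match on the host (or host plus path prefix) rather than the full URL string.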
Reference:
https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes#introduction