Pulse: Operation Endgame: Up In Smoke
Source: AlienVault (TLP:WHITE), published 2024-05-30, modified 2024-05-30
12 IOCs, medium volume
A detailed technical analysis of Smoke malware loader, also known as SmokeLoader or Dofoil, which has been operational since 2011. Smoke is primarily used to deliver second-stage malware payloads like trojans, ransomware, and information stealers, and can also deploy custom plugins for various malicious activities. The analysis covers Smoke's persistence mechanisms, network communication, and remote cleanup process, and how the international law enforcement operation 'Endgame' disrupted its infrastructure and remotely uninstalled the malware.
MITRE ATT&CK techniques: none listed
Malware families: SmokeLoader
Indicators of Compromise (12): all 12 indicators are of type domain, with no description, created 2024-05-30.