Technical Analysis of SmokeLoader Version 2025
AlienVault pulse (TLP:WHITE). Created 2025-09-16, modified 2025-10-16.
SmokeLoader, a modular malware loader active since 2011, has resurfaced with new versions in 2025 after Operation Endgame suppressed its activity. The latest variants, 2025 alpha and 2025, include bug fixes and improvements to evade detection. Key changes include a new mutex check in the stager, modified mutex name generation, and updates to the main module. The network protocol has been slightly adjusted in version 2025, and the scheduled task name for persistence has been updated. These versions fix performance issues and include additional anti-analysis measures. Despite efforts to dismantle it, SmokeLoader continues to evolve and is used by multiple threat groups.
MITRE ATT&CK & Malware Families
Malware families: SmokeLoader (MITRE ATT&CK software entry S0226, Smoke Loader; also tracked as Dofoil).
Indicators of Compromise (40)