{
	"id": "ed448aec-e067-45e3-810d-bd94c4b5823e",
	"created_at": "2026-04-06T00:13:10.126371Z",
	"updated_at": "2026-04-10T03:31:13.715104Z",
	"deleted_at": null,
	"sha1_hash": "1266ace40ef35f924773abcac8ac6cab47d90885",
	"title": "A peek inside the Smoke Malware Loader - Webroot Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1508469,
	"plain_text": "A peek inside the Smoke Malware Loader - Webroot Blog\r\nBy Blog Staff\r\nPublished: 2012-02-04 · Archived: 2026-04-05 16:08:20 UTC\r\nA peek inside the Smoke Malware Loader\r\nFeb 3, 2012 | Threat Lab\r\nThe arms race between security vendors and cybercriminals constantly produces new defensive mechanisms, alongside new attack platforms and malicious tools built to exploit and infect as many people as possible.\r\nContinuing the “A peek inside…” series, in this post I will profile yet another malware loader. This time it’s the Smoke Malware Loader.\r\nThe Smoke Malware Loader is a modular loader; which modules the buyer gets depends on how much they are willing to spend.\r\nSome of its advertised features include:\r\n– Progressive download of different EXEs, which are then run *\r\n– Geo-targeting (download only for specific countries)\r\n– The ability to download files from a URL\r\n– Runs at startup and works invisibly (masked by a trusted process) **\r\n– Detailed statistics on tasks\r\n– Self-update through the bot’s admin panel (locally or remotely) **\r\n– Protection against losing bots if the bot’s domain is blocked **\r\n– Small loader size, ~12.6 KB ***\r\n– Builder usable by “sellers” (for more accurate statistics)\r\n– Statistics on re-launches (useful for assessing the quality of the downloads or of the traffic) **\r\n– “Guest” access to the statistics\r\n– Easy crypting (the loader contains no additional DLLs, overlays, etc., so it is easy to wrap in a crypter)\r\nScreenshots of the command and control interface: [screenshots not reproduced in the text]\r\nThe modular Smoke 
Malware Loader comes with two additional modules. The first module steals saved passwords from popular applications and sends them back to the attacker. The second is a SOCKS proxy module, which turns malware-infected hosts into stepping stones for anonymizing a cybercriminal’s online activities.\r\nThe first module steals passwords from the following FTP clients and file managers:\r\n32bit FTP\r\nBitKinex\r\nBulletProof FTP Client\r\nClassic FTP\r\nCoffeeCup FTP\r\nCore FTP\r\nCuteFTP\r\nDirectory Opus\r\nExpanDrive\r\nFAR Manager FTP\r\nFFFTP\r\nFileZilla\r\nFlashFXP\r\nFling\r\nFreeFTP/DirectFTP\r\nFrigate3 FTP\r\nFTP Commander\r\nFTP Control\r\nFTP Explorer\r\nFTP Navigator\r\nFTP Uploader\r\nFTPRush\r\nLeapFTP\r\nNetDrive\r\nSecureFX\r\nSmartFTP\r\nSoftX FTP Client\r\nTurboFTP\r\nUltraFXP\r\nWebDrive\r\nWebSitePublisher\r\nWindows/Total Commander\r\nWinSCP\r\nWS_FTP\r\nAnd from the following browsers and mail clients:\r\nApple Safari\r\nFlock\r\nGoogle Chrome\r\nInternet Explorer\r\nMozilla Browser\r\nMozilla Firefox\r\nMozilla Thunderbird\r\nOpera\r\nSeaMonkey\r\nThe full version of the password grabber also covers the following IM clients:\r\n\u0026RQ\r\nAIM Pro\r\nDigsby\r\nExcite Private Messenger\r\nFaim\r\nGAIM\r\nGizmo Project\r\nGoogle Talk\r\nICQ/AIM\r\nICQ2003/Lite\r\nICQ99b-2002\r\nIM2 (Messenger 2)\r\nJAJC\r\nMiranda\r\nMSN Messenger\r\nMySpaceIM\r\nOdigo\r\nPaltalk\r\nPandion\r\nPidgin\r\nPSI\r\nQIP\r\nQIP.Online\r\nSIM\r\nTrillian\r\nTrillian Astra\r\nWindows Live Messenger\r\nYahoo! Messenger\r\nAnd how about the price? 
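A short detour before the price list. Two of the clients listed above, FileZilla and WinSCP, show why a grabber module can be this small: the saved password is not protected by anything the malware lacks. FileZilla keeps it in sitemanager.xml, in clear text in older versions and base64-encoded (still fully reversible) in newer ones unless a master password is set; WinSCP, when no master password is configured, writes it to the Password value under its Sessions registry key transformed byte by byte with a fixed XOR, prefixed by username and hostname. The Python below is an added example, not code from the post, and it makes no claim about how Smoke Loader itself is implemented; it recovers both credentials from constructed samples, and the host, user, password and file contents are made up.

```python
import base64
import xml.etree.ElementTree as ET

# --- FileZilla: sitemanager.xml ---------------------------------------------
# Constructed sample shaped like a FileZilla 3 sitemanager.xml entry (not a real capture).
# Old FileZilla versions store <Pass>s3cret</Pass> in the clear; newer ones add
# encoding='base64', which is an encoding, not encryption.
FILEZILLA_SITEMANAGER_XML = '''<FileZilla3 version='3.5.3' platform='windows'>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding='base64'>czNjcmV0</Pass>
      <Name>production site</Name>
    </Server>
  </Servers>
</FileZilla3>
'''

def filezilla_credentials(xml_text):
    # Returns a list of (host, user, password) for every Server entry with a stored password.
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter('Server'):
        host = server.findtext('Host', '')
        user = server.findtext('User', '')
        pw_el = server.find('Pass')
        if pw_el is None or pw_el.text is None:
            continue
        if pw_el.get('encoding') == 'base64':
            password = base64.b64decode(pw_el.text).decode('utf-8')
        else:
            password = pw_el.text          # legacy clear-text storage
        found.append((host, user, password))
    return found

# --- WinSCP: registry Password value (default storage, no master password) ----
# Each byte c is written as hex(~(c ^ 0xA3) & 0xFF), which collapses to c XOR 0x5C,
# so the same function both obfuscates and deobfuscates a byte.
PW_MAGIC = 0xA3
PW_FLAG = 0xFF

def _xform_byte(c):
    return (~(c ^ PW_MAGIC)) & 0xFF

def winscp_obfuscate(hostname, username, password, dummy=0, shift=0):
    # Reproduces the layout WinSCP writes: flag, dummy, length, shift, <shift junk bytes>,
    # then username + hostname + password. WinSCP picks dummy/shift/junk at random;
    # here they are fixed so the output is reproducible.
    data = (username + hostname + password).encode('latin-1')
    out = [PW_FLAG, dummy & 0xFF, len(data), shift]
    out += [0] * shift
    out += list(data)
    return ''.join('%02X' % _xform_byte(b) for b in out)

def winscp_deobfuscate(hex_value, hostname, username):
    # Returns the password, or None if the blob was not written for this host/user.
    vals = [_xform_byte(b) for b in bytes.fromhex(hex_value)]
    i = 0
    flag = vals[i]; i += 1
    if flag == PW_FLAG:
        i += 1                       # skip the dummy byte
        length = vals[i]; i += 1
    else:
        length = flag                # older layout: first byte is the length itself
    i += vals[i] + 1                 # skip the shift count and that many junk bytes
    plain = bytes(vals[i:i + length]).decode('latin-1')
    if flag == PW_FLAG:
        key = username + hostname
        if not plain.startswith(key):
            return None
        plain = plain[len(key):]
    return plain

# Constructed sample of a Password value for host ftp.example.com, user alice (not a real capture).
WINSCP_PASSWORD_VALUE = 'A35C465C3D30353F393A282C7239243D312C3039723F33312F6F3F2E3928'

if __name__ == '__main__':
    for host, user, pw in filezilla_credentials(FILEZILLA_SITEMANAGER_XML):
        print('FileZilla:', host, user, pw)
    print('WinSCP:', winscp_deobfuscate(WINSCP_PASSWORD_VALUE, 'ftp.example.com', 'alice'))
```

Run it directly to print the two recovered passwords. The defensive point is the one the post makes: anything a client can decrypt without asking you for a secret, malware running in your session can decrypt too. Both tools offer a master-password option that raises the bar, and any FTP credential that was stored this way on an infected machine should be treated as compromised and rotated after cleanup.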
The price for the Smoke Malware Loader, with and without the various modules, is as follows (WMZ is the USD-denominated WebMoney unit):\r\n– Loader only (non-resident version) – 150 WMZ\r\n– Loader only (TSR, i.e. memory-resident, version) – 250 WMZ\r\n– Grabber LITE – 100 WMZ **\r\n– Grabber FULL – 150 WMZ **\r\n– SOCKS module – 50 WMZ (version without backconnect) **\r\n– HOSTS module – 25 WMZ **\r\n– Loader rebuild – 10 WMZ\r\n– Updates: minor fixes are free, the rest is negotiated separately\r\n– A grabber can be built to suit the customer’s needs\r\nThe modular nature of the Smoke Malware Loader lets the seller offer flexible pricing plans, potentially lowering the barrier to entry into this market segment. The bot’s password-grabbing functionality is a reminder that you shouldn’t save passwords in the browser, or in FTP and IM clients: once stored there, they are exposed to extraction techniques like the ones used by the Smoke Malware Loader.\r\nUse a dedicated password manager instead, Webroot’s Password Manager for instance. Note that a password manager unlocked on an infected host is within reach of malware running as that user too, so this is a mitigation rather than a substitute for keeping the loader off the machine.\r\nRelated posts:\r\nA peek inside the uBot malware bot\r\nA peek inside the PickPocket Botnet\r\nA peek inside the Cythosia v2 DDoS Bot\r\nA peek inside the Umbra malware loader\r\nYou can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.\r\nAbout the Author\r\nBlog Staff\r\nThe Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.\r\nSource: https://www.webroot.com/blog/2012/02/03/a-peek-inside-the-smoke-malware-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.webroot.com/blog/2012/02/03/a-peek-inside-the-smoke-malware-loader/"
	],
	"report_names": [
		"a-peek-inside-the-smoke-malware-loader"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1266ace40ef35f924773abcac8ac6cab47d90885.pdf",
		"text": "https://archive.orkl.eu/1266ace40ef35f924773abcac8ac6cab47d90885.txt",
		"img": "https://archive.orkl.eu/1266ace40ef35f924773abcac8ac6cab47d90885.jpg"
	}
}