{
	"id": "8fcadc91-fcfe-4e33-9958-87dbae00234e",
	"created_at": "2026-04-06T00:12:31.216719Z",
	"updated_at": "2026-04-10T03:20:38.091649Z",
	"deleted_at": null,
	"sha1_hash": "1839fe0967972ecc88db13ced8ff5dcbbdd114e3",
	"title": "SmokeLoader Malware Targets Ukraine’s Auto \u0026 Banking Sectors via Open Directories",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4493567,
	"plain_text": "SmokeLoader Malware Targets Ukraine’s Auto \u0026 Banking Sectors\r\nvia Open Directories\r\nPublished: 2025-02-06 · Archived: 2026-04-05 18:00:22 UTC\r\nTABLE OF CONTENTS\r\nSmokeLoader: A Brief Overview\r\nOpen Directory Findings: What We Discovered\r\nFinal Note\r\nConclusion\r\nNetwork Observables and Indicators of Compromise (IOCs)\r\nHost Observables and Indicators of Compromise\r\nHunt researchers identified an open directory hosting SmokeLoader samples alongside lure documents\r\ntargeting Ukraine's automotive and banking sectors. A second related directory contained the same malware\r\nbut with different lures, suggesting a broader campaign. The misconfigured servers exposed the staging and\r\ndistribution methods used in this campaign, offering direct insight into the threat actor's operational tactics.\r\nSmokeLoader remains a tool for cybercriminals and suspected Russian threat actors, often used for initial access\r\nbefore delivering secondary payloads such as credential stealers and remote access trojans (RATs). Recent reports\r\nhighlight its continued deployment in operations against Ukrainian organizations, reinforcing its role in both\r\ncybercrime and espionage-driven attacks.\r\nThe following sections examine the findings, analyze the malware and lure files, and break down the malicious\r\ninfrastructure supporting this activity.\r\nSmokeLoader: A Brief Overview\r\nFirst identified in 2011, SmokeLoader has evolved into a versatile and persistent threat in the cyber landscape.\r\nOriginally designed as a malware loader, it remains a preferred tool for adversaries due to its lightweight nature\r\nand ability to execute additional payloads on compromised systems. 
Its modular framework allows operators\r\nto tailor functionality, making it effective for both large-scale operations and more targeted intrusions.\r\nWhile SmokeLoader has long been associated with financially motivated campaigns, its presence in\r\noperations against Ukrainian organizations highlights its continued adaptability. Its obfuscation techniques and\r\nability to deliver a variety of secondary malware ensure it remains a reliable choice for threat actors looking to\r\nmaintain access, evade detection, and distribute additional payloads as needed.\r\nOpen Directory Findings: What We Discovered\r\nBrowsing Hunt's AttackCapture™ listing for recently scanned open directories, researchers identified an\r\nexposed server at 2.59.163[.]172, hosted on the Global Connectivity Solutions LLP network in Poland. The\r\ndirectory contained multiple Windows executables and PDF files labeled \"invoce,\" a likely misspelling of\r\n\"invoice.\" The file names suggest the actor leveraged financial-themed lures, a common tactic in phishing\r\ncampaigns.\r\nhttps://hunt.io/blog/smokeloader-malware-found-in-open-directories-targeting-ukraine-s-auto-banking-industries\r\nPage 1 of 9\n\nAs shown in the figure below, Hunt automatically detected and tagged several of these files as SmokeLoader\r\nsamples. A subfolder named \"ukraine\" stands out, suggesting a deliberate focus on Ukrainian targets. 
The\r\ndirectory's structure and contents indicate it was set up to deliver malware rather than being an incidental\r\ncollection of files.\r\nFigure 1: Contents of the open directory at 2.59.163[.]72 in Hunt.\r\nIn AttackCapture™, pivoting on files is as simple as clicking on the three dots next to the file and selecting\r\n\"Search by SHA256.\" In this case, the number next to the option was 2, indicating the same executable file was\r\nhosted in another directory.\r\nThat second server, located at 88.151.192[.]50 and hosted on the Global Connectivity Solutions LLP network in\r\nUkraine, contained the same three Windows files (svc.exe, svc1.exe, and svc2.exe), indicating that both servers\r\nwere likely part of the same staging infrastructure.\r\nFigure 2: Screenshot of similarly named executables in Hunt.\r\nThe above screenshot shows the directory structure closely mirrors our first server, including the \"ukraine\"\r\nsubfolder. However, there are two key differences:\r\n- The PDF files are named invoce.pdf and invoce2.pdf.\r\n- A newly detected file, putty.exe, appeared alongside the SmokeLoader samples. While unrelated to the\r\nfinancial lures, its presence suggests an attempt to deceive users seeking to download or execute the\r\nlegitimate SSH client, a common tactic for malware delivery.\r\nA single domain resolves to this IP, www[.]connecticutproperty[.]ru, which will appear again later in this post.\r\nPDF Lures\r\nAmong the files found on the initial server, a single PDF, \"invoce415.pdf,\" was used in conjunction with the\r\nmalicious files. The document poses as an invoice from Ілта (Ilta), an official importer of Peugeot vehicles in\r\nUkraine since 1992. 
The company provides sales, service, and leasing options for Peugeot, Citroën, and DS\r\nvehicles, making it a plausible lure for targeting individuals or businesses in the automotive sector.\r\nFigure 3: Lure document posing as an invoice for vehicle services.\r\nWhile fake invoices are a common phishing tactic, referencing a well-known Ukrainian business adds\r\ncredibility to the lure, increasing the chances that a recipient will engage with it. This document was likely\r\ndistributed as part of a phishing operation, where the attacker urged the recipient to download and open the file,\r\nleading to the execution of SmokeLoader.\r\nWithin the second directory, the first of the two PDFs, invoce.pdf, appears to be an account statement from\r\nRaiffeisen Bank, a major commercial bank in Ukraine. Raiffeisen was designated a systemically important bank\r\nby the National Bank of Ukraine in 2024.\r\nFigure 4: Screenshot of invoce.pdf mimicking Raiffeisen Bank.\r\nThe second file, invoce2.pdf, is another financial statement dated at the end of July 2024. The document purports\r\nto be from Sense Bank, one of Ukraine's largest financial institutions. Previously known as Alfa-Bank before\r\n2022, Sense Bank remains a recognizable name in the country's financial sector, making it an effective lure for\r\nphishing attempts.\r\nFigure 5: Lure document imitating Sense Bank.\r\nMalware Analysis\r\nRecent reporting from AhnLab and Trend Micro detailed SmokeLoader campaigns leveraging 7-Zip archives\r\nfor delivery. 
While that specific technique was not present in the open directories we analyzed, there were\r\nnoticeable overlaps: lure documents targeting Ukrainian organizations, domains following similar naming\r\npatterns, and a known SmokeLoader command-and-control server.\r\nOnce executed, SmokeLoader injects into explorer.exe and creates a duplicate of itself in the AppData directory\r\nunder the name \"hbasjiu\" to evade detection. It then establishes communication with the following command-and-control servers via HTTP POST requests:\r\n94.156.177[.]72:80\r\n2.59.163[.]71:80\r\nNotably, network traffic analysis revealed that each request contained a dynamically changing Referer header,\r\nwith values generated from domain generation algorithm (DGA) domains.\r\nThe malware's configuration also contained hardcoded domains, though no additional payloads were observed\r\nduring analysis:\r\nhttp://constractionscity1991[.]lat\r\nhttp://restructurisationservice[.]ru\r\nhttp://connecticutproperty[.]ru\r\nFigure 6: Example C2 communications (Source: Joe Sandbox).\r\nFinal Note\r\nHunt users can explore additional open directories hosting SmokeLoader and multiple other malware families in\r\nAttackCapture™ by searching for the tag.\r\nFigure 7: Results of searching AttackCapture™ for the SmokeLoader tag in Hunt.\r\nConclusion\r\nOur findings highlight how open directories continue to expose malware distribution operations, providing\r\ndirect visibility into threat actor infrastructure, targeting, and execution methods. 
The uncovered servers\r\ncontained SmokeLoader samples staged alongside financial-themed lure documents impersonating Ukrainian\r\nbanks and businesses, tactics consistent with previously observed campaigns.\r\nBy tracking open directories, defenders can gain early insight into adversary behaviors, helping to identify\r\nactive malware campaigns before deployment at scale. Researchers can use AttackCapture™ to search for\r\nSmokeLoader and other malware families, uncovering additional staging servers and refining detection strategies.\r\nNetwork Observables and Indicators of Compromise (IOCs)\r\n| IP Address | ASN | Domains | Notes |\r\n| --- | --- | --- | --- |\r\n| 2.59.163[.]172 | GLOBAL CONNECTIVITY SOLUTIONS LLP | N/A | Open directory containing lure PDF documents and SmokeLoader samples. |\r\n| 88.151.192[.]71 | GLOBAL CONNECTIVITY SOLUTIONS LLP | www.connecticutproperty[.]ru | Shares Windows executables with 2.59.163[.]172. |\r\n| 94.156.177[.]72 | Railnet LLC | downloadmanager[.]ru, oncomnigos[.]ru, consultationoffice[.]ru, www[.]spotcarservice[.]ru, www[.]fileexportinc[.]ru, restructurisationservice[.]ru, fileexportinc[.]ru, constractionscity1991[.]lat | Known SmokeLoader C2. The following domains also resolved to 66.63.187[.]25 in late December 2024: constractionscity1991[.]lat, ns2.constractionscity1991[.]lat |\r\nHost Observables and Indicators of Compromise\r\n| Filename | SHA-256 |\r\n| --- | --- |\r\n| invoce415.pdf | 9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188 |\r\n| svc.exe | f8bd5f0408409ea63a270d5aad8da5f0cb557f9a82e0da3e8077cbe589288054 |\r\n| svc1.exe | 1118a93cc63a70ba8348182f7012ddbeecf890345941c82376ac967faf55a295 |\r\n| svc2.exe | 4b00565a29eeb0446393d0538e8f24de232339cf3ffb6a76a2bce3ba160c2066 |\r\n| invoce.pdf | 5e7602b9073b8cf5c1a6afc6d0c8366545da65d2b48eb109f1bd9f40a58e73c0 |\r\n| invoce2.pdf | 7991bfff4eb5f50aa9f5d3d95064411987a29de9621fc5afca9e4978ca568941 |\r\n| putty.exe | f8bd5f0408409ea63a270d5aad8da5f0cb557f9a82e0da3e8077cbe589288054 |\r\nSource: https://hunt.io/blog/smokeloader-malware-found-in-open-directories-targeting-ukraine-s-auto-banking-industries",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/smokeloader-malware-found-in-open-directories-targeting-ukraine-s-auto-banking-industries"
	],
	"report_names": [
		"smokeloader-malware-found-in-open-directories-targeting-ukraine-s-auto-banking-industries"
	],
	"threat_actors": [],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1839fe0967972ecc88db13ced8ff5dcbbdd114e3.pdf",
		"text": "https://archive.orkl.eu/1839fe0967972ecc88db13ced8ff5dcbbdd114e3.txt",
		"img": "https://archive.orkl.eu/1839fe0967972ecc88db13ced8ff5dcbbdd114e3.jpg"
	}
}