{
	"id": "b493590d-f3bc-42b6-940e-63e6f74c7b97",
	"created_at": "2026-04-06T00:07:23.904567Z",
	"updated_at": "2026-04-10T03:21:25.365701Z",
	"deleted_at": null,
	"sha1_hash": "2d5b9892c800e6ccbdeeddd7ef945edcbfa8bbff",
	"title": "Alleged SmokeLoader malware operator facing federal charges in Vermont",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82885,
	"plain_text": "Alleged SmokeLoader malware operator facing federal charges in\r\nVermont\r\nBy Jonathan Greig\r\nPublished: 2025-04-18 · Archived: 2026-04-05 23:11:39 UTC\r\nAn alleged operator of the SmokeLoader malware is now facing federal hacking charges in Vermont after\r\naccusations that he stole personal information on more than 65,000 people.\r\nNicholas Moses initially had charges filed in North Carolina this week, but the case was transferred to federal\r\nprosecutors in Vermont on Wednesday. \r\nCourt documents accuse Moses, operating under the alias “scrublord,” of operating “a computer malware program\r\nknown as SmokeLoader.”\r\n“Moses deployed the malware as a means to harvest personal information and passwords from victims without the\r\nknowledge of the owners of the victim computers,\" prosecutors said. \r\n\"Thousands of computers around the world have been infected with the SmokeLoader malware by Moses and\r\nover 65,000 victims have had their personal information and passwords stolen by Moses.”\r\nAt least one of the victims named in the initial filing is a Charlotte-based FDIC-insured financial institution.\r\nMoses is being charged with one count of conspiracy to commit fraud and related activity in connection with\r\ncomputers. \r\nFrom at least January 2022 to May 2023, Moses allegedly maintained a command and control server located in the\r\nNetherlands to deploy the SmokeLoader malware and receive stolen data from victim computers.\r\nIn one November 30, 2022 incident, Moses allegedly participated in a chat where he \"provided the usernames and\r\npasswords for victim accounts with multiple video on-demand streaming services which were acquired through\r\nthe SmokeLoader infostealer.”\r\nMoses claimed he had acquired \"over half a million stealer logs\" and that he sold stolen victim credentials and\r\npasswords for about $1 to $5 each, prosecutors said. 
\r\nMoses also shared a screenshot of the SmokeLoader interface which showed a database of 619,763 files\r\ncontaining stolen victim data.\r\nThe Justice Department did not respond to requests for comment, and it’s unclear why the case was transferred to\r\nVermont. One of the documents attached to the charges appears to show that Moses pleaded guilty to the charge in\r\nVermont. \r\nSmokeLoader is a complex malware strain primarily functioning as a loader, which downloads stealthier or more\r\neffective malicious software into the system. However, because of its modular design, SmokeLoader can perform\r\na wide range of functions, including stealing credentials, executing distributed denial-of-service (DDoS) attacks\r\nand intercepting keystrokes.\r\nThe price for this malicious toolkit varies, with options ranging from $400 for the basic bot to $1,650 for the\r\ncomplete package, featuring all available plugins and functions. According to previous reports, the malware has\r\nbeen advertised on underground forums since 2011.\r\nThe tool has been used widely among Russian cybercriminals and state actors, particularly in attacks targeting\r\nUkraine. \r\nEuropol ‘Endgame’ raids\r\nLast week, officials from Europol announced follow-up actions to a massive botnet takedown codenamed\r\nOperation Endgame in May 2024, which shut down the biggest malware droppers, including IcedID, SystemBC,\r\nPikabot, Bumblebee and SmokeLoader. \r\nEuropol said that in early 2025, a coordinated series of arrests, house searches and so-called ‘knock and talks’\r\nwere conducted involving customers of the SmokeLoader pay-per-install botnet, operated by the actor known as\r\n‘Superstar.’\r\nAt least five unnamed people were arrested or detained as part of the operation. Multiple law enforcement\r\nagencies in Canada, Denmark, the Czech Republic, France, Germany, the Netherlands and the U.S. 
followed the\r\nleads uncovered in Operation Endgame to link online personas and their usernames to real-life individuals.\r\n“When called in for questioning, several suspects chose to cooperate with the authorities by facilitating the\r\nexamination of digital evidence stored on their personal devices,” Europol explained. \r\n“Several suspects resold the services purchased from SmokeLoader at a markup, thus adding an additional layer of\r\ninterest to the investigation. Some of the suspects had assumed they were no longer on law enforcement’s radar,\r\nonly to come to the harsh realisation that they were still being targeted.” \r\nThey noted that Operation Endgame is not over and more actions will eventually be announced. \r\nAdditional Reporting by James Reddick.\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/alleged-smokeloader-operator-charged-in-vermont",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/alleged-smokeloader-operator-charged-in-vermont"
	],
	"report_names": [
		"alleged-smokeloader-operator-charged-in-vermont"
	],
	"threat_actors": [],
	"ts_created_at": 1775434043,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d5b9892c800e6ccbdeeddd7ef945edcbfa8bbff.pdf",
		"text": "https://archive.orkl.eu/2d5b9892c800e6ccbdeeddd7ef945edcbfa8bbff.txt",
		"img": "https://archive.orkl.eu/2d5b9892c800e6ccbdeeddd7ef945edcbfa8bbff.jpg"
	}
}