{
	"id": "e302704f-9afd-4b0b-9f4d-5ff44581ef18",
	"created_at": "2026-04-06T01:29:47.802163Z",
	"updated_at": "2026-04-10T03:21:56.507739Z",
	"deleted_at": null,
	"sha1_hash": "564862d8d8d9192f643dbf505238902894ce8be4",
	"title": "Technical Analysis of SmokeLoader Version 2025 | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 573761,
	"plain_text": "Technical Analysis of SmokeLoader Version 2025 | ThreatLabz\r\nBy ThreatLabz\r\nPublished: 2025-09-15 · Archived: 2026-04-06 01:27:48 UTC\r\nIn this section, we will analyze the two latest versions of SmokeLoader: version 2025 alpha and version 2025. Note that version 2025 alpha identifies itself as version 2022 when communicating with the C2 server. However, the compilation timestamps for these samples date back to around February 2025. SmokeLoader consists of two main components: a stager and a main module. The stager’s main purposes are to hinder analysis, detect virtual environments (and terminate if present), and inject the SmokeLoader main module into explorer.exe. The main module performs the bulk of the malicious functionality, including establishing persistence, beaconing to the C2 server, and executing tasks and plugins.\r\nSmokeLoader stager\r\nIn a previous blog, ThreatLabz identified significant bugs in SmokeLoader versions 2018 through 2022 that caused performance degradation on an infected system. This was caused by several factors, including a scheduled task (used for persistence) that executed SmokeLoader’s stager every 10 minutes. Since SmokeLoader’s stager did not check whether the main module was already running (via a mutex), the stager would allocate memory in explorer.exe and inject a new copy of SmokeLoader’s main module every 10 minutes. In addition, the main module created two threads to identify and disable analysis tools before checking whether SmokeLoader was already running. As a result, two new threads in explorer.exe were also created every 10 minutes.\r\nBug fixes\r\nIn order to address these performance issues, the SmokeLoader developer added a new mutex check into the stager’s code starting with version 2025 alpha. Thus, the newer SmokeLoader stagers will first verify whether the machine-specific SmokeLoader mutex name exists. If the mutex already exists, the stager will terminate immediately and will not inject the SmokeLoader main module into explorer.exe. The SmokeLoader mutex name format was also modified; previously, the mutex name was identical to the bot ID, consisting of 40 uppercase hexadecimal characters. Starting with version 2025 alpha, the mutex name has a variable length and consists of lowercase alphabetic letters. The mutex name and length are now determined by a pseudo-random number generator that is seeded with the first 4 bytes of the SmokeLoader bot ID. The following Python code replicates the algorithm that is used to generate SmokeLoader’s mutex name and length for versions 2025 alpha and 2025.\r\n\r\ndef generate_mutex(bot_id: bytes) -\u003e str:\r\n    def uint32(val: int) -\u003e int:\r\n        return val \u0026 0xffffffff\r\n\r\n    def rand(mod: int) -\u003e int:\r\n        # Linear congruential generator step using SmokeLoader's hardcoded constants\r\n        nonlocal seed\r\n        seed = uint32(uint32(0x41c64e6d * seed) + 0x33bd)\r\n        return seed % mod\r\n\r\n    # Seed the PRNG with the first 4 bytes of the bot ID (little-endian)\r\n    seed = int.from_bytes(bot_id[:4], \"little\")\r\n    # Mutex length is between 20 and 39 characters\r\n    mutex_len = rand(20) + 20\r\n    print(\"mutex len:\", mutex_len)\r\n    mutex = bytearray()\r\n    for i in range(mutex_len):\r\n        # Each character is a lowercase letter a-z\r\n        val = rand(26)\r\n        mutex.append(val + ord('a'))\r\n    return mutex.decode()\r\n\r\nAnother bug fix is that the creation of the two anti-analysis threads (which terminate malware analysis tools) now occurs after the mutex check. Therefore, if the mutex check fails, those two threads will no longer be created. These SmokeLoader bug fixes are illustrated in the diagram below.\r\nFigure 1: SmokeLoader execution process control flow comparison with versions before (red) and after (green) 2025 alpha.\r\nSmokeLoader 2025 stager changes\r\nAlthough the stager for version 2025 alpha fixed the bug of injecting SmokeLoader continuously into the explorer.exe process, the remaining parts of the code were largely unchanged. However, in SmokeLoader’s version 2025 stager, additional changes were introduced, including the following:\r\nImplemented a new function to decrypt code blocks by adding a hardcoded value to each byte before execution.\r\nDynamically calculates RVAs (by performing an XOR operation with a constant) when decrypting code.\r\nAdded new 64-bit shellcode to inject the main module into explorer.exe.\r\nThe green lines illustrate these new updates to SmokeLoader starting in version 2025 alpha. For comparison, the dotted red lines indicate the process control flow for versions prior to 2025 alpha.\r\nMain module\r\nThe main module of SmokeLoader has received a number of updates in both version 2025 alpha and 2025, with significant overlap between the two versions. Since the mutex generation algorithm was moved to the stager, the mutex string is passed to the main module, where the mutex is created if it does not already exist. If the mutex name exists (which in theory should never happen due to the check in the stager), SmokeLoader terminates.\r\nIn both versions, various constants are obfuscated using a simple function that performs an XOR operation with a hardcoded value (that changes per sample). In version 2025, the obfuscated constants include the value 0xF001F (SECTION_ALL_ACCESS) that is passed to the function NtCreateSection. However, in version 2025 alpha, different constants are obfuscated, including the SmokeLoader version number as shown below.\r\nFigure 2: Example of SmokeLoader version 2025 alpha constant obfuscation\r\nIn version 2025, there is an additional language check that determines whether the victim’s keyboard layout is Russian (and not Ukrainian). If a Russian keyboard layout is detected, SmokeLoader terminates itself. Interestingly, a very similar check is already present in SmokeLoader’s stager, so this code is somewhat redundant.\r\nAnother change in the main module concerns the file mapping name: in versions prior to 2025, it consisted of the bot ID appended with “FF” characters. In version 2025, the file mapping name is the hash of the bot ID (as a string) converted to uppercase hexadecimal characters (without “FF” characters appended).\r\nScheduled task name\r\nPrevious versions of SmokeLoader used the format string Firefox Default Browser Agent %hs for the scheduled task that established persistence. Starting with version 2025 alpha, SmokeLoader uses the format string MicrosoftEdgeUpdateTaskMachine%hs. In both cases, the %hs in the task name is replaced by the first 16 characters of the victim bot ID. Interestingly, the SmokeLoader developer removed the space between the fake browser string prefix and the bot ID, which is likely an oversight.\r\nVersion 2025 network protocol\r\nWhile the 2025 alpha variant utilizes the same network protocol as version 2022, there were modest adjustments made in version 2025. For example, the two-byte version number now reports the value 2025 (0x7e9) instead of 2022 (0x7e6). Version 2025 also updated the request to include a four-byte CRC32 value at byte offset 2. The CRC32 checksum is computed on the bytes following offset 6 (that start with the bot ID) as shown in the figure below.\r\nFigure 3: SmokeLoader version 2025 beacon format\r\nThe response format in version 2025 was also slightly modified. Previously, the first 4 bytes of the C2 response contained the length of the command. This length value is now obfuscated via an XOR operation with the sample’s RC4 encryption key.\r\nSource: https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes"
	],
	"report_names": [
		"smokeloader-rises-ashes"
	],
	"threat_actors": [],
	"ts_created_at": 1775438987,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/564862d8d8d9192f643dbf505238902894ce8be4.pdf",
		"text": "https://archive.orkl.eu/564862d8d8d9192f643dbf505238902894ce8be4.txt",
		"img": "https://archive.orkl.eu/564862d8d8d9192f643dbf505238902894ce8be4.jpg"
	}
}