{
	"id": "93527a63-ab9a-4621-9246-0f2bdaf1e409",
	"created_at": "2026-04-06T00:18:30.10904Z",
	"updated_at": "2026-04-10T13:12:36.437729Z",
	"deleted_at": null,
	"sha1_hash": "61cb77d9b62d6e6f3e6c0adb5d318dd9dcc58d77",
	"title": "Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49514,
	"plain_text": "Unit 42 Collaborative Research With Ukraine’s Cyber Agency To\r\nUncover the Smoke Loader Backdoor\r\nBy Unit 42\r\nPublished: 2024-03-19 · Archived: 2026-04-02 10:53:19 UTC\r\nExecutive Summary\r\nThis article announces the publication of our first collaborative effort with the State Cyber Protection Centre of\r\nthe State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This\r\ncollaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May\r\nto November 2023 from a group the CERT-UA designates as UAC-0006.\r\nUnit 42 has been collaborating with Ukraine for many years to share actionable intelligence and expertise. As the\r\nwar in Ukraine enters its third year, Ukraine faces an all-time high in both volume and severity of cyberattacks.\r\nGlobal threat actors, including nation-states, cybercriminals and hacktivist groups, are seizing the opportunity\r\npresented by the Ukraine conflict for their malicious purposes. The SCPC SSSCIP has identified Smoke Loader as\r\na prominent type of malware used in recent attacks.\r\nAlso known as Dofoil or Sharik, Smoke Loader is a backdoor targeting systems running Microsoft Windows.\r\nThreat actors have advertised this threat on underground forums since 2011. Primarily a loader with added\r\ninformation-stealing capabilities, Smoke Loader has been linked to Russian cybercrime operations and is readily\r\navailable on Russian cybercrime forums.\r\nUkrainian officials have highlighted a surge in Smoke Loader attacks targeting the country’s financial institutions\r\nand government organizations. While Ukraine has seen a rise in Smoke Loader attacks, this malware remains a\r\nglobal threat and continues to be seen in multiple campaigns targeting other countries. 
However, this surge of\r\nattacks suggests a coordinated effort to disrupt Ukrainian systems and extract valuable data.\r\nWhile Smoke Loader can be distributed through web-based vectors, attacks using this malware against Ukraine\r\nhave been detected in malicious emails from phishing campaigns. The SCPC SSSCIP report provides detailed\r\nanalysis on 23 waves of email-based attacks from May 10-Nov. 23, 2023. This report is most beneficial to security\r\nprofessionals who study trends in attack chains, analyze malware or are interested in deep technical analysis and\r\ndetailed indicators of compromise.\r\nTo review the technical aspects of these Smoke Loader campaigns in Ukraine, refer to the SCPC SSSCIP report.\r\nReaders can prevent Smoke Loader and similar malware attacks by prioritizing security measures and cultivating\r\nsmart online habits. Be extremely cautious when opening email attachments or clicking links, especially from\r\nunknown senders. Stick to trusted websites for downloads. Create strong, unique passwords for online accounts,\r\nand stay informed of current cybersecurity threats. These measures can significantly reduce the risk of falling\r\nvictim to malware like Smoke Loader.\r\nhttps://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loader-phishing/\r\nPage 1 of 3\n\nPalo Alto Networks customers are better protected from the Smoke Loader samples in the SCPC SSSCIP report\r\nthrough Cortex XDR and XSIAM, as well as through our Next-Generation Firewall with Cloud-Delivered\r\nSecurity Services, including Advanced WildFire, DNS Security, Advanced Threat Prevention and Advanced URL\r\nFiltering.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nThe UAC-0006 Group\r\nOn May 5, 2023, CERT-UA issued alert CERT-UA#6613, its first notification of Smoke Loader activity under the\r\nUAC-0006 identifier. 
Throughout the remainder of 2023, the CERT-UA published five additional notices on the\r\nUAC-0006 group.\r\nAccording to CERT-UA, the UAC-0006 group ranked first in the category of financial crimes as of December\r\n2023. UAC-0006 uses Smoke Loader to download other malware, and the group uses this additional malware in\r\nattempts to steal funds from Ukrainian enterprises. These attempts represent a significant potential for financial\r\nloss.\r\nWhile CERT-UA has not confirmed a specific threat actor behind these Smoke Loader attacks, various sources\r\nsuspect UAC-0006 might be associated with Russian cybercrime.\r\nConclusion\r\nPalo Alto Networks collaborated with the SCPC SSSCIP to provide actionable threat intelligence to mitigate\r\nSmoke Loader attacks targeting Ukrainian organizations. Our joint research provides valuable insight into how\r\nattackers leverage Smoke Loader in real-world campaigns. This includes understanding initial attack vectors,\r\ntypes of secondary payloads and the overall objective of the attackers. Our research was used to help develop our\r\nmutual defenses and to disrupt the entire attack chain.\r\nFor a deeper understanding of the technical aspects of UAC-0006 Smoke Loader campaigns in Ukraine, read the\r\nSCPC SSSCIP report.\r\nA crucial element of defense against Smoke Loader is prioritizing security measures and cultivating smart online\r\nhabits. Be extremely cautious when opening email attachments or clicking links, especially from unknown\r\nsenders. Stick to trusted websites for downloads, and create strong, unique passwords for all online accounts. Stay\r\ninformed on current cybersecurity threats. 
Such vigilance should significantly reduce the risk of falling victim to\r\nmalware like Smoke Loader.\r\nPalo Alto Networks customers are better protected from Smoke Loader through Cortex XDR and XSIAM, as well\r\nas through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire,\r\nDNS Security, Advanced Threat Prevention and Advanced URL Filtering.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nSource: https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loader-phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loader-phishing/"
	],
	"report_names": [
		"unit-42-scpc-ssscip-uncover-smoke-loader-phishing"
	],
	"threat_actors": [
		{
			"id": "078f7b2a-4e1c-4843-b7cd-353331cd2260",
			"created_at": "2023-11-21T02:00:07.359148Z",
			"updated_at": "2026-04-10T02:00:03.467054Z",
			"deleted_at": null,
			"main_name": "UAC-0006",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0006",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61cb77d9b62d6e6f3e6c0adb5d318dd9dcc58d77.pdf",
		"text": "https://archive.orkl.eu/61cb77d9b62d6e6f3e6c0adb5d318dd9dcc58d77.txt",
		"img": "https://archive.orkl.eu/61cb77d9b62d6e6f3e6c0adb5d318dd9dcc58d77.jpg"
	}
}