{
	"id": "4912c419-59e1-4a48-8f00-2dda68b77fe4",
	"created_at": "2026-04-06T00:12:39.525744Z",
	"updated_at": "2026-04-10T03:20:37.508816Z",
	"deleted_at": null,
	"sha1_hash": "7a7ec5f71e36abf2d64d078766fbf6951dfa78bb",
	"title": "Fake Spectre and Meltdown patch pushes Smoke Loader malware | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 236193,
	"plain_text": "Fake Spectre and Meltdown patch pushes Smoke Loader malware |\r\nMalwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2018-01-11 · Archived: 2026-04-05 16:31:22 UTC\r\nThe Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their\r\nmachines with fixes made available by various vendors.\r\nWhile some patches have created more issues than they fixed, we came across a particular one targeted at German\r\nusers that actually is malware. In fact, German authorities recently warned about phishing emails trying to take\r\nadvantage of those infamous bugs.\r\nWe identified a recently registered domain that is offering an information page with various links to external\r\nresources about Meltdown and Spectre and how it affects processors. While it appears to come from the German\r\nFederal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate\r\nor official government entity.\r\nMoreover, the same fraudulent domain has a link to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip)\r\ncontaining the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.\r\nhttps://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/\r\nPage 1 of 5\n\nUpon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional\r\npayloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending\r\nencrypted information:\r\nhttps://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/\r\nPage 2 of 5\n\nThe Subject Alternative Name field within the abused SSL certificate shows other properties associated with the\r\n.bid domain, including one that is a German template for a fake Adobe Flash Player update.\r\nhttps://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/\r\nPage 3 of 5\n\nWe immediately contacted Comodo and CloudFlare to report on this abuse and within minutes the site did not\r\nresolve anymore thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour\r\nagainst this malware.\r\nOnline criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via\r\nphishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly\r\nwhat the crooks are offering under disguise.\r\nIt’s always important to be cautious, especially when urged to perform an action (i.e. calling Microsoft on a toll-free number, or updating a piece of software) because there’s a chance that such requests are fake and intended to\r\nhttps://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/\r\nPage 4 of 5\n\neither scam you or infect your computer. There are very few legitimate cases when vendors will directly contact\r\nyou to apply updates. If that is the case, it’s always good to verify this information via other online resources or\r\nfriends first.\r\nAlso, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate simply\r\nimplies that the data that transits between your computer and the site is secure, but that has nothing to do with the\r\nintentions or content offered, which could be a total scam.\r\nIndicators of compromise\r\nFraudulent site:\r\nsicherheit-informationstechnik[.]bid\r\nFake patch (Smoke Loader):\r\nsicherheit-informationstechnik.bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip CD\r\nSmoke Loader callbacks:\r\ncoolwater-ltd-supportid[.]ru localprivat-support[.]ru service-consultingavarage[.]ru\r\nSource: https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/\r\nhttps://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/\r\nPage 5 of 5\n\n https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/      \nUpon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional\npayloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending\nencrypted information:       \n   Page 2 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/"
	],
	"report_names": [
		"fake-spectre-and-meltdown-patch-pushes-smoke-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434359,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a7ec5f71e36abf2d64d078766fbf6951dfa78bb.pdf",
		"text": "https://archive.orkl.eu/7a7ec5f71e36abf2d64d078766fbf6951dfa78bb.txt",
		"img": "https://archive.orkl.eu/7a7ec5f71e36abf2d64d078766fbf6951dfa78bb.jpg"
	}
}