{ "id": "e0923032-3b52-4752-bc3f-6d70b8429aef", "created_at": "2026-04-06T00:06:54.442706Z", "updated_at": "2026-04-10T03:36:48.39301Z", "deleted_at": null, "sha1_hash": "7c335345a09f1009ecade5096313de25b76d3985", "title": "Analysis of Smoke Loader in New Tsunami Campaign", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1120338, "plain_text": "Analysis of Smoke Loader in New Tsunami Campaign\r\nBy Kaoru Hayashi\r\nPublished: 2018-12-20 · Archived: 2026-04-05 15:54:27 UTC\r\nOn November 8th, the Japanese Meteorological Agency issued an alert about a fake tsunami warning email\r\nmasquerading as coming from the agency. According to the alert, the email was written in Japanese and asked\r\nrecipients to click the link to confirm their evacuation area from a tsunami after an earthquake. The link in the\r\nemail is not critical information to save your life but malware to steal crucial information from you. The malware\r\nis Smoke Loader, infamous commodity malware used by various cybercriminals since 2011.\r\nSmoke Loader is a modular loader where attackers can select any payload to be installed on the victim by Smoke\r\nLoader. Thus, the final payload can vary between attacks. For example, we previously reported on the Retefe\r\nBanking Trojan being distributed by Smoke Loader in Sweden, and Japan. We have also seen backdoors,\r\nransomware, cryptominers, password stealers, Point-of-Sale (PoS) malware, and banking Trojans installed by\r\nSmoke Loader.\r\nThis attack seems to be aiming to steal credentials from unidentified targets in Japan and took a similar approach\r\nto normal targeted attacks. The attacker registered the fake Japanese government agency domain and ensured the\r\nfile path to the malware on the server is close to the legitimate agency web site. They wrote the lure email in\r\nfluent Japanese and did not distribute it broadly. In late November, the attacker started using another commodity\r\nmalware known as AzoRult. Figure 1 shows the timeline of this attack.\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 1 of 13\n\nFigure 1 Time line of the attack\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 2 of 13\n\nSmoke Loader Analysis\r\nThough it’s been seven years since Smoke Loader first appeared, the author keeps updating the code.\r\nMalwarebytes published an excellent analysis of Smoke Loader in 2016. The samples we looked at added the\r\nfollowing techniques to avoid detection or analysis.\r\nCode obfuscation by junk jump\r\nDecrypts subroutines and encrypts them after execution\r\nEmploys PROPagate trick to inject second stage code into an explorer.exe process\r\nChanges the algorithm of generating the unique ID\r\nEncrypts network traffics and payload file\r\nSome of these techniques were already reported by FireEye and Talos this year. We will focus on the unique ID,\r\nC2 communication, and the payload in this blog.\r\nGenerating a unique ID\r\nInitially, the threat generates a unique ID for the compromised machine from the computer name, the hardcoded\r\nstatic number(0B0D0406), and the volume serial number of the system drive. Smoke Loader uses the unique ID\r\nfor three purposes:\r\nTracking the compromised machine at C2.\r\nEncrypting payload by the ID.\r\nCreating random file names for persistence.\r\nHere’s how to create the unique ID. If the computer name is “Test_PC” and the volume serial number is\r\n“12345678”, the threat appends the three values like the following:\r\n\"Test_PC\" + \"0B0D0406\" + \"12345678\" = \"Test_PC0B0D040612345678\"\r\nand it calculates the MD5 hash value of the string,\r\nMD5(\"Test_PC0B0D040612345678\") = 41EE612602833345FC5BD2B98103811C\r\nIt then appends the volume serial to the hash value and gets the 40 characters unique ID.\r\n\"41EE612602833345FC5BD2B98103811C\" + \"12345678\" =\r\n\"41EE612602833345FC5BD2B98103811C12345678\"\r\nNext, Smoke Loader generates two strings based on the first eight characters and the last eight characters of the\r\nID. Following is the algorithm written in Python.\r\n# the unique ID\r\nid = \"41EE612602833345FC5BD2B98103811C12345678\"\r\ndef makeStrings(_s):\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 3 of 13\n\nresults = \"\"\r\nfor n in _s:\r\nresults += chr((ord(n) - 0x30) + ord('a'))\r\nreturn results\r\nstringA = makeStrings(id[:8]) # \"ebvvgbcg\"\r\nstringB = makeStrings(id[-8:]) # \"bcdefghi\"\r\nSmoke Loader uses these strings for the file name. It copies itself as follows.\r\n%APPDATA%\\Microsoft\\Windows\\[stringA\\[stringB].exe\r\nand it creates following shortcut file to execute the threat when the computer starts.\r\n%StartUp%\\[stringA].lnk\r\nThese two strings look random. However, the attacker always generates two identical strings to the compromised\r\nmachine since it is based on the static values of the environment.\r\nC2 Communication\r\nSmoke Loader contains the following hardcoded C2 address.\r\njma-go[.]jp/js/metrology/jma.php\r\nAn outline of initial C2 communication follows.\r\n1. Smoke Loader sends the encrypted data to C2 by HTTP POST method.\r\n2. C2 server replies HTTP 404 response (Not Found) with encrypted data.\r\n3. Smoke Loader extracts the plugin from C2, encrypts it by using the unique ID, and saves it local disk.\r\n4. Smoke Loader extracts the payload modules from the encrypted plugin file and injects them into an\r\nExplorer.exe process.\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 4 of 13\n\nFigure 2 Initial communication\r\nMaking initial POST data\r\nSmoke Loader creates the data to send C2. At offset 0, there is a marker ‘E207’ followed by the unique ID (Figure\r\n3). The marker is ‘072E’ in little-endian form and ‘2018’ in decimal. Smoke Loader uses the marker every time\r\ncommunicating with C2.\r\nFigure 3 POST data\r\nSmoke Loader finally encrypts the data with RC4 cipher by using the static key 0x161A9A0C and send it to the\r\nC2 by HTTP POST method.\r\nPlugin from C2\r\nThe C2 server responds the plugin data contains the final payload with HTTP 404 status code. Smoke Loader\r\nobtains the encrypted header size from the first DWORD value of the plugin and decrypts the following bytes\r\nwith RC4 cipher by the different static key 0x1D17D70A. Figure 4 shows the plugin data after decryption. It then\r\nverifies the marker ‘E207’ and gets the plugin size which is defined in the \"plugin_size’ variable.\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 5 of 13\n\nFigure 4 Reply data from C2\r\nAfter checking the plugin size, Smoke Loader encrypts plugin data with an RC4 cipher using the unique ID and\r\nsaves it as the following path with the generated string from the ID. Since the file is encrypted with the distinct\r\nvalue to the machine, the file hash is always different on each computer even if the plugin is identical.\r\n%APPDATA%\\Microsoft\\Windows\\[stringA]\\[stringA]\r\nThen Smoke Loader decrypts the saved plugin data. The plugin data has thirteen-byte length header and consists\r\nfrom following values.\r\nOffset Size Value\r\n0x00 DWORD Plugin size\r\n0x04 DWORD Plugin marker, 0xD5A08DD8\r\n0x08 DWORD Unknown, possible plugin identifier\r\n0x0C BYTE Number of modules in the plugin\r\nTable 1 Plugin header\r\nThe plugin can contain multiple modules. In the case of this tsunami campaign, the payload contains six modules.\r\nEach module has a header that includes its size and RC4 key to decrypt.\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 6 of 13\n\nFigure 5 Plugin header and module header\r\nSmoke Loader decrypts a module with RC4 cipher by the specified key. After verifying architecture flag (64 bit or\r\n32 bit) in the module, the threat executes Explorer.exe process and injects the module into the process. Since the\r\nthreat repeats this the number of modules times, there should be multiple Explorer.exe processes on the\r\ncompromised machine.\r\nPayload Modules\r\nTable 2 shows the list of modules in this campaign. There are three types of functions in two architectures.\r\nModule Architecture Function\r\n1 32 bit Stealing stored credential from browsers and email programs\r\n2 64 bit Incomplete porting of Module 1\r\n3 32 bit Stealing data sending from Browsers\r\n4 64 bit Same with Module 3\r\n5 32 bit Stealing login credential from email protocols\r\n6 64 bit Same with Module 5\r\nTable 2 Module list\r\nWhen injecting modules, Smoke Loader passes the configuration data including the following values to the\r\nmodules for C2 communication. Each module has exact same C2 communication code with the loader.\r\nRC4 encryption key for HTTP POST\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 7 of 13\n\nThe unique ID\r\nC2 URL\r\nModule 1\r\nThis module aims to steal stored credentials in following programs.\r\nInternet Explorer\r\nFirefox\r\nChrome\r\nOpera\r\nChromium\r\nYandex\r\nAmigo\r\nQQBrowser\r\nOutlook\r\nThunderbird\r\nWinSCP\r\nModule 2 contains a partial code of Module 1 but appears to be in the under development phase.\r\nModules 3 and 4\r\nThese modules hook APIs and steals all data being sent data from following browsers.\r\nFirefox\r\nInternet Explorer\r\nEdge\r\nChrome\r\nOpera\r\nModules 5 and 6\r\nThese modules hook APIs and steals user id, password, and their associated remote ftp and email server addresses\r\non following protocols.\r\nFTP on port 21\r\nSMTP on port 25, 587, 2525\r\nPOP3 on port 110\r\nIMAP on port 143\r\nInfrastructures and another tools\r\nA person registered the domain name jma-go[.]jp on Oct 30, 2018. The domain does not have a second level\r\ndomain name, such as .co.jp nor .ne.jp. It is defined as General-use JP domain name by JPNIC. In the definition,\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 8 of 13\n\nJPNIC described the registration requirements of the general-use JP domain name as following.\r\n‘In the general-use JP domain name system, we have established what we call a \"local presence\" prerequisite,\r\nwhich asks for a connection or relationship with Japan.‘\r\nAccording to the Whois information of the domain, the domain was owned by a person who has a postal address\r\nin Russia and uses a Gmail address. The registrant may change the postal address after registration or could prove\r\na connection or relationship with Japan.\r\nThe same person also registered another eight domains with the same Gmail address. We found that the three of\r\nthe domains were used in attacks involving the Android banking trojan/password stealing malware, Marcher from\r\nFeb to March in 2018. We haven’t identified the targets of the mobile malware yet. Following is the sample list.\r\nDomain Marcher SHA256\r\nSungmap[.]at 254925e47fbfff4786eada6cbcb0805ed79d9bd417955c016236143eb2ecd827\r\nMountainhigh[.]at 75edaae605622e056a40c2d8a16b86654d7ddc772f12c4fc64292a32a96fde7a\r\nRacemodel[.]at 55ae2b00234674d82dcc401a0daa97e7b3921057a07970347815d9c50dddbda8\r\nTable 3 Domains and Marcher hashes\r\nOn November 25, we confirmed that another malware, AzoRult, was served from the same URL previously\r\nserving Smoke Loader. AzoRult is also a commodity malware that steals credentials, cookies, and\r\ncryptocurrencies. This AzoRult accesses the following C2 address, which is a different path on the same C2 server\r\nwith the Smoke Loader.\r\nwww.jma-go[.]jp/java/java9356/index.php\r\nWe observed three AzoRult samples using the same C2 at the time of writing this blog. The attacker distributes\r\nthose files from following URLs.\r\nthunderbolt-price[.]com/Art-and-Jakes/Coupon.scr\r\nbite-me.wz[.]cz/1.exe\r\nthunderbolt-price[.]com was registered in 2012 in Japan, and the Privacy Protection Service protects its registrant\r\ninformation. The website of the domain does not host content at the top page as of today. According to the Google\r\nsearch, the domain appears in shopping related pages from 2014 to 2015. Interestingly, those web pages are low-quality and mostly hosted on hacked web servers. These web pages are likely created for malicious Search Engine\r\nOptimization (SEO) backlinks which gain scores for better page rank in the search engine results. Figure 6 is a\r\nladies’ shoes shopping web page hosted on the website of a construction and building materials company in\r\nTurkey.\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 9 of 13\n\nFigure 6 SEO backlinks on hacked site\r\nThe domain may have been used for a shopping or affiliate site previously, but the owner does not use it for that\r\npurpose anymore. It looks like the attacker compromised the website, which had not been used for few years, and\r\nis using it for distributing AzoRult. However, we don’t know the connection between the attacker and the current\r\nowner of the thunderbolt-price[.]com.\r\nTable 4 shows the timetable of infrastructure changes and timestamp of malware.\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 10 of 13\n\nDate Activities\r\nOct 30, 2018 Registers jma-go[.]jp domain\r\nNov 5, 2018\r\nSmoke Loader\r\n3d75eabb8460450a49e2fb68053d9f591efe5aefd379205e5cc3af574bb9f415\r\nNov 6, 2018\r\nSmoke Loader\r\n8a1aab36c3940e4dd83f489432fa710fba582e254c3a52459c52826d6a822f2d\r\n0db3fd1394b15b98f4e112102cdec6cc569062cdb199b66c5838c54cbc286277\r\nbe3817b9f14df3e0af82ae47b0904ac38d022e2b2d7bb7f8f9800b534b60183c\r\nNov 8, 2018\r\nSmoke Loader\r\n27aa9cdf60f1fbff84ede0d77bd49677ec346af050ffd90a43b8dcd528c9633b\r\nNov 9, 2018\r\nSmoke Loader\r\n42fdaffdbacfdf85945bd0e8bfaadb765dde622a0a7268f8aa70cd18c91a0e85\r\nNov 15, 2018\r\nSmoke Loader\r\nfb3def9c23ba81f85aae0f563f4156ba9453c2e928728283de4abdfb5b5f426f\r\nNov 24, 2018\r\nAzoRult\r\n70900b5777ea48f4c635f78b597605e9bdbbee469b3052f1bd0088a1d18f85d3\r\nNov 25, 2018\r\nSmoke Loadera\r\n1ce72ec2f2fe6139eb6bb35b8a4fb40aca2d90bc19872d6517a6ebb66b6b139\r\nNov 27, 2018\r\nAzoRult\r\n7337143e5fb7ecbdf1911e248d73c930a81100206e8813ad3a90d4dd69ee53c7\r\nNov 30, 2018\r\nChanges the IP address associates with jma-go[.]jp\r\nfrom 47.74.255[.]111 to 149.129.135[.]53\r\nDec 3, 2018 AzoRult7\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 11 of 13\n\n48c94bfdb94b322c876114fcf55a6043f1cd612766e8af1635218a747f45fb9\r\nTable 4 Timetable\r\nConclusion\r\nCommodity malware is widely used by cyber criminals these days. The authors of malware keep updating the\r\ncode to expand the capabilities and trying to gain more customers. As we detailed in this article, Smoke Loader\r\nencrypts network traffic and files with various keys to avoid analysis. We recently published a report of a new\r\nvariant of AzoRult that introduces a new advanced obfuscation technique to evade detection by security products.\r\nAttackers, like those in this tsunami campaign, can pick up malware fitting for their purpose from online threat\r\nmarketplaces.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nAutoFocus customers can track these samples with the Smoke Loader, AzoRult and Marcher.\r\nWildFire detects all files mentioned in this report with malicious verdicts.\r\nTraps blocks all of the files described in this article.\r\nIoC\r\nSmoke Loader Samples\r\n3d75eabb8460450a49e2fb68053d9f591efe5aefd379205e5cc3af574bb9f415\r\n8a1aab36c3940e4dd83f489432fa710fba582e254c3a52459c52826d6a822f2d\r\n0db3fd1394b15b98f4e112102cdec6cc569062cdb199b66c5838c54cbc286277\r\nbe3817b9f14df3e0af82ae47b0904ac38d022e2b2d7bb7f8f9800b534b60183c\r\n27aa9cdf60f1fbff84ede0d77bd49677ec346af050ffd90a43b8dcd528c9633b\r\n42fdaffdbacfdf85945bd0e8bfaadb765dde622a0a7268f8aa70cd18c91a0e85\r\nfb3def9c23ba81f85aae0f563f4156ba9453c2e928728283de4abdfb5b5f426f\r\na1ce72ec2f2fe6139eb6bb35b8a4fb40aca2d90bc19872d6517a6ebb66b6b139\r\nAzoRult Samples\r\n70900b5777ea48f4c635f78b597605e9bdbbee469b3052f1bd0088a1d18f85d3 \r\n7337143e5fb7ecbdf1911e248d73c930a81100206e8813ad3a90d4dd69ee53c7\r\n748c94bfdb94b322c876114fcf55a6043f1cd612766e8af1635218a747f45fb9\r\nMarcher Samples\r\n55ae2b00234674d82dcc401a0daa97e7b3921057a07970347815d9c50dddbda8 \r\n75edaae605622e056a40c2d8a16b86654d7ddc772f12c4fc64292a32a96fde7a\r\n254925e47fbfff4786eada6cbcb0805ed79d9bd417955c016236143eb2ecd827\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 12 of 13\n\nInfrastructures\r\nhttp://jma-go[.]jp/js/metrology/jma.php\r\nhttp://www.jma-go[.]jp/java/java9356/index.php\r\nhttp://jma-go[.]jp/jma/tsunami/tsunami_regions.scr\r\nhttp://thunderbolt-price[.]com/Art-and-Jakes/Coupon.scr\r\nhttp://bite-me.wz[.]cz/1.exe\r\nhttps://racemodel[.]at\r\nhttps://mountainhigh[.]at\r\nhttps://sungmap[.]at\r\nAppendix\r\n.bits domain support\r\nSmoke Loader supports .bit Top Level Domains (TLD). Author of the threat includes the following hard-coded\r\nDNS servers to resolve .bit domains. Though we haven’t seen any .bit domain in Tsunami campaign, we listed the\r\nIP addresses just in case for another attack by the threat.\r\n192.71.245[.]208\r\n58.251.121[.]110\r\n101.226.79[.]205\r\n188.165.200[.]156\r\n185.121.177[.]177\r\n185.121.177[.]53\r\n144.76.133[.]38\r\n169.239.202[.]202\r\n5.135.183[.]146\r\n193.183.98[.]66\r\n51.254.25[.]115\r\n51.255.48[.]78\r\nSource: https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nhttps://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/\r\nPage 13 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/" ], "report_names": [ "analysis-of-smoke-loader-in-new-tsunami-campaign" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434014, "ts_updated_at": 1775792208, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7c335345a09f1009ecade5096313de25b76d3985.pdf", "text": "https://archive.orkl.eu/7c335345a09f1009ecade5096313de25b76d3985.txt", "img": "https://archive.orkl.eu/7c335345a09f1009ecade5096313de25b76d3985.jpg" } }