{
	"id": "05e06fad-cb42-4428-9f05-8f594992211c",
	"created_at": "2026-04-06T00:10:06.32625Z",
	"updated_at": "2026-04-10T13:12:59.66996Z",
	"deleted_at": null,
	"sha1_hash": "82e63a468138b162d0a50306b5cfb80d84fe7926",
	"title": "Distribution of SmokeLoader Targeting Ukrainian Government and Companies - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1925556,
	"plain_text": "Distribution of SmokeLoader Targeting Ukrainian Government and Companies - ASEC\r\nBy ATCP\r\nPublished: 2024-01-15 · Archived: 2026-04-05 20:03:07 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) discovered that multiple SmokeLoader malware samples are being distributed to the Ukrainian government and companies. The number of attacks targeting Ukraine appears to have increased recently. The targets confirmed so far include the Ukrainian Department of Justice, public institutions, insurance companies, medical institutions, construction companies, and manufacturing companies. The distributed email, written in Ukrainian, follows the format shown in Figure 1. The body contained invoice-related information, prompting the reader to execute the attached file.\r\nhttps://asec.ahnlab.com/en/60703/\r\nPage 1 of 4\r\nThe attached file is a compressed file (7z) with another compressed file (ZIP) inside. Within this compressed file, an EXE file in SFX format and SmokeLoader disguised with a PDF extension are found.\r\nBecause SmokeLoader has its extension set to PDF, it fails to run properly when the user clicks on the file to execute it. Instead, the file is executed by the SFX that is also inside the compressed file. The overall process can be seen in Figure 4.\r\nFirst, the SFX file creates and executes the PDF and BAT files. The PDF is just a decoy file used to deceive the user, and the BAT file uses the command below to execute SmokeLoader.\r\nBAT command: start = pax0001782.pdf\r\nSmokeLoader is a downloader malware: after connecting to the C&C server, it receives commands and can download additional modules or malware. When executed, it injects itself into explorer.exe, and the malicious activity is carried out through the following process. First, it copies itself as “ewuabsi” into the %AppData% path, where it hides itself and sets the system file attribute. Then, it attempts to connect to the C&C servers listed below, from which LockBit ransomware and various other malware can be additionally downloaded.\r\n[File Detection]\r\nTrojan/Win.FakePDF.R626460 (2023.12.03.02)\r\nDropper/Win.DropperX-gen.R630443 (2024.01.05.01)\r\n[Behavior Detection]\r\nMalware/MDP.Execute.M1567\r\nMD5\r\n7ccf5bb03e59b8c92ad756862ecb96fd\r\n852ce0cea28e2b7c4deb4e443d38595a\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/60703/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/60703/"
	],
	"report_names": [
		"60703"
	],
	"threat_actors": [],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82e63a468138b162d0a50306b5cfb80d84fe7926.pdf",
		"text": "https://archive.orkl.eu/82e63a468138b162d0a50306b5cfb80d84fe7926.txt",
		"img": "https://archive.orkl.eu/82e63a468138b162d0a50306b5cfb80d84fe7926.jpg"
	}
}