{
	"id": "79e3b07f-68ac-44b7-a5ec-b80fe5644f37",
	"created_at": "2026-04-06T00:18:49.695044Z",
	"updated_at": "2026-04-10T03:21:18.422966Z",
	"deleted_at": null,
	"sha1_hash": "d0dddf032d0754bbc1f9ecf25ab9e16cd73aaa2e",
	"title": "Malware | Smoke Loader malware improves after Microsoft spoils its Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 541356,
	"plain_text": "Malware | Smoke Loader malware improves after Microsoft spoils its Campaign\r\nArchived: 2026-04-05 14:02:07 UTC\r\nIntroduction\r\nEarly this year, in March 2018, Microsoft’s Windows Defender Research Team in Redmond published some interesting insights into a massive malware campaign distributing a dropper/loader called Smoke Loader (also known as Dofoil). The main purpose of the documented campaign was to distribute a coin miner payload that uses infected machines to mine crypto currencies. Within 12 hours, Windows Defender recorded more than 400,000 instances, but could deploy appropriate countermeasures on computers running Windows within seconds. As further analysis from Spamhaus Malware Labs revealed, these countermeasures did not go unnoticed by the malware authors behind Smoke Loader.\r\nApparently, in reaction to Microsoft’s countermeasures, the malware authors behind Smoke Loader made some significant code changes in order to bypass Windows Defender and other Antivirus software. These code changes include:\r\nChange in the infection techniques\r\nIntroduction of 64bit payload\r\nAnti-VM and Anti-Analysis techniques in the packer\r\nWhat stands out with Smoke Loader is that the packer and the main executable (the unpacked payload) are tied to each other. The unpacked payload must be loaded by the packer in order to run. In addition, the unpacked code checks for certain markers created by the packer before it runs. When Smoke Loader gets executed in a sandbox (for example a virtual environment), the sample fails to start. The reason for this is the Anti-VM and Anti-Analysis techniques that Smoke Loader recently implemented in its code. 
An initial examination under IDA reveals that the code is obfuscated with jump chains whose sole purpose is to make static analysis harder.\r\nhttps://www.spamhaus.org/news/article/774/smoke-loader-malware-improves-after-microsoft-spoils-its-campaign\r\nPage 1 of 10\r\n[Figure: Runtrace]\r\nThe code at line number 19 (0040295C Main CMP DWORD PTR DS:[EAX+A4],) reveals that Smoke Loader checks the version of the operating system in the PEB structure. If the operating system the malware sample is executed on is older than version 6 (Windows NT 6, which equals Windows Vista), the malware sample immediately stops execution. In addition, there are a handful of other checks based on debugging flags, which can be traced back using the same tracing technique.\r\nFurthermore, the recent Smoke Loader version also overwrites some of its own code section with new instructions that also contain anti-analysis code and code related to packer loading. A call trace helps to determine the functionality of that modified code, as shown below.\r\n[Figure: Anti-VM checks]\r\nThe code snippet shown above checks for certain signs of a virtual environment, for example the presence of certain VirtualBox drivers or certain strings that would identify the environment the malware sample is executed in as Qemu.\r\nIn previous versions, Smoke Loader would create a hollow process and then inject the unpacked code into it. However, after Microsoft spoiled the massive Smoke Loader campaign in March 2018, the most recent version of Smoke Loader injects itself into a running instance of Windows Explorer (explorer.exe) instead of creating a hollow process. The injection is now based on the same technique as used by PowerLoader, which uses SendNotifyMessage for code injection. 
Also, while previous versions of Smoke Loader used 32bit code, the most recent version of Smoke Loader contains 64bit code in order to inject itself into explorer.exe on computers running a 64bit operating system.\r\n[Figure: Smoke Loader injecting into explorer.exe]\r\nThe following code change highlights that the final payload is supposed to run as a thread instead of a separate process.\r\n[Figure: Previous version (process based)]\r\n[Figure: Recent version (thread based)]\r\nThe packer creates a shared file map which contains various information on the initial infection, such as the packed binary. This file map is later used by the executing thread.\r\n[Figure: Shared file map]\r\nThe name of the shared file map is generated from the VolumeSerialNumber of the root drive of the infected machine. This shared file map can be used as an indicator of compromise (IOC).\r\nAdditional changes in the code\r\nWhile the string encoding algorithm previously used by Smoke Loader was based on xor, the most recent version includes RC4 based string encryption, as highlighted on the screenshot above.\r\n[Figure: RC4 based string decryption]\r\nThe following IDA python script can help with static decoding of Smoke Loader:\r\ndownload\r\nIn earlier versions of Smoke Loader, the botnet controller domain names (C\u0026C) were encoded using an algorithm that was based on a simple xor subtraction:\r\nimport array\r\nimport struct\r\n\r\ndef Decodec2(data):\r\n    # data is bytes: byte 0 is the XOR key, byte 4 the packed length, the payload starts at offset 5\r\n    XorKey = struct.unpack(\"\u003cB\", data[0:1])[0]\r\n    dst = array.array(\"B\")\r\n    base = data[5:]\r\n    PackLen = struct.unpack(\"\u003cB\", data[4:5])[0]\r\n    print(PackLen)\r\n    for i in range(0, PackLen - 1, 2):\r\n        # each output byte is the difference of two consecutive XOR-decoded input bytes\r\n        dst.append((((base[i] ^ XorKey) \u0026 0xff) - ((base[i + 1] ^ XorKey) \u0026 0xff)) \u0026 0xff)\r\n    return dst.tobytes()\r\nThe most recent version of Smoke Loader has been modified by the authors to make use of a more complex encoding scheme which is based on multiple operations:\r\nimport array\r\nimport struct\r\n\r\ndef swap32(x):\r\n    # byte-swap a 32-bit value\r\n    return (((x \u003c\u003c 24) \u0026 0xFF000000) |\r\n            ((x \u003c\u003c 8) \u0026 0x00FF0000) |\r\n            ((x \u003e\u003e 8) \u0026 0x0000FF00) |\r\n            ((x \u003e\u003e 24) \u0026 0x000000FF))\r\n\r\ndef Decodec2(buf):\r\n    # buf is bytes: byte 0 is the encoded length, the encoded bytes follow, then the 4-byte XOR key\r\n    BufLen = struct.unpack(\"\u003cB\", buf[0:1])[0]\r\n    print(\"[] Buf len = %d\" % BufLen)\r\n    XORDword = struct.unpack(\"\u003cI\", buf[BufLen + 1 : BufLen + 1 + 4])[0]\r\n    print(\"[] XorDword is %d\" % XORDword)\r\n    XORDword = swap32(XORDword)\r\n    print(hex(XORDword))\r\n    dst = array.array(\"B\")\r\n    for i in buf[1:BufLen + 1]:\r\n        # XOR the byte with all four key bytes, consuming the key one byte at a time\r\n        x = i ^ (XORDword \u0026 0xff)\r\n        XORDword = XORDword \u003e\u003e 8\r\n        x = x ^ (XORDword \u0026 0xff)\r\n        XORDword = XORDword \u003e\u003e 8\r\n        x = x ^ (XORDword \u0026 0xff)\r\n        XORDword = XORDword \u003e\u003e 8\r\n        x = x ^ (XORDword \u0026 0xff)\r\n        # negate modulo 256, then subtract one (8-bit wrap-around)\r\n        x = x - (1 \u003c\u003c 8)\r\n        x = -x \u0026 0xff\r\n        x = (x - 1) \u0026 0xff\r\n        print(chr(x), end=\"\")\r\n        dst.append(x)\r\n        # reload the key for the next byte\r\n        XORDword = swap32(struct.unpack(\"\u003cI\", buf[BufLen + 1 : BufLen + 1 + 4])[0])\r\n    print()\r\n    return dst.tobytes()\r\nAn HTTP request from Smoke Loader to the botnet controller (C\u0026C server) consists of some internal constants as well as system information from the infected machine. 
The request is formatted as shown below.\r\n[Figure: C2 packet format]\r\nThe HTTP response from the botnet controller (C\u0026C server) is typically an RC4 encrypted payload that can include multiple so-called “plugins” (such as the coin miner mentioned by the Windows Defender Team). The RC4 encrypted payload also includes one of the following commands:\r\ni - Download a file from the http location field, using command ID 102\r\nr - Uninstall Dofoil from the system (followed by an ack packet using command ID 114)\r\nu - Update Dofoil (download the updated binary from the http location field)\r\nBased on the way Smoke Loader calculates the mutex name on an infected machine, we can create a vaccine to prevent Smoke Loader from infecting a machine:\r\n#define WIN32_LEAN_AND_MEAN\r\n#include \u003cwindows.h\u003e\r\n#include \u003cwincrypt.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstring.h\u003e\r\n\r\n/* MD5-hash len bytes of data and append the uppercase hex digest to out */\r\nvoid MD5(BYTE *data, ULONG len, char *out)\r\n{\r\n    HCRYPTPROV hProv = 0;\r\n    HCRYPTHASH hHash = 0;\r\n    BYTE rgbHash[16] = {0};\r\n    DWORD cbHash = 16;\r\n    char hash[3] = {0};\r\n    int i = 0;\r\n    CryptAcquireContext(\u0026hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);\r\n    CryptCreateHash(hProv, CALG_MD5, 0, 0, \u0026hHash);\r\n    CryptHashData(hHash, data, len, 0);\r\n    CryptGetHashParam(hHash, HP_HASHVAL, rgbHash, \u0026cbHash, 0);\r\n    for (i = 0; i \u003c 16; i++)\r\n    {\r\n        sprintf(hash, \"%.2X\", rgbHash[i]);\r\n        strcat(out, hash);\r\n    }\r\n    CryptDestroyHash(hHash);\r\n    CryptReleaseContext(hProv, 0);\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n    char Source[265] = {0};\r\n    char md5Sum[64] = {0};      /* 32 hex digits + 8 hex digits + NUL */\r\n    char FtString[MAX_COMPUTERNAME_LENGTH + 0x20] = {0};\r\n    char CompName[MAX_COMPUTERNAME_LENGTH + 0x10] = {0};\r\n    DWORD ComNameSize = MAX_COMPUTERNAME_LENGTH + 1;\r\n    DWORD lpVolumeSerialNumber = 0;\r\n    GetComputerNameA(CompName, \u0026ComNameSize);\r\n    GetSystemDirectoryA(Source, 260);\r\n    Source[3] = 0x00;   /* keep only the drive root of the system directory */\r\n    GetVolumeInformationA(Source, 0, 0, \u0026lpVolumeSerialNumber, 0, 0, 0, 0);\r\n    /* same input Smoke Loader hashes: computer name, fixed constant and volume serial number */\r\n    sprintf(FtString, \"%s%08X%08X\", CompName, 0xFEE7D621, lpVolumeSerialNumber);\r\n    MD5((BYTE *)FtString, (ULONG)strlen(FtString), md5Sum);\r\n    /* the mutex name is the hex digest followed by the volume serial number */\r\n    sprintf(md5Sum + strlen(md5Sum), \"%08X\", lpVolumeSerialNumber);\r\n    printf(\"%s\", md5Sum);\r\n    CreateMutexA(0, 0, md5Sum);\r\n    while (1) Sleep(0x1000);\r\n}\r\nDuring the binary code analysis, Spamhaus Malware Labs found some sections in the code that are obviously being used by the author of Smoke Loader for debugging purposes. This shows that Smoke Loader is still under heavy development by its authors and is constantly evolving.\r\n[Figure: Debug variables]\r\nConclusion\r\nSince late 2017, Spamhaus Malware Labs has identified more than 8,000 Smoke Loader malware samples which call out to over 1,000 unique botnet controllers (C\u0026C servers). In addition to the latest code changes made by the authors of Smoke Loader in response to the countermeasures by Windows Defender, we also see a trend in certain Smoke Loader campaigns that are shifting away from the official TLDs to decentralized TLDs (dTLDs) such as Namecoin’s .bit. 
By using decentralized TLDs for botnet C\u0026C hosting, botnet operators try to make their botnet C\u0026C infrastructure more resilient against takedown attempts by security researchers and law enforcement agencies (LEA).\r\nSpamhaus Malware Labs continues to follow the further development of Smoke Loader and takes the appropriate actions to protect Spamhaus users from this threat.\r\nFurther reading\r\nMicrosoft Secure: Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign\r\nMicrosoft Secure: Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak\r\nMicrosoft Secure: Hunting down Dofoil with Windows Defender ATP\r\nabuse.ch: .bit - The next Generation of Bulletproof Hosting\r\nSpamhaus Botnet Threat Report 2017\r\nSource: https://www.spamhaus.org/news/article/774/smoke-loader-malware-improves-after-microsoft-spoils-its-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.spamhaus.org/news/article/774/smoke-loader-malware-improves-after-microsoft-spoils-its-campaign"
	],
	"report_names": [
		"smoke-loader-malware-improves-after-microsoft-spoils-its-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0dddf032d0754bbc1f9ecf25ab9e16cd73aaa2e.pdf",
		"text": "https://archive.orkl.eu/d0dddf032d0754bbc1f9ecf25ab9e16cd73aaa2e.txt",
		"img": "https://archive.orkl.eu/d0dddf032d0754bbc1f9ecf25ab9e16cd73aaa2e.jpg"
	}
}