{
	"id": "dab33e03-92a6-4f02-b2de-93a0db2b53d4",
	"created_at": "2026-04-10T03:21:46.092306Z",
	"updated_at": "2026-04-10T03:22:18.878373Z",
	"deleted_at": null,
	"sha1_hash": "e2f9fae5758c5eda308b147329a481df0cbaee11",
	"title": "The 2019 Resurgence of Smokeloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86058,
	"plain_text": "The 2019 Resurgence of Smokeloader\r\nBy deugenio\r\nPublished: 2019-07-09 · Archived: 2026-04-10 03:13:55 UTC\r\nA View into New Nasty Tricks and Actor Activity\r\nResearch By: Israel Gubi\r\nBackground\r\nSmokeloader is a popular bot and a veteran in its field – sold on underground cybercriminal markets since\r\n2011, this piece of malware is used mainly for loading other malicious software, usually obtained from a third\r\nparty. At the same time, it has the capability of loading its own modules, allowing it to conduct a variety of actions\r\nwithout the use of external components. The seller of Smokeloader (who is known by the handle SmokeLdr)\r\nis still active in providing this malware as a service to this date, and from what we can tell, restricts access to it to\r\nRussian-speaking users only.\r\nOn the same note, we can tell that the author of Smokeloader has kept changing the malware throughout the years,\r\nand added multiple novel features to it. As an example, it was the only malware to incorporate the Propagate DLL\r\ninjection method at the time it was released as a PoC by researchers.\r\nAs a part of this constant renovation, we were able to spot another new version of the malware a couple of weeks\r\nago. This version employs new tricks for deception and self-protection, which we will outline in the upcoming\r\nsections. 
Additionally, we will give some insight into the activity of one of the actors that makes use of this recent\r\nversion and shed light on the campaigns it was involved in.\r\nUpdates from 2018’s Version\r\nNew anti-hooking and anti-VM methods\r\nSandboxes and other security solutions frequently use user-land hooking of ntdll functions, so as to trace all of the\r\nsystem calls invoked by an inspected sample (Cuckoo sandbox is just one example that employs this technique).\r\nOne of the main goals of a generic malware loader is to remain undetected by such products, and evade this type\r\nof monitoring.\r\nIn order to do so, Smokeloader first creates a new copy of ntdll.dll as a temporary file with a hardcoded name in\r\nthe %APPDATA%\\Local\\Temp directory and then loads it using LdrLoadDll. Following this, it resolves all the\r\nfunctions it requires for its own usage and invokes them from the new copy of ntdll in its memory.\r\nhttps://research.checkpoint.com/2019-resurgence-of-smokeloader/\r\nPage 1 of 12\n\n[Copying and loading ntdll.dll]\r\nConsidering that the monitoring hooks were set on the original ntdll module loaded by the operating system,\r\ninvoking the functions from the in-memory duplicate of it will not report the behaviour of the malware to a third-party\r\nsecurity product, thus allowing Smokeloader to inject code into explorer.exe unnoticed. 
A\r\nsimilar evasion method was observed in use by Hancitor, as previously outlined by MalwareBytes.\r\nMoreover, Smokeloader checks whether it runs in a virtual machine by reading the values of the\r\nfollowing registry keys:\r\nSystem\\CurrentControlSet\\Services\\Disk\\Enum\\IDE\r\nSystem\\CurrentControlSet\\Services\\Disk\\Enum\\SCSI\r\nIt uses the wcsstr function from the untraced ntdll copy to search the values of the keys above for any of the\r\nfollowing substrings: qemu, virtio, vmware, vbox or xen, and if one is present it terminates its\r\nown execution.\r\n[Calling wcsstr from the copied ntdll.dll file]\r\nNew Anti-Debug Method\r\nIn addition to the anti-debug checks used in the older version of Smokeloader, the author added another method,\r\nwhich is rather well known. He made the malware call the API function NtQueryInformationProcess from the\r\ncopy of ntdll, with the information class argument ProcessDebugPort. The result provided by the function\r\nindicates whether a debug port is in use for the malware’s process, i.e. a debugger is attached to it. If a non-null value is retrieved by this function, Smokeloader determines that it is indeed being run under a debugger (and likely by\r\na researcher), and hence aborts its execution.\r\n[NtQueryInformationProcess checking for ProcessDebugPort information]\r\nChanged URL Decode Method\r\nSmokeloader’s C2 domains are encoded using an algorithm based on a custom sequence of arithmetic-logic\r\noperations.\r\nIn the new version, the malware authors changed the method by modifying a single instruction in the sequence,\r\nreplacing a ‘not’ operation with a ‘xor 0xe4’. 
This single modification breaks automated tools intended to\r\nextract the configuration of Smokeloader that relied on the old sequence for this purpose.\r\n[The changed URL decryption method – by one instruction]\r\nChanged Connection Method\r\nSmokeloader uses a particular struct (which we’ll refer to as the connection struct) for the purpose of conveying\r\ninformation on the victim machine to the attacker. This struct has remained mostly the same in the latest version,\r\nexcept for two changes:\r\n1. The magic value (2 bytes at the very beginning of it that identify the start of a message sent to the C\u0026C)\r\nhas now changed to 0x7e3 (2019) from 0x7e2 (2018), suggesting that the latest version was released this\r\nyear.\r\n2. The malware appends a random-size buffer (of at least 0x1f bytes) of random data to the connection\r\nstruct, which is likely done in order to make it harder to write a unique signature for its communication and so avoid its\r\ninterception by IDS/IPS products.\r\n[Changed magic value in the new version of Smokeloader]\r\nNew Persistence Methods\r\nAs part of Smokeloader’s behaviour, it generates a unique ID for each victim machine, which is based on the\r\nconcatenation of the computer name, a hardcoded static number (that differs between campaigns) and the volume\r\nserial number of the system drive. The ID is then generated as an MD5 hash of the concatenated string,\r\nfollowed by the MD5 of the volume serial number.\r\nThe malware uses this unique ID for several purposes, namely creating random file names for two dropped files –\r\nthe first is a copy of Smokeloader’s executable, and the second is an lnk which is invoked as a scheduled task. 
The\r\nlatter is used just to run the former, thus allowing the malware to persist on the machine after reboot using this pair\r\nof files.\r\nIn older versions, the random name of the copied malware executable was based on the last eight characters of the\r\nID described above. Those depended only on the volume serial number and would therefore create the same file artifact\r\nfor a single machine. In the new version, however, the name is generated from seven letters starting from the 30th\r\nletter, allowing it to also depend on the hardcoded static value. As a result, samples with different hardcoded\r\nvalues will generate different file names on the same machine, making the malware less detectable by AV\r\nproducts.\r\nIn addition to the above, a few other modifications to persistence mechanisms were witnessed in the new version.\r\nOne of them is the creation of the aforementioned lnk file in the %startup% folder with the name “Opera\r\nScheduled Autoupdate \u003crandom_number\u003e”. The name of the scheduled task that invokes it is\r\n“NvNgxUpdateCheckDaily_{%08X-%04X-%04X-%04X-%08X%04X}” (the hex values are hardcoded in the\r\nbinary) and the task executed via the lnk runs the following script embedded in it:\r\n“\u003c?xml version=\"1.0\"?\u003e\u003cscriptlet\u003e\u003cregistration classid=\"{00000000-0000-0000-0000-00000000%04X}\"\u003e\r\n\u003cscript language=\"jscript\"\u003e\u003c![CDATA[GetObject(\"winmgmts:Win32_Process\").Create(\"%ls\",null,null,null);]]\u003e\u003c/script\u003e\u003c/registration\u003e\r\n\u003c/scriptlet\u003e”\r\nApart from this, there is a change in the way the scheduled task is created: it is now registered only when the\r\nexplorer.exe process receives a WM_QUERYENDSESSION or WM_ENDSESSION window message. 
This\r\nallows the malware to conduct task scheduling only when the computer is shut down (which is when these window\r\nmessages are received). Once again, this technique provides Smokeloader with the ability to evade AV solutions\r\nand remain under the radar. To better understand how this works you may reference the explanation given here.\r\nThe Actor Leveraging the New Smokeloader Variant\r\nThe sample we analyzed is utilized in part by an actor that has been using Smokeloader for a long time.\r\nThe payload provided by our sample uses Smokeloader’s FakeDNS and DDoS plugins to attack trezor.io (the\r\nsite of a cryptocurrency hardware wallet product). The former redirects the site on a victim’s host\r\nto the IP 31.210.170[.]195, which appears to host a fake website mimicking the original trezor.io.\r\n[Trezor fake website main page]\r\nOther than that, the new variant of Smokeloader downloads one more piece of malware from the URL:\r\nfileboard[.]live/upd.exe.\r\nThis downloaded payload (D83F3025BA5B41775423A456BC4C19EF) turns out to be the Azorult infostealer,\r\nwhich in turn communicates with a URL under the same domain – fileboard[.]live/index.php.\r\nThe campaign described above is connected to an actor we previously witnessed using Smokeloader, which was\r\ninvolved in several notorious campaigns. Those included a mass campaign spreading Amadey Loader\r\n(8b1b2dee404f274e90bd87ff6983d2162abee16c4d9868a10b802bd9bcbdbec6), the AveMaria info stealer\r\n(88c47899f49dd25e5799fdcf892b990320c645475b612ac5324e635e2acf89dd) and, most interestingly, ServHelper\r\n– a backdoor widely used by TA505 (20dd61fae49972323bb9c38a46ca4c93). The latter may suggest that in reality,\r\nthe actor using this new variant is in fact TA505.\r\nOur attribution to this actor is based on three clues that we were able to obtain from investigating the current\r\ncampaign:\r\n1. 
Usage of a similar format for C2 domain names (e.g. protest-0124.tk vs. protest-01242505.tk in former\r\nactivities)\r\n2. Usage of the same RC4 keys for encrypting communication and decrypting headers – these keys are\r\n0xaf03e678 and 0x78821544.\r\n3. No advertisement for the new version of the malware has appeared in the underground forums in which it\r\nis sold. We believe this may indicate that so far the seller is distributing the new variant among known\r\nbuyers so as to test and evaluate its quality, before another stable release.\r\nWe will keep monitoring Smokeloader’s development and threat actor activity and intend to update on any new\r\nvariants of the malware as soon as they emerge in the wild.\r\nCheck Point protects against all variants of Smokeloader, both of previous versions and the one described in this\r\npublication.\r\nThe relevant protections carry the names Smokeloader.TC.* and Trojan-Downloader.Win32.Smokeloader.TC.*\r\nIOCs\r\nMD5s\r\n5FC6F24D43BC7CA45A81D159291955D1 – New Smokeloader variant\r\n20DD61FAE49972323BB9C38A46CA4C93 – ServHelper\r\nE7680155F86AEAC74B65DA38143F7E9F – Ave Maria Info Stealer\r\nAF93FD5C7810669D125EC9B0D6E28509 – Amadey Loader\r\nSmokeloader C2s:\r\n
hxxp://protest-01242505[.]tk/\r\nhxxp://test-service012505[.]ru.com/\r\nhxxp://test-service012505[.]pw/\r\nhxxp://test-service012505[.]com/\r\nhxxp://test-service012505[.]site/\r\nhxxp://test-service012505[.]store/\r\nhxxp://test-service01242505[.]ru/\r\nhxxp://mytest-service012505[.]ru/\r\nhxxp://test-service012505[.]su/\r\nhxxp://test-service012505[.]info/\r\nhxxp://test-service012505[.]net/\r\nhxxp://test-service012505[.]tech/\r\nhxxp://test-service012505[.]online/\r\nhxxp://rutest-service012505[.]ru/\r\nhxxp://test-service01dom2505[.]ru/\r\nhxxp://test-service012505[.]website/\r\nhxxp://test-service012505[.]xyz/\r\nhxxp://test-service01pro2505[.]ru/\r\nhxxp://test-service01rus2505[.]ru/\r\nhxxp://test-service012505[.]eu/\r\nhxxp://test-service012505[.]press/\r\nhxxp://protest-service012505[.]ru/\r\nhxxp://rustest-service012505[.]ru/\r\nhxxp://test-service012505[.]net2505[.]ru/\r\nhxxp://test-service012505[.]space/\r\nhxxp://domtest-service012505[.]ru/\r\nhxxp://mirtest-service012505[.]ru/\r\nhxxp://test-service012505[.]org2505[.]ru/\r\n
hxxp://test-service012505[.]pp2505[.]ru/\r\nhxxp://test-service012505[.]pro/\r\nhxxp://test-service012505[.]host/\r\nhxxp://test-service012505[.]fun/\r\nhxxp://mostest-service012505[.]ru/\r\nhxxp://toptest-service012505[.]ru/\r\nhxxp://alltest-service012505[.]ru/\r\nhxxp://vsetest-service012505[.]ru/\r\nhxxp://newtest-service012505[.]ru/\r\nhxxp://biotest-service012505[.]ru/\r\nhxxp://test-service01shop2505[.]ru/\r\nhxxp://test-service01info2505[.]ru/\r\nhxxp://test-service01plus2505[.]ru/\r\nhxxp://test-service01club2505[.]ru/\r\nhxxp://test-service01torg2505[.]ru/\r\nhxxp://test-service01land2505[.]ru/\r\nhxxp://test-service01life2505[.]ru/\r\nhxxp://test-service01blog2505[.]ru/\r\nhxxp://megatest-service012505[.]ru/\r\nhxxp://infotest-service012505[.]ru/\r\nhxxp://besttest-service012505[.]ru/\r\nhxxp://shoptest-service012505[.]ru/\r\nhxxp://kupitest-service012505[.]ru/\r\nhxxp://proftest-service012505[.]ru/\r\nhxxp://clubtest-service012505[.]ru/\r\nhxxp://mytest-service01242505[.]ru/\r\nhxxp://rutest-service01242505[.]ru/\r\nhxxp://test-service01stroy2505[.]ru/\r\nhxxp://test-service01forum2505[.]ru/\r\nhxxp://supertest-service012505[.]ru/\r\nhxxp://protest-service01242505[.]ru/\r\nhxxp://protest-01252505[.]ml/\r\nhxxp://protest-01262505[.]ga/\r\nhxxp://protest-01272505[.]cf/\r\nhxxp://protest-01282505[.]gq/\r\nhxxp://protest-01292505[.]com/\r\nhxxp://protest-01302505[.]net/\r\nhxxp://protest-01312505[.]org/\r\nhxxp://protest-01322505[.]biz/\r\nhxxp://protest-01332505[.]info/\r\nhxxp://protest-01342505[.]eu/\r\nhxxp://protest-01352505[.]nl/\r\n
hxxp://protest-01362505[.]mobi/\r\nhxxp://protest-01372505[.]name/\r\nhxxp://protest-01382505[.]me/\r\nhxxp://protest-01392505[.]garden/\r\nhxxp://protest-01402505[.]art/\r\nhxxp://protest-01412505[.]band/\r\nhxxp://protest-01422505[.]bargains/\r\nhxxp://protest-01432505[.]bet/\r\nhxxp://protest-01442505[.]blue/\r\nhxxp://protest-01452505[.]business/\r\nhxxp://protest-01462505[.]casa/\r\nhxxp://protest-01472505[.]city/\r\nhxxp://protest-01482505[.]click/\r\nhxxp://protest-01492505[.]company/\r\nhxxp://protest-01502505[.]futbol/\r\nhxxp://protest-01512505[.]gallery/\r\nhxxp://protest-01522505[.]game/\r\nhxxp://protest-01532505[.]games/\r\nhxxp://protest-01542505[.]graphics/\r\nhxxp://protest-01552505[.]group/\r\nhxxp://protest-02252505[.]ml/\r\nhxxp://protest-02262505[.]ga/\r\nhxxp://protest-02272505[.]cf/\r\nhxxp://protest-02282505[.]gq/\r\nhxxp://protest-03252505[.]ml/\r\nhxxp://protest-03262505[.]ga/\r\nhxxp://protest-03272505[.]cf/\r\nhxxp://protest-03282505[.]gq/\r\nhxxp://protest-05242505[.]tk/\r\nhxxp://protest-06242505[.]tk/\r\nTrezor fake website:\r\nhxxp://31.210.170[.]195\r\nAZORult IOCs:\r\nhxxp://fileboard[.]live/index.php\r\nhxxp://fileboard[.]live/upd.exe\r\nSmokeloader DropZones:\r\nhxxp://vinomag.pw/nsis.exe\r\nhxxp://mypromo.online/parapara.exe\r\nhxxps://babolgum.icu/cobal.exe\r\nAmadey IOCs:\r\nskcalladhellormi.xyz\r\nAve Maria IOCs:\r\nhxxps://paste.ee/r/2zmfq/0\r\nServHelper IOCs:\r\nhxxp://esupdate.icu/js/s.php\r\nSource: https://research.checkpoint.com/2019-resurgence-of-smokeloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2019-resurgence-of-smokeloader/"
	],
	"report_names": [
		"2019-resurgence-of-smokeloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775791306,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2f9fae5758c5eda308b147329a481df0cbaee11.pdf",
		"text": "https://archive.orkl.eu/e2f9fae5758c5eda308b147329a481df0cbaee11.txt",
		"img": "https://archive.orkl.eu/e2f9fae5758c5eda308b147329a481df0cbaee11.jpg"
	}
}