{
	"id": "5b14ea31-e718-4aba-804a-fbcbde31553b",
	"created_at": "2026-04-06T00:08:45.449379Z",
	"updated_at": "2026-04-10T03:37:26.6367Z",
	"deleted_at": null,
	"sha1_hash": "e6dc6c5c8aeed481d2b94d88911ba2206baefebd",
	"title": "Smoke Loader - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65268,
	"plain_text": "Smoke Loader - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 14:28:52 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Smoke Loader\n Tool: Smoke Loader\nNames\nSmoke Loader\nSmokeLoader\nSmoke\nDofoil\nSharik\nCategory Malware\nType Botnet, Downloader, Miner\nDescription\nThe SmokeLoader family is a generic backdoor with a range of capabilities which\ndepend on the modules included in any given build of the malware. The malware is\ndelivered in a variety of ways and is broadly associated with criminal activity. The\nmalware frequently tries to hide its C2 activity by generating requests to legitimate sites\nsuch as microsoft.com, bing.com, adobe.com, and others. Typically the response to the actual\ndownload request is an HTTP 404 that still contains data in the response body.\nSmokeLoader, in addition to being used to download standalone coinminers, is available\non underground markets with a built-in coinminer module for an additional fee.\nInformation\n\nmicrosoft-spoils-its-campaign\u003e\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 21 April 2025\nDownload this tool card in JSON format\nAll groups using tool Smoke Loader\nChanged Name Country Observed\nAPT groups\n TA530 [Unknown] 2016-Nov 2016\nOther groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c0fb51f1-5f2e-4efc-a59f-70ca9a5f0744\nPage 2 of 3\n\nBamboo Spider, TA544 [Unknown] 2016-Apr 2022\r\n  Smoky Spider [Unknown] 2011-Apr 2019\r\n  TA516 [Unknown] 2016-Feb 2020  \r\n4 groups listed (1 APT, 3 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c0fb51f1-5f2e-4efc-a59f-70ca9a5f0744\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c0fb51f1-5f2e-4efc-a59f-70ca9a5f0744\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c0fb51f1-5f2e-4efc-a59f-70ca9a5f0744"
	],
	"report_names": [
		"listgroups.cgi?u=c0fb51f1-5f2e-4efc-a59f-70ca9a5f0744"
	],
	"threat_actors": [
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee",
			"created_at": "2022-10-25T16:07:24.285532Z",
			"updated_at": "2026-04-10T02:00:04.922819Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "ETDA:TA530",
			"tools": [
				"AbaddonPOS",
				"August Stealer",
				"Bugat v5",
				"CryptoWall",
				"Dofoil",
				"Dridex",
				"Gozi ISFB",
				"H1N1",
				"H1N1 Loader",
				"ISFB",
				"Nymaim",
				"Pandemyia",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"SpY-Agent",
				"TVRAT",
				"TVSpy",
				"TeamSpy",
				"TeamViewerENT",
				"TinyLoader",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a8107a-f669-41af-ba79-41b1cbdc4654",
			"created_at": "2023-01-06T13:46:39.228649Z",
			"updated_at": "2026-04-10T02:00:03.25247Z",
			"deleted_at": null,
			"main_name": "BAMBOO SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BAMBOO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b34a837-9f3f-4451-b8bf-adf424655df5",
			"created_at": "2023-01-06T13:46:39.310096Z",
			"updated_at": "2026-04-10T02:00:03.283332Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [],
			"source_name": "MISPGALAXY:TA516",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aeda543e-ce27-41a9-9719-d6e2941b7dbf",
			"created_at": "2022-10-25T16:07:24.57632Z",
			"updated_at": "2026-04-10T02:00:05.038892Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [
				"SmokingDro"
			],
			"source_name": "ETDA:TA516",
			"tools": [
				"AZORult",
				"AndroKINS",
				"Chthonic",
				"Dofoil",
				"PandaBanker",
				"PuffStealer",
				"Rultazo",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"Zeus Panda",
				"ZeusPanda"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1",
			"created_at": "2023-01-06T13:46:38.476089Z",
			"updated_at": "2026-04-10T02:00:02.990237Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "MISPGALAXY:TA530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6dc6c5c8aeed481d2b94d88911ba2206baefebd.pdf",
		"text": "https://archive.orkl.eu/e6dc6c5c8aeed481d2b94d88911ba2206baefebd.txt",
		"img": "https://archive.orkl.eu/e6dc6c5c8aeed481d2b94d88911ba2206baefebd.jpg"
	}
}