Technical Analysis of SmokeLoader Version 2025
Sept. 16, 2025, 9:43 a.m.
Description
SmokeLoader, a modular malware loader active since 2011, has resurfaced with new builds in 2025 after Operation Endgame suppressed its activity. The two latest variants, labelled 2025 alpha and 2025, carry bug fixes, performance improvements, and additional anti-analysis and detection-evasion measures. Key changes include a new mutex check in the stager, a modified mutex-name generation scheme, and updates to the main module. In version 2025 the network protocol has been slightly adjusted and the scheduled task name used for persistence has changed. Despite the takedown effort, SmokeLoader continues to evolve and is used by multiple threat groups.
Tags
Date
- Created: Sept. 16, 2025, 8:02 a.m.
- Published: Sept. 16, 2025, 8:02 a.m.
- Modified: Sept. 16, 2025, 9:43 a.m.
Indicators
- 413325dfeddf2287f86ca9998c1f6be2942145a647a14f1bfe1390e738adae61
- d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1
- 0b06c6a25000addde175277b2d157d5bca4ab95cbfe3d984f1dba2ecefa3a4cd
- fe18dba2d72ccf4a907d07674b18d1bc23e3ea10f66cbf2a79e73000df43b358
- d38f9ab81a054203e5b5940e6d34f3c8766f4f4104b14840e4695df511feaa30
- d5efd66f54dce6b51870e40a458fa30de366a2982ab2f83dddff5cb3349f654d
- c78bc4fb8955940b3ac9b52cb16744a61f8bdaf673fd64fc106465241c56cc6c
- 7377efde4e4e86650ab8495f57ab4a76d4f8efe31e2962305b8c42a6cee70454
- 5727c2cd54b8408ca0f8e943cad61027a2c3d51da64f2f1224a6b9acc4820f8e
- 32ba1f3b96cf77a08c041d4983d6afa7db8e1948d27d6a8dd55b7bb95e493189
- 178.16.53.7
- 176.46.152.46
- https://ownmbaego.com/index.php
- http://udlg.nl/tmp/
- http://solanges.info/tmp/
- http://ownmbaego.com/index.php
- http://es-koerier.nl/tmp/
- http://e-bonds.ru/tmp/
- http://dfbdw3tyge.info/tmp/
- http://disciply.nl/tmp/
- http://dfbdw3tyge.info/tmp
- http://cobyrose.com/tmp/
- http://cusnick.com/tmp/
- http://ardt.info/tmp/
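The indicator list above mixes SHA-256 hashes, IP addresses and URLs, and contains near-duplicates (the same ownmbaego.com path under http and https, and dfbdw3tyge.info/tmp with and without a trailing slash). The following Python is an added example, not code from the original report or from the SmokeLoader analysis it summarises: it classifies each indicator by type, normalises URLs to host plus path so the variants collapse, and extracts the set of C2 hosts for a blocklist. The input list is copied from the indicators above; the function names are mine.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied verbatim from the list above (SHA-256 hashes, IPs, URLs).
INDICATORS = [
    "413325dfeddf2287f86ca9998c1f6be2942145a647a14f1bfe1390e738adae61",
    "d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1",
    "0b06c6a25000addde175277b2d157d5bca4ab95cbfe3d984f1dba2ecefa3a4cd",
    "fe18dba2d72ccf4a907d07674b18d1bc23e3ea10f66cbf2a79e73000df43b358",
    "d38f9ab81a054203e5b5940e6d34f3c8766f4f4104b14840e4695df511feaa30",
    "d5efd66f54dce6b51870e40a458fa30de366a2982ab2f83dddff5cb3349f654d",
    "c78bc4fb8955940b3ac9b52cb16744a61f8bdaf673fd64fc106465241c56cc6c",
    "7377efde4e4e86650ab8495f57ab4a76d4f8efe31e2962305b8c42a6cee70454",
    "5727c2cd54b8408ca0f8e943cad61027a2c3d51da64f2f1224a6b9acc4820f8e",
    "32ba1f3b96cf77a08c041d4983d6afa7db8e1948d27d6a8dd55b7bb95e493189",
    "178.16.53.7",
    "176.46.152.46",
    "https://ownmbaego.com/index.php",
    "http://udlg.nl/tmp/",
    "http://solanges.info/tmp/",
    "http://ownmbaego.com/index.php",
    "http://es-koerier.nl/tmp/",
    "http://e-bonds.ru/tmp/",
    "http://dfbdw3tyge.info/tmp/",
    "http://disciply.nl/tmp/",
    "http://dfbdw3tyge.info/tmp",
    "http://cobyrose.com/tmp/",
    "http://cusnick.com/tmp/",
    "http://ardt.info/tmp/",
]

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def classify(ioc):
    """Return (kind, normalised_value) for a single indicator string.

    kind is one of "sha256", "ip", "url" or "unknown". URLs are reduced
    to lowercase host plus path with any trailing slash removed, so that
    scheme and trailing-slash variants compare equal.
    """
    ioc = ioc.strip()
    if SHA256_RE.match(ioc):
        return "sha256", ioc.lower()
    try:
        return "ip", str(ipaddress.ip_address(ioc))
    except ValueError:
        pass
    if ioc.lower().startswith(("http://", "https://")):
        parts = urlsplit(ioc)
        host = (parts.hostname or "").lower()
        path = parts.path.rstrip("/") or "/"
        return "url", f"{host}{path}"
    return "unknown", ioc


def normalize(indicators):
    """Group indicators into typed sets, deduplicating after normalisation."""
    out = {"sha256": set(), "ip": set(), "url": set(), "unknown": set()}
    for ioc in indicators:
        kind, value = classify(ioc)
        out[kind].add(value)
    return out


def c2_hosts(indicators):
    """Hostnames and IPs to block: URL hosts plus bare IP indicators."""
    norm = normalize(indicators)
    hosts = {value.split("/", 1)[0] for value in norm["url"]}
    return sorted(hosts | norm["ip"])


if __name__ == "__main__":
    groups = normalize(INDICATORS)
    for kind, values in groups.items():
        print(f"{kind}: {len(values)}")
    print("\n".join(c2_hosts(INDICATORS)))
```

Normalising to host plus path rather than the full URL is deliberate: the loader's hard-coded C2 list is what the hash indicators above were derived from, and a blocklist keyed on the raw strings would miss the http/https and trailing-slash variants that appear in the list as separate entries.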
Additional Information
- Ukraine
- Russian Federation