Tag: smokeloader

10 Attack Reports | 0 Vulnerabilities

Attack reports

GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank

UAC-0006, a financially motivated cyber threat group, has resurfaced with a sophisticated phishing campaign targeting customers of Ukraine’s largest state-owned bank, PrivatBank.
powershell
ukraine
javascript
black basta
vbscript
smokeloader
uac-0006
carbanak
anunak
defense evasion
sha256
2025-02-10
fin7
uac0006
privatbank
bank
model
demo
Published: February 10, 2025
Downloadable IOCs: 62

SmokeLoader Malware Targets Ukraine's Auto & Banking Sectors via Open Directories

An investigation uncovered open directories hosting SmokeLoader malware samples and lure documents targeting Ukraine's automotive and banking sectors. Two servers were identified, containing Windows executables and PDF files posing as invoices from Ukrainian companies. The malware injects into expl…
phishing
malware distribution
ukraine
banking
smokeloader
automotive
open directories
2025-02-07
financial lures
Published: February 7, 2025
Downloadable IOCs: 27

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited by Russian cybercrime groups to target Ukrainian organizations. The vulnerability allows bypassing Windows Mark-of-the-Web protections through double archiving, enabling execution of malicious content. The campaign involved spear-phish…
zero-day
cyberespionage
smokeloader
spear-phishing
CVE-2025-0411
2025-02-04
7-zip
homoglyph attacks
mark-of-the-web bypass
Published: February 4, 2025
Downloadable IOCs: 0

Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices

A malicious botnet called Socks5Systemz is operating a proxy service named PROXY.AM, utilizing over 85,000 compromised devices. The botnet, active since 2013, aims to turn infected systems into proxy exit nodes for cybercriminals seeking to obscure their attack sources. Initially boasting around 25…
botnet
amadey
cybercrime
smokeloader
proxy service
socks5systemz
2024-12-09
privateloader
exit nodes
hacked devices
proxy.am
Published: December 9, 2024
Downloadable IOCs: 2

SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer

Threat actors are exploiting old Microsoft Office vulnerabilities using SmokeLoader, a modular malware loader, to steal browser credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan, utilizing CVE-2017-0199 and CVE-2017-11882 to execute remote code and deploy malic…
phishing
plugins
credential theft
smokeloader
CVE-2017-0199
CVE-2017-11882
taiwan
modular malware
2024-12-03
microsoft office
vulnerabilities
andeloader
Published: December 3, 2024
Downloadable IOCs: 28

SmokeBuster Tool

ThreatLabz has developed SmokeBuster, a tool to detect, analyze, and remove SmokeLoader malware from infected systems. Despite Operation Endgame's disruption in May 2024, SmokeLoader continues to be used by threat groups. SmokeBuster supports various SmokeLoader versions and Windows systems, offeri…
windows
smokeloader
operation endgame
malware analysis
2024-10-31
thread manipulation
system performance
memory injection
dofoil
smokebuster
Published: October 31, 2024
Downloadable IOCs: 0

SmokeLoader Evolution Through The Years

This report provides an in-depth analysis of the evolution of SmokeLoader, a prominent malware downloader that has been active since 2011. It examines the significant changes and improvements introduced in SmokeLoader versions from 2015 to 2022, including updates to its communication protocol, encr…
smokeloader
downloader
2024-07-03
Published: July 3, 2024
Downloadable IOCs: 11

Unfurling Hemlock: Threat group uses cluster bomb campaigns

A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a 'cluster bomb' technique where each sample contains multiple stages of nested executable files, each containing ad…
amadey
redline
smokeloader
2024-07-01
risepro
mystic stealer
cluster bomb
mass distribution
eastern european
stealers
Published: July 1, 2024
Downloadable IOCs: 55

Operation Endgame: Up In Smoke

A detailed technical analysis of Smoke malware loader, also known as SmokeLoader or Dofoil, which has been operational since 2011. Smoke is primarily used to deliver second-stage malware payloads like trojans, ransomware, and information stealers, and can also deploy custom plugins for various mali…
smokeloader
2024-05-30
operation endgame
Published: May 30, 2024
Downloadable IOCs: 12

Spring Exacerbation: UAC-0006 increased cyberattacks

This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
powershell
ukraine
2024-05-22
smokeloader
uac-0006
taleshot
Published: May 22, 2024
Downloadable IOCs: 31
Click here to see more Attack Reports