Since its emergence on cybercriminal forums in 2011, SmokeLoader has transformed into a highly adaptable malware loader, capable of deploying a wide array of secondary payloads such as trojans, ransomware, and credential stealers. Following the disruption of numerous campaigns by Operation Endgame in mid-2024, SmokeLoader resurfaced in early 2025 with two distinct versions: 2025 alpha and 2025. These iterations address previous performance issues, bolster evasion techniques, and expand the plugin framework, enabling a diverse range of malicious activities.
Zscaler researchers have observed that these updates allow SmokeLoader to operate more stealthily and efficiently on compromised systems. Initially, SmokeLoader’s primary function was to inject its main module into Windows Explorer for persistent execution and communication with command-and-control (C2) servers. The stager responsible for this injection previously lacked proper checks, leading to repeated injections at ten-minute intervals and causing significant performance degradation.
In the 2025 alpha version, a mutex check was introduced in the stager to prevent repeated injections. This mutex generation algorithm derives a random lowercase string based on the first four bytes of the bot ID, conserving system resources by avoiding redundant processes.
Beyond improving loader stability, SmokeLoader’s plugin framework has matured significantly. Operators can now deploy optional modules that harvest browser credentials, hijack sessions, perform distributed denial-of-service (DDoS) attacks, and mine cryptocurrency. Each plugin is delivered as a second-stage payload, activated based on configuration flags received from the C2 server. This flexibility allows threat actors to tailor payloads to specific objectives, ranging from data exfiltration in targeted espionage to volumetric DDoS attacks in extortion campaigns.
Infection Mechanism and Persistence
SmokeLoader’s infection chain typically begins with a reconnaissance email or exploit kit that delivers the stager as a shellcode-packed executable. Upon execution, the stager resolves Windows API dependencies by hash, decrypts code blocks with a hardcoded offset, and injects the main module into the explorer.exe process using 64-bit shellcode.
Once inside explorer.exe, the main module creates a scheduled task for persistence, now named MicrosoftEdgeUpdateTaskMachine%hs, where the placeholder is the first 16 characters of the bot ID. This contrasts with earlier variants that used Firefox Default Browser Agent %hs, indicating an attempt to masquerade as legitimate update services.
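The task-name templates above are a usable host-side hunting hook, but only when paired with the registering process: the genuine Edge and Firefox updaters create tasks with similar names, so the name alone is not enough. The following is an added example (not code from the write-up or from Zscaler) that triages constructed, SIEM-normalised scheduled-task-creation records. It assumes a 16-character alphanumeric bot-ID fragment and the vendor install directories as the expected creators; both are assumptions, not values from the page.

```python
import re
from typing import Dict, List, Optional

# Task-name templates from the write-up, with %hs replaced by the first 16 characters of the
# bot ID. Assumption: the bot ID is alphanumeric; the page does not state its alphabet.
TASK_PATTERNS = {
    "edge_update": re.compile(r"^\\?MicrosoftEdgeUpdateTaskMachine[0-9A-Za-z]{16}$"),
    "firefox_agent": re.compile(r"^\\?Firefox Default Browser Agent [0-9A-Za-z]{16}$"),
}

# Assumed directories from which the legitimate updaters register their tasks (lowercase).
EXPECTED_CREATORS = {
    "edge_update": ("c:\\program files (x86)\\microsoft\\edgeupdate\\",),
    "firefox_agent": ("c:\\program files\\mozilla firefox\\",),
}

# Constructed sample records (not real telemetry), shaped like a SIEM's normalised view of a
# task-creation event: the task name plus the image that registered it.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4698", "TaskName": "\\MicrosoftEdgeUpdateTaskMachineCore",
     "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"},
    {"EventID": "4698", "TaskName": "\\MicrosoftEdgeUpdateTaskMachine0123456789abcdef",
     "Image": "C:\\Windows\\explorer.exe"},
    {"EventID": "4698", "TaskName": "\\Firefox Default Browser Agent ABCDEF0123456789",
     "Image": "C:\\Program Files\\Mozilla Firefox\\default-browser-agent.exe"},
    {"EventID": "4698", "TaskName": "\\Firefox Default Browser Agent 0123456789abcdef",
     "Image": "C:\\Windows\\explorer.exe"},
]


def classify_task_name(task_name: str) -> Optional[str]:
    """Return which masquerade template the name matches, or None."""
    for label, pattern in TASK_PATTERNS.items():
        if pattern.match(task_name):
            return label
    return None


def creator_is_expected(label: str, image: str) -> bool:
    """True when the registering image lives under the vendor directory for that template."""
    return image.lower().startswith(EXPECTED_CREATORS[label])


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag task creations whose name mimics an updater but whose creator is not the updater."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4698":
            continue
        label = classify_task_name(ev.get("TaskName", ""))
        if label is None:
            continue
        if creator_is_expected(label, ev.get("Image", "")):
            continue  # legitimate updater registering its own task
        alerts.append({"TaskName": ev["TaskName"], "Image": ev["Image"], "template": label})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['template']}] {alert['TaskName']} registered by {alert['Image']}")
```

Because the main module runs inside explorer.exe, the task is registered from a process path that the real updaters never use; that mismatch, rather than the name, is what the rule keys on.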
After establishing persistence, the main module generates the same mutex to avoid duplicate execution and begins beaconing to C2 servers using an updated protocol that includes a four-byte CRC32 checksum. This checksum is calculated over the payload starting at offset six, ensuring integrity and complicating simplistic network detections.
The response handling has also evolved: the initial four-byte command length field is now XOR-obfuscated with the RC4 key, complicating static signature matching. Throughout this process, SmokeLoader’s network communications consistently mimic legitimate browser user agents and TLS handshakes, further blending malicious traffic with normal web browsing.
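For an analyst writing a traffic decoder, the two framing details above (the CRC32 over the payload from offset six, and the XOR-obfuscated four-byte length in responses) are the pieces that decide whether a capture parses. The block below is an added example, not code from the write-up, showing how such a decoder checks them. It assumes a layout the page does not give: a two-byte header word followed by the little-endian CRC32 at bytes 2..5 (so the covered payload begins at offset 6), and a length field XORed with the first four bytes of the RC4 key. The sample frame and key are constructed.

```python
import struct
import zlib

HEADER_LEN = 6   # from the page: the CRC32 covers the payload starting at offset 6
CRC_OFFSET = 2   # assumption: a 2-byte header word, then the 4-byte little-endian CRC32


def verify_request_crc(frame: bytes) -> bool:
    """Return True if the stored CRC32 matches the bytes from offset 6 onward."""
    if len(frame) < HEADER_LEN:
        return False
    stored = struct.unpack_from("<I", frame, CRC_OFFSET)[0]
    return (zlib.crc32(frame[HEADER_LEN:]) & 0xFFFFFFFF) == stored


def xor_length_field(field: bytes, rc4_key: bytes) -> bytes:
    """XOR the 4-byte length field with the first four key bytes.

    Assumption about the scheme; XOR is symmetric, so this both obfuscates and recovers.
    """
    if len(field) < 4 or len(rc4_key) < 4:
        raise ValueError("need a 4-byte field and at least 4 key bytes")
    return bytes(a ^ b for a, b in zip(field[:4], rc4_key[:4]))


def parse_response_length(response: bytes, rc4_key: bytes) -> int:
    """Recover the plaintext command length from the obfuscated leading field."""
    return struct.unpack("<I", xor_length_field(response[:4], rc4_key))[0]


def plain_length_signature_hits(response: bytes, expected_len: int) -> bool:
    """A naive signature that looks for the length in the clear; fails once it is XORed."""
    return response[:4] == struct.pack("<I", expected_len)


def build_sample_request(payload: bytes, header_word: int = 0) -> bytes:
    """Constructed sample under the assumed layout, for exercising the verifier only."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return struct.pack("<HI", header_word, crc) + payload


if __name__ == "__main__":
    key = b"constructed-rc4-key"                      # constructed, not a real key
    req = build_sample_request(b"constructed payload")
    print("request CRC ok:", verify_request_crc(req))
    resp = xor_length_field(struct.pack("<I", 42), key) + b"command body"
    print("recovered length:", parse_response_length(resp, key))
    print("plain-length signature hits:", plain_length_signature_hits(resp, 42))
```

The CRC check is what lets a decoder reject truncated or mangled captures before trying to decrypt them, and the last function shows why a signature keyed on a fixed cleartext length stops matching once the field is XORed with per-sample key material.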
By integrating both stager and main-module enhancements along with versatile plugins, SmokeLoader remains a potent threat for data theft and DDoS operations under a single, adaptable framework.