SmokeLoader Employs Optional Plugins to Steal Data and Launch DoS Attacks


By Mayura Kathir


Active since 2011, SmokeLoader (also known as Smoke or Dofoil) has cemented its reputation as a versatile malware loader engineered to deliver second-stage payloads, including trojans, ransomware, and information stealers.

Over the years, it has evolved to evade detection and optimize payload delivery, extending its reach through an extensible plugin framework capable of credential harvesting, browser hijacking, cryptocurrency mining, and more.

Following Operation Endgame in May 2024—an international law enforcement and private-industry effort that eradicated many SmokeLoader instances—activity waned until early 2025, when Zscaler ThreatLabz discovered a new “2025 alpha” variant.

By July 2025, the malware’s author advertised an updated edition on a cybercriminal forum, and ThreatLabz soon identified a further variant, hereafter referred to as version 2025, distinguished by bug fixes and a modified network protocol.

SmokeLoader’s primary function remains the reliable download and execution of secondary malware. Its modular design, however ...


Copyright of this story solely belongs to gbhackers.