Intel Name: SmokeLoader rises from the ashes
Date of Scan: September 16, 2025
Impact: Medium
Summary: SmokeLoader (also known as Smoke or Dofoil) is a long-standing modular malware loader active since 2011, primarily used to deliver second-stage payloads like trojans, ransomware, and info stealers. It features a plugin-based architecture enabling credential theft, browser hijacking, crypto mining, and DDoS attacks. Recently, two new versions—2025 alpha and 2025—have emerged, actively used by multiple threat groups. These updates fix performance issues and include improvements to evade both static and behavioral detection, marking a significant evolution in the malware’s capabilities.