#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
DevSecOps

SmokeLoader | Breaking Cybersecurity News | The Hacker News

Category — SmokeLoader
Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections

Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections

Feb 04, 2025 Vulnerability / Cyber Espionage
A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware. The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web ( MotW ) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09 . "The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files," Trend Micro security researcher Peter Girnus said . It's suspected that CVE-2025-0411 was likely weaponized to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict. MotW is a security feature implemented by Microsoft in Windows to prevent the a...
SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan

SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan

Dec 02, 2024 Malware / Cryptocurrency
Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware. "SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said in a report shared with The Hacker News. "While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its [command-and-control] server." SmokeLoader , a malware downloader first advertised in cybercrime forums in 2011, is chiefly designed to execute secondary payloads. Additionally, it possesses the capability to download more modules that augment its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency. "SmokeLoader detects analysis environments, generates fake network t...
Watch Out For These 8 Cloud Security Shifts in 2025

Watch Out For These 8 Cloud Security Shifts in 2025

Feb 04, 2025Threat Detection / Cloud Security
As cloud security evolves in 2025 and beyond, organizations must adapt to both new and evolving realities, including the increasing reliance on cloud infrastructure for AI-driven workflows and the vast quantities of data being migrated to the cloud. But there are other developments that could impact your organizations and drive the need for an even more robust security strategy. Let's take a look… #1: Increased Threat Landscape Encourages Market Consolidation Cyberattacks targeting cloud environments are becoming more sophisticated, emphasizing the need for security solutions that go beyond detection. Organizations will need proactive defense mechanisms to prevent risks from reaching production. Because of this need, the market will favor vendors offering comprehensive, end-to-end security platforms that streamline risk mitigation and enhance operational efficiency. #2: Cloud Security Unifies with SOC Priorities Security operations centers (SOC) and cloud security functions are c...
New BunnyLoader Malware Variant Surfaces with Modular Attack Features

New BunnyLoader Malware Variant Surfaces with Modular Attack Features

Mar 20, 2024 Cybercrime / Financial Security
Cybersecurity researchers have discovered an updated variant of a stealer and malware loader called  BunnyLoader  that modularizes its various functions as well as allow it to evade detection. "BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims," Palo Alto Networks Unit 42  said  in a report published last week. The new version, dubbed BunnyLoader 3.0, was announced by its developer named Player (or Player_Bunny) on February 11, 2024, with rewritten modules for data theft, reduced payload size, and enhanced keylogging capabilities. BunnyLoader was  first documented  by Zscaler ThreatLabz in September 2023, describing it as a malware-as-a-service (MaaS) designed to harvest credentials and facilitate cryptocurrency theft. It was initially offered on a subscription basis for $250 per month. The malware has since undergone frequent upd...
cyber security

Webinar: 5 Ways New AI Agents Can Automate Identity Attacks | Register Now

websitePush SecurityAI Agents / Identity Security
Watch how Computer-Using Agents can be used by attackers to automate account takeover and exploitation.
DJVU Ransomware's Latest Variant 'Xaro' Disguised as Cracked Software

DJVU Ransomware's Latest Variant 'Xaro' Disguised as Cracked Software

Nov 29, 2023 Ransomware / Cyber Threat
A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software. "While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," Cybereason security researcher Ralph Villanueva  said . The new variant has been codenamed Xaro by the American cybersecurity firm. DJVU, in itself, is a  variant of the STOP ransomware , typically arrives on the scene masquerading as legitimate services or applications. It's also delivered as a payload of  SmokeLoader . A significant aspect of DJVU attacks is the deployment of additional malware, such as information stealers (e.g., RedLine Stealer and Vidar), making them more damaging in nature. In the latest attack chain documented by Cybereason, Xaro is propagated as an archive file from a...
New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute

New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute

Aug 24, 2023 Malware / Privacy
The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called  Whiffy Recon  on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," Secureworks Counter Threat Unit (CTU)  said  in a statement shared with The Hacker News. "The location returned by Google's  Geolocation API  is then sent back to the adversary." SmokeLoader , as the name implies, is a loader malware whose sole purpose is to drop additional payloads onto a host. Since 2014, the malware has been  offered for sale  to Russian-based threat actors. It's traditionally distributed via phishing emails. Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. It's worth noting that th...
CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine

CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine

May 08, 2023 Cyber Attack / Data Safety
An ongoing phishing campaign with invoice-themed lures is being used to distribute the SmokeLoader malware in the form of a polyglot file, according to the Computer Emergency Response Team of Ukraine (CERT-UA). The emails, per the  agency , are sent using compromised accounts and come with a ZIP archive that, in reality, is a  polyglot file  containing a decoy document and a JavaScript file. The JavaScript code is then used to launch an executable that paves for the execution of the  SmokeLoader malware . SmokeLoader, first detected in 2011, is a  loader  whose main objective is to download or load a stealthier or more effective malware onto infected systems. CERT-UA attributed the activity to a threat actor it calls UAC-0006 and characterized it as a financially motivated operation carried out with the goal of stealing credentials and making unauthorized fund transfers. In a related advisory, Ukraine's cybersecurity authority also revealed details of...
Cybersecurity Experts Uncover Inner Workings of Destructive Azov Ransomware

Cybersecurity Experts Uncover Inner Workings of Destructive Azov Ransomware

Dec 13, 2022 Data Security / Endpoint Security
Cybersecurity researchers have published the inner workings of a new wiper called  Azov Ransomware  that's deliberately designed to corrupt data and "inflict impeccable damage" to compromised systems. Distributed through another malware loader known as  SmokeLoader , the malware has been  described  as an "effective, fast, and unfortunately unrecoverable data wiper," by Israeli cybersecurity company Check Point. Its origins have yet to be determined. The wiper routine is set to overwrite a file's contents in alternating 666-byte chunks with random noise, a technique referred to as  intermittent encryption  that's being increasingly leveraged by ransomware operators to evade detection and encrypt victims' files faster. "One thing that sets Azov apart from your garden-variety ransomware is its modification of certain 64-bit executables to execute its own code," threat researcher Jiří Vinopal said. "The modification of executables is...
New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader

New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader

Nov 08, 2022
Cryptocurrency users are being targeted with a new clipper malware strain dubbed  Laplas  by means of another malware known as SmokeLoader. SmokeLoader, which is delivered by means of weaponized documents sent through spear-phishing emails, further acts as a conduit for other  commodity trojans  like  SystemBC  and  Raccoon Stealer 2.0 , according to an  analysis  from Cyble. Observed in the wild since circa 2013,  SmokeLoader  functions as a generic loader capable of distributing additional payloads onto compromised systems, such as information-stealing malware and other implants. In July 2022, it was found to deploy a backdoor called  Amadey . Cyble said it discovered over 180 samples of the Laplas since October 24, 2022, suggesting a wide deployment. Clippers, also called ClipBankers, fall under a category of malware that Microsoft calls  cryware , which are designed to steal crypto by keeping close tabs on a vic...
Expert Insights / Articles Videos
Cybersecurity Resources