SmokeLoader Rises From the Ashes www.zscaler.com/blogs/sec…

Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. Over the years, SmokeLoader has been updated and enhanced to evade detection and optimize payload delivery. SmokeLoader’s capabilities have also been expanded through a modular plugin framework that is capable of credential harvesting, browser hijacking, cryptocurrency mining, and more.

In May 2024, Operation Endgame, an international collaboration between law enforcement and private industry (which included Zscaler ThreatLabz), dismantled numerous instances of SmokeLoader and remotely removed the malware from infected systems. These actions suppressed SmokeLoader activity following the takedown. However, in early 2025, ThreatLabz identified a new version of SmokeLoader that included bug fixes and other improvements.

Edward Kiledjian @ekiledjian