Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor

Unit 42 and Ukraine’s SCPC SSSCIP published joint research documenting 23 waves of Smoke Loader activity targeting Ukrainian organizations from May–December 2023. The analysis shows email-based phishing and web-based delivery of Smoke Loader, which downloads secondary payloads for information theft and financial fraud. #SmokeLoader #UAC-0006

Key points

  • Unit 42 and Ukraine’s SCPC SSSCIP collaborated to analyze Smoke Loader campaigns observed in Ukraine between May and December 2023.
  • The joint report documents 23 waves of email-based attacks and web-based delivery methods used to distribute Smoke Loader.
  • Primary delivery vectors included phishing emails and web exploit kits (e.g., Rig Exploit Kit); Smoke Loader has also been observed delivered as a payload by other malware like Glupteba.
  • Smoke Loader functions as a loader/backdoor that downloads secondary malware and has information-stealing capabilities used to facilitate financial theft.
  • UAC-0006 is the CERT-UA designation for the group using Smoke Loader in campaigns that targeted Ukrainian financial and government organizations.
  • CERT-UA and SCPC reporting indicate significant financial impact, including attempts to steal tens of millions of hryvnias and a per-week estimate of average potential losses.
  • The SCPC SSSCIP report and accompanying PDF provide technical analysis and indicators of compromise (IOCs) for detection and mitigation.

MITRE Techniques

  • [T1566] Phishing – Used to deliver Smoke Loader via malicious emails. Quote: “attacks using this malware against Ukraine have been detected in malicious emails from phishing campaigns.”
  • [T1189] Drive-by Compromise – Web-based vectors delivered Smoke Loader (e.g., exploit kits). Quote: “it has appeared as a payload from web-based vectors like Rig Exploit Kit”
  • [T1105] Ingress Tool Transfer – Smoke Loader downloads secondary malware/payloads to the victim. Quote: “UAC-0006 uses Smoke Loader to download other malware”

Indicators of Compromise

  • [Domain] Publisher hosts for the report and research (reference sources, not attacker infrastructure) – scpc.gov.ua, unit42.paloaltonetworks.com
  • [File/URL] SCPC report PDF and sample archive – https://scpc.gov.ua/api/files/8e300d33-6257-4d7f-8f72-457224268343 and the Unit 42 article URL; the actual malware IOCs (hashes, C2 domains, sender addresses) are contained in these documents rather than listed here

Smoke Loader (also known as Dofoil/Sharik) is a Windows loader/backdoor observed in 23 waves of campaigns in Ukraine from May–December 2023. Adversaries distributed Smoke Loader primarily via phishing emails and via web-based vectors such as the Rig Exploit Kit; it has also been observed delivered as a payload by other malware families (for example, Glupteba). Once executed, Smoke Loader acts as a downloader/backdoor that pulls down secondary payloads and information-stealing components used to facilitate fraud and theft.

The CERT-UA–designated group UAC-0006 used Smoke Loader to deploy follow-on malware targeting financial and government organizations, with reporting indicating attempts to steal large sums (tens of millions of hryvnias across observed campaigns). Unit 42 and SCPC SSSCIP provide detailed technical analysis, campaign timelines, and IOCs in their joint report and accompanying PDF to support detection and incident response.

Security teams should consult the SCPC SSSCIP report for the full indicator set, sample details, and mitigation guidance related to the observed Smoke Loader campaigns, since this summary does not reproduce the malware IOCs themselves.

Read more: https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loader-phishing/