S0226: Smoke Loader
Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]
Analyst context for executives and security teams
Smoke Loader matters because it is a Windows malicious bot/downloader that can bring additional malware into an environment. For leaders, the risk is less about one named tool and more about whether the organization can quickly identify a foothold that uses deception, self-protection, persistence, web-based command-and-control, credential collection, and follow-on payload transfer.
Executive priority
Prioritize Smoke Loader as a resilience and incident-readiness test case: can the business detect and contain a Windows host that becomes a staging point for additional malware? Executive questions should focus on endpoint visibility, persistence monitoring, credential exposure from browsers/files, email data protection, and whether SOC/IR playbooks treat downloader activity as a potential precursor to broader compromise.
Technical view
ATT&CK provides no official detection text for S0226, so coverage should be validated through the related behaviors: encrypted or encoded files, deobfuscation, scheduled tasks, Registry Run Keys or Startup Folder persistence, process injection/process hollowing, Visual Basic execution, web protocol C2, ingress tool transfer, file and directory discovery, local email collection, credential access from files and browsers, and system checks used for sandbox or analysis avoidance. Because the software platform is Windows, validation should center on Windows endpoint, process, registry, task scheduler, file, browser credential store, email cache, and network telemetry.
Likely telemetry
- Windows process creation and parent/child process lineage
- Command-line and script execution telemetry, including Visual Basic-related execution where available
- Task Scheduler creation, modification, and execution events
- Registry Run Key and Startup Folder change events
- Endpoint memory/injection or suspicious process behavior alerts
Detection direction
- Do not rely on a single malware signature; validate behavior-based coverage across persistence, injection, web C2, and payload download patterns.
- Tune scheduled task and Run Key detections for newly created or unusual entries, while accounting for legitimate software updaters and administrative automation.
- Correlate process injection or process hollowing signals with suspicious network activity, decoded payload artifacts, or unexpected child processes to reduce false positives.
- Review whether encrypted/encoded files and deobfuscation events are visible before execution, not only after payload delivery.
- Validate visibility into credential-related file access, especially browser credential stores and locally stored credentials, because collection behaviors may be quiet and host-local.
Mitigation priorities
- Start with endpoint prevention and monitoring controls on Windows systems, especially for suspicious persistence, injection, scripting, and downloaded payload execution.
- Harden and monitor credential storage practices: reduce insecure credentials in files and limit exposure from browser-saved credentials where business processes allow.
- Restrict unnecessary script and automation abuse paths, while maintaining exceptions for approved administrative workflows.
- Improve egress monitoring for endpoint web-protocol traffic so unusual command-and-control or payload retrieval can be investigated quickly.
- Ensure IR playbooks treat downloader findings as potentially incomplete until follow-on payloads, credential access, persistence, and local collection are ruled out.
Analyst notes and limits
Smoke Loader is described by ATT&CK as a malicious bot application used to load other malware, observed since at least 2011, with deception, self-protection, and plug-ins. The most useful defensive value comes from the relationship set: it maps the malware to behaviors spanning execution, persistence, stealth, discovery, command-and-control, collection, and credential access.
ATT&CK provides no official detection guidance, no aliases, and no object-level tactics for S0226 in the supplied fields. The relationship techniques describe relevant behaviors but do not prove every behavior will appear in every incident. Local endpoint, network, identity, and IR evidence is required to assess exposure or confirm activity.
Smoke Loader
Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Smoke Loader deobfuscates its code.CitationTalos Smoke Loader July 2018 |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Smoke Loader searches for files named logins.json to parse for credentials.CitationTalos Smoke Loader July 2018 |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).CitationTalos Smoke Loader July 2018 |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.CitationMalwarebytes SmokeLoader 2016 |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Smoke Loader searches for credentials stored from web browsers.CitationTalos Smoke Loader July 2018 |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Smoke Loader uses HTTP for C2.CitationMalwarebytes SmokeLoader 2016 |
| Enterprise | T1497.001 | System Checks Sub-technique | Smoke Loader scans processes to perform anti-VM checks. CitationTalos Smoke Loader July 2018 |
| Enterprise | T1105 | Ingress Tool Transfer | Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.CitationMalwarebytes SmokeLoader 2016 |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.CitationMalwarebytes SmokeLoader 2016 |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.CitationMalwarebytes SmokeLoader 2016CitationMicrosoft Dofoil 2018 |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.CitationMalwarebytes SmokeLoader 2016CitationTalos Smoke Loader July 2018 |
| Enterprise | T1055 | Process Injection | Smoke Loader injects into the Internet Explorer process.CitationTalos Smoke Loader July 2018 |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Smoke Loader launches a scheduled task.CitationTalos Smoke Loader July 2018 |
| Enterprise | T1083 | File and Directory Discovery | Smoke Loader recursively searches through directories for files.CitationTalos Smoke Loader July 2018 |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.3 | Current bundle | 5a141bf85f68… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Malwarebytes SmokeLoader 2016
Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
Open source URL -
[2]
Microsoft Dofoil 2018
Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Retrieved March 20, 2018.
Open source URL -
[3]
Dofoil
(Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)
-
[4]
Smoke Loader
(Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)
-
[5]
mitre-attack S0226Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.