Summary: 2025/04/29 00:19
First reported date: 2014/10/05
Inquiry period : 2025/03/30 00:19 ~ 2025/04/29 00:19 (1 months), 7 search results
전 기간대비 57% 높은 트렌드를 보이고 있습니다.
전 기간대비 상승한 Top5 연관 키워드는 SmokeLoader Malware Report Operation 입니다.
악성코드 유형 Botnet Pikabot IcedID SystemBC TrickBot BumbleBee Dbatloader GootLoader Ransomware 도 새롭게 확인됩니다.
공격기술 Phishing FakeUpdates 도 새롭게 확인됩니다.
기관 및 기업 Recorded Future 도 새롭게 확인됩니다.
기타 arrest Endgame MWNEWS DoTNet Emmenhtal 등 신규 키워드도 확인됩니다.
The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Ref.
* 최근 뉴스기사 Top3:
ㆍ 2025/04/21 Federal charges filed against alleged SmokeLoader malware operator
ㆍ 2025/04/10 Operation Endgame follow-up cracks down on Smokeloader botnet
ㆍ 2025/04/10 Europol Arrests Five SmokeLoader Clients Linked by Seized Database Evidence
참고로 동일한 그룹의 악성코드 타입은 SmokeLoader GuLoader Zloader 등 47개 종이 확인됩니다.
Trend graph by period
Related keyword cloud
Top 100| # | Trend | Count | Comparison |
|---|---|---|---|
| 1 | SmokeLoader | 7 | ▲ 4 (57%) |
| 2 | Malware | 7 | ▲ 4 (57%) |
| 3 | Botnet | 3 | ▲ new |
| 4 | Phishing | 2 | ▲ new |
| 5 | Recorded Future | 2 | ▲ new |
| 6 | Report | 2 | ▲ 1 (50%) |
| 7 | Operation | 2 | ▲ 1 (50%) |
| 8 | arrest | 2 | ▲ new |
| 9 | Endgame | 2 | ▲ new |
| 10 | MWNEWS | 2 | ▲ new |
| 11 | Advertising | 2 | ▼ -1 (-50%) |
| 12 | DoTNet | 1 | ▲ new |
| 13 | Pikabot | 1 | ▲ new |
| 14 | IcedID | 1 | ▲ new |
| 15 | SystemBC | 1 | ▲ new |
| 16 | TrickBot | 1 | ▲ new |
| 17 | Emmenhtal | 1 | ▲ new |
| 18 | followup | 1 | ▲ new |
| 19 | BumbleBee | 1 | ▲ new |
| 20 | Dbatloader | 1 | ▲ new |
| 21 | Record | 1 | ▲ new |
| 22 | Recorded | 1 | ▲ new |
| 23 | Future | 1 | ▲ new |
| 24 | Alleged | 1 | ▲ new |
| 25 | operator | 1 | ▲ new |
| 26 | GootLoader | 1 | ▲ new |
| 27 | attack | 1 | - 0 (0%) |
| 28 | modular | 1 | ▲ new |
| 29 | Update | 1 | - 0 (0%) |
| 30 | Ransomware | 1 | ▲ new |
| 31 | FakeUpdates | 1 | ▲ new |
| 32 | spyware | 1 | ▲ new |
| 33 | Introduction | 1 | ▲ new |
| 34 | Europols | 1 | ▲ new |
| 35 | Evidence | 1 | ▲ new |
| 36 | Database | 1 | ▲ new |
| 37 | Seized | 1 | ▲ new |
| 38 | Europol | 1 | ▲ new |
| 39 | wave | 1 | ▲ new |
| 40 | stealth | 1 | ▲ new |
| 41 | GitHub | 1 | ▲ new |
| 42 | hijack | 1 | - 0 (0%) |
| 43 | Federal | 1 | ▲ new |
Special keyword group
Top 5
Malware Type
This is the type of malware that is becoming an issue.
| Keyword | Average | Label |
|---|---|---|
| SmokeLoader |
|
7 (38.9%) |
| Botnet |
|
3 (16.7%) |
| Pikabot |
|
1 (5.6%) |
| IcedID |
|
1 (5.6%) |
| SystemBC |
|
1 (5.6%) |
Attacker & Actors
The status of the attacker or attack group being issued.
No data.
Technique
This is an attack technique that is becoming an issue.
| Keyword | Average | Label |
|---|---|---|
| Phishing |
|
2 (50%) |
| FakeUpdates |
|
1 (25%) |
| hijack |
|
1 (25%) |
Country & Company
This is a country or company that is an issue.
| Keyword | Average | Label |
|---|---|---|
| Recorded Future |
|
2 (100%) |
Malware Family
Top 5
A malware family is a group of applications with similar attack techniques.
In this trend, it is classified into Ransomware, Stealer, RAT or Backdoor, Loader, Botnet, Cryptocurrency Miner.
Threat info
Last 5SNS
(Total : 3)
Total keyword
SmokeLoader Malware Phishing Ransomware GootLoader Dbatloader attack Update FakeUpdates spyware Operation Advertising GitHub hijack DoTNet Recorded Future
News
(Total : 4)
Total keyword
Malware SmokeLoader Botnet Report arrest Recorded Future Operation BumbleBee Pikabot IcedID TrickBot SystemBC Advertising
| No | Title | Date |
|---|---|---|
| 1 | Federal charges filed against alleged SmokeLoader malware operator - Malware.News | 2025.04.21 |
| 2 | Operation Endgame follow-up cracks down on Smokeloader botnet - Malware.News | 2025.04.10 |
| 3 | Europol Arrests Five SmokeLoader Clients Linked by Seized Database Evidence - The Hacker News | 2025.04.10 |
| 4 | Smoked out - Emmenhtal spreads SmokeLoader malware - Malware.News | 2025.03.31 |
Additional information
| No | Title | Date |
|---|---|---|
| 1 | Employee monitoring app exposes users, leaks 21+ million screenshots - Malware.News | 2025.04.28 |
| 2 | Introducing XSIAM 3.0 - Malware.News | 2025.04.28 |
| 3 | Deploy Bravely with Prisma AIRS - Malware.News | 2025.04.28 |
| 4 | 2025 Cyber Resilience Research Discovers Speed of AI Advancing Emerging Attack Types - Malware.News | 2025.04.28 |
| 5 | Intel CEO Targets Change in Corporate Culture to Shape Up - Bloomberg Technology | 2025.04.28 |
| View only the last 5 | ||
| No | Title | Date |
|---|---|---|
| 1 | Federal charges filed against alleged SmokeLoader malware operator - Malware.News | 2025.04.21 |
| 2 | CoffeeLoader Uses GPU-Based Armoury Packer to Evade EDR and Antivirus Detection - The Hacker News | 2025.03.28 |
| 3 | CoffeeLoader: A Brew of Stealthy Techniques - Malware.News | 2025.03.27 |
| 4 | 10th February – Threat Intelligence Report - Malware.News | 2025.02.10 |
| 5 | 10th February – Threat Intelligence Report - Malware.News | 2025.02.10 |
| View only the last 5 | ||
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
| danger | Disables Windows Security features |
| danger | Executed a process and injected code into it |
| danger | Stops Windows services |
| warning | Generates some ICMP traffic |
| watch | A process attempted to delay the analysis task. |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
| watch | Attempts to create or modify system certificates |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Attempts to identify installed AV products by registry key |
| watch | Checks for the presence of known devices from debuggers and forensic tools |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the CPU name from registry |
| watch | Checks the version of Bios |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Connects to an IRC server |
| watch | Created a service where a service was also not started |
| watch | Creates a suspicious Powershell process |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Detects VirtualBox using WNetGetProviderName trick |
| watch | Detects VMWare through the in instruction feature |
| watch | Drops 196 unknown file mime types indicative of ransomware writing encrypted files back to disk |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | Installs itself for autorun at Windows startup |
| watch | Loads a driver |
| watch | Network activity contains more than one unique useragent |
| watch | One or more non-whitelisted processes were created |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Operates on local firewall's policies and settings |
| watch | Potential code injection by writing to the memory of another process |
| watch | Powershell script adds registry entries |
| watch | Queries information on disks |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| watch | Zeus P2P (Banking Trojan) |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the processes axplont.exe |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for known Chinese AV sofware registry keys |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Creates hidden or system file |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | Expresses interest in specific running processes |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
| Network | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
| Network | ET DROP Spamhaus DROP Listed Traffic Inbound group 1 |
| Network | ET DROP Spamhaus DROP Listed Traffic Inbound group 14 |
| Network | ET DROP Spamhaus DROP Listed Traffic Inbound group 23 |
| Network | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 |
| Network | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
| Network | ET INFO EXE - Served Attached HTTP |
| Network | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
| Network | ET INFO Executable Download from dotted-quad Host |
| Network | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| Network | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
| Network | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
| Network | ET INFO Microsoft net.tcp Connection Initialization Activity |
| Network | ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) |
| Network | ET INFO Packed Executable Download |
| Network | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false) |
| Network | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true) |
| Network | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false) |
| Network | ET INFO TLS Handshake Failure |
| Network | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) |
| Network | ET MALWARE Amadey Bot Activity (POST) |
| Network | ET MALWARE Private Loader Related Activity (GET) |
| Network | ET MALWARE Redline Stealer TCP CnC - Id1Response |
| Network | ET MALWARE Redline Stealer TCP CnC Activity |
| Network | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) |
| Network | ET MALWARE Suspected PrivateLoader Activity (POST) |
| Network | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 |
| Network | ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) |
| Network | ET POLICY PE EXE or DLL Windows file download HTTP |
| Network | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
| Network | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) |
| Network | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
| Network | SURICATA Applayer Mismatch protocol both directions |
| No | Category | URL | CC | ASN Co | Date |
|---|---|---|---|---|---|
| 1 | c2 | http://gebeus.ru/tmp/index.php | JM  | DIG001 | 2024.07.15 |
| 2 | c2 | http://file-file-file1.com/ | US  | Cloud Computing Ltd. | 2023.11.08 |
| 3 | c2 | http://host-file-file0.com/ | US | Cloud Computing Ltd. | 2023.11.08 |
| 4 | c2 | http://dublebomber.ru/ | RU  | Trader soft LLC | 2023.10.06 |
| 5 | c2 | http://popuasyfromua.ru/ | RU | ... | 2023.10.06 |
| View only the last 5 | |||||
| No | URL | CC | ASN Co | Reporter | Date |
|---|---|---|---|---|---|
| 1 | http://2.59.163.172/ukraine/svc1.exe exe netreactor smokeloader | RU | Perviy TSOD LLC | Riordz | 2025.01.31 |
| 2 | http://88.151.192.50/putty.exe smokeloader | AZ  | ... | Riordz | 2025.01.31 |
| 3 | http://2.59.163.172/svc.exe exe opendir Smoke Loader smokeloader | RU | Perviy TSOD LLC | Riordz | 2025.01.31 |
| 4 | http://2.59.163.172/svc2.exe exe opendir smokeloader | RU | Perviy TSOD LLC | Riordz | 2025.01.31 |
| 5 | http://172.245.119.74/500/csso.exe smokeloader | US | AS-COLOCROSSING | lontze7 | 2025.01.17 |
| View only the last 5 | |||||
Beta Service, If you select keyword, you can check detailed information.