Smokeloader - SparTech Software

SmokeLoader is a sophisticated and long-standing malware loader first observed in 2011, known for its modular design, advanced evasion techniques, and role in distributing secondary payloads like ransomware, info-stealers, and cryptominers.

Loader Capabilities:
• Acts as a gateway for deploying up to 10 additional malware strains, including banking trojans (e.g., TrickBot), ransomware, and credential stealers
• Uses PROPagate injection to insert malicious code into legitimate processes like explorer.exe and Internet Explorer, bypassing traditional security tools

Evasion Techniques:
• Scrambles portable executables and encrypts code using XOR obfuscation
• Implements anti-analysis checks for virtual environments and debugging tools
• Generates fake network traffic mimicking Microsoft/Adobe domains to mask C2 communications

AsyncRAT’s open-source code has led to a dramatic increase in malicious cyber activity around the world.
Originally developed as a legitimate remote administration tool, AsyncRAT has become a favorite foundation for cybercriminals due to its flexible architecture, ease of modification, and powerful functionality. As threat actors continue to build upon and customize the tool, the cybersecurity landscape faces a growing risk from increasingly sophisticated and evasive malware variants.
Hackers Leverage GitHub Repositories to Distribute Amadey Malware and Data Stealers, Bypassing Enterprise Filters
Recent cybersecurity intelligence has uncovered a significant trend: threat actors are now exploiting public GitHub repositories to host and disseminate the Amadey malware and various data-stealing tools. By leveraging the reputation and widespread access policies of GitHub, these attackers are successfully bypassing traditional web filters and security protocols in organizational networks.
Operation Endgame takes a serious cut out of the hacking tools market.
Operation Endgame is a major, ongoing international law enforcement initiative targeting the infrastructure and services that enable ransomware and other forms of cybercrime. Launched in May 2024, the operation is coordinated by agencies including the FBI, Europol, Eurojust, and law enforcement from multiple countries such as the United States, Denmark, France, Germany, the Netherlands, and the United Kingdom.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Related