Ok, we get it, LLMs can reverse malware. But I'd love to see a full analysis (similar to what Check Point has done with XLoader) of SmokeLoader, GuLoader, POORTRY, FlawedGrace or Nymaim. Not just toy malware.
Feb 12
Acronis Threat Research Unit (TRU) Update: LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXi systems. ➡️ acronis.com/en/tru/posts/loc…
Key highlights:
🔹 The Windows sample has the most defense evasion and anti-analysis techniques applied across all analyzed samples. This includes packing, DLL unhooking, process hollowing, patching Event Tracing for Windows (ETW) functions and clearing all available logs in the system.
🔹 Linux and ESXi versions are very similar, except for functions that target virtualization. Neither of these versions is packed, but almost all strings are encrypted.
🔹 All versions have the same ransom note, append a random extension to each encrypted file, and use the same encryption routine, which involves XChaCha20 and Curve25519.
🔹 The LockBit site was hosted on infrastructure with historical ties to SmokeLoader, indicating possible infrastructure reuse or cooperation.
For MSPs and IT teams, speed matters. Threat research provides the intelligence to update protections quickly, manage efficiently, and automate defenses, so teams can stay protected without adding complexity.
Added indicators for: BianLian (1), Venom RAT (1), Quasar RAT (2), Hajime (4), Havoc (2), SmartApeSG (1) and SmokeLoader (5). vuldb.com/?actor #apt #cti #ioc
Last week, @SophosXOps reported a new packer/crypter called #Shanya (aka #ArmillariaLoader by @ciphertech). We hunted for this packer across our dataset and identified several early, previously unreported samples. The earliest sample observed in the wild dates back to December 2024, which aligns with the underground promotions for this packer toward the end of 2024 (as noted by @SophosXOps). Some of the unreported #Shanya samples we observed were dropping families such as #SmokeLoader, #NightshadeC2, and #Vidar. Due to the heavy obfuscation of this packer, we clustered the samples using our code similarity engine and identified the custom API hashing function as a strong hunting artifact. We identified two variants of this hashing algorithm used across the packer samples, which enabled us to easily create a #YARA hunting rule. You can find the rule and #IOCs here: github.com/threatray/threat-…
8 Dec 2025
Top 10 last week's threats by uploads 🌐
⬆️ #Xworm 870 (854)
⬆️ #Asyncrat 415 (398)
⬆️ #Quasar 395 (329)
⬇️ #Vidar 318 (327)
⬇️ #Lumma 286 (322)
⬆️ #Remcos 273 (212)
⬇️ #Stealc 266 (296)
⬇️ #Gravityrat 241 (302)
⬆️ #Guloader 179 (172)
⬆️ #Smokeloader 155 (144)
Explore malware in action: app.any.run/?utm_source=twit… #Top10Malware
Server infrastructure hosting the leak site of the LockBit 5.0 ransomware group has been identified.
▼ The "LOCKBITS.5.0" branding displayed on the DDoS protection page on the server confirmed that this is the group's operational infrastructure.
▼ This exposure represents an operational security (OPSEC) failure by a group that has continued operating despite multiple past takedowns and disruptions.
▼ Defenders are advised to immediately block the infrastructure in question (IP address: 205.185.116.233, domain: karma0[.]xyz) and the related malware IOCs.
[Background and summary]
・ A WHOIS record investigation identified the domain's registration date, expiration date, the name servers used (Cloudflare), and the contact registration location (Iceland) provided through a privacy protection service. The domain is in a registrar-locked state (transfer restricted), which suggests control may have been secured and defensive measures taken in anticipation of heightened monitoring.
・ A port scan revealed multiple services running openly on the server, including FTP, an Apache web server (Windows 64-bit environment, running OpenSSL/PHP), RDP, WinRM, and a file server. RDP in particular was flagged as a high-risk vector for unauthorized access.
・ As for the hosting environment, the server was operated under a network operator known to be frequently abused for illicit activity.
・ The hash of the Smokeloader used by the LockBit group in its attacks (e818a9afd55693d556a47002a7b7ef31) was also published, and its connection to the infrastructure was pointed out.
cybersecuritynews.com/lockbi…
Confirmed the appearance of a leak site for the ransomware attack group "LockBit 5.0".
▼ Regarding LockBit 5.0, we had confirmed the existence of an admin panel as of September 2025; this time we newly confirmed the appearance of a leak site.
▼ All of the "ethical" restrictions it previously proclaimed have been abolished. It states that, as a way of shifting blame onto the FBI and as a retaliatory stance, it has fully lifted restrictions on attacks against any medical institutions, critical infrastructure, educational institutions, non-profit organizations, and law enforcement agencies.
▼ While claiming its current base is in the Netherlands, it prohibits attacks on CIS countries, explicitly giving as the reason that "the developers are from the Soviet Union".
▼ It also describes the functional details of the ransomware it uses (see image).
▼ At present, 21 organizations are listed, with the United States the most common at 57%. This is followed by China with 2, Latin America with 2, and Europe with 2. By industry: 6 manufacturing, 4 construction/real estate, 9 services (finance, legal, IT, education, healthcare), and 2 other, so manufacturing and professional services make up roughly 70% of the total. Most are small and medium-sized enterprises.
▼ To be added to future monitoring targets.
🚨 Exposing #LOCKBIT 5.0 Server: IP & DOMAIN
IP: 205.185.116.233 🇺🇸 #AS53667
Domain: karma0[.]xyz
Reg: 2 November 2025
💡 LockBit Group uses #Smokeloader in their attacks
MD5: e818a9afd55693d556a47002a7b7ef31
#Lockbit5 #Ransomware #Security #Intelligence #OSINT #Databreach #TOR
20 Nov 2025
During November 2025, intelligence sources (Microsoft Threat Intelligence, Zscaler ThreatLabz, SOC Prime and Unit 42) reported new campaigns of the SmokeLoader malware. More information: ecucert.gob.ec/wp-content/up… #PorUnEcuadorCiberseguro @Arcotel_ec @CsirtCEDIA @CsirtEPN
#Rhadamanthys and #VenomRAT are the latest malware to be disrupted by Operation Endgame. Since May 2024, the operation has affected IcedID, Bumblebee, SystemBC, Pikabot, SmokeLoader, DanaBot, WarmCookie, Trickbot, and Hijack Loader, among other malware and botnets.
27 Oct 2025
Top 10 last week's threats by uploads 🌐
⬆️ #Xworm 955 (927)
⬆️ #Lumma 448 (429)
⬆️ #Quasar 389 (353)
⬇️ #Remcos 309 (360)
⬆️ #Rhadamanthys 268 (248)
⬇️ #Vidar 249 (293)
⬆️ #Asyncrat 232 (141)
⬇️ #Dcrat 228 (248)
⬆️ #Guloader 185 (169)
⬆️ #Smokeloader 167 (145)
Explore malware in action: app.any.run/?utm_source=twit… #Top10Malware
24 Sep 2025
If you ever wanna be forced into understanding how a debugger works with breakpoints, go analyze SmokeLoader.
SmokeLoader, a malware loader active since 2011, has resurfaced with new variants in 2025, featuring bug fixes and enhanced evasion techniques, despite prior takedowns by Operation Endgame. #CyberSecurity #Malware zscaler.com/blogs/security-r…
ThreatLabz has identified two new SmokeLoader versions that are being used by multiple threat groups. These versions, which we refer to as version 2025 alpha and version 2025, fix significant bugs that previously caused significant performance degradation on an infected system. In addition, various SmokeLoader artifacts have been updated to evade static and behavior-based detection. Read our technical analysis here: zscaler.com/blogs/security-r… The latest version of SmokeBuster is available here: github.com/ThreatLabz/smokeb…
25 Aug 2025
Russia accounts for 65.1% of illegal digital content / cracked software downloads, a "feat" that puts it far ahead of second-place Ukraine at 7.2%. Films and PC games make up nearly 90%. Malware such as Lumma Stealer, SmokeLoader, and RedLine Stealer is frequently embedded in them.
25 Aug 2025
🚨 New ThreatMon Report Released 🚨
Our latest research dives into the hidden dangers of unlicensed digital content and cracked software. After analyzing 1.8 million download records (2015–2025), we found that what may look like "free" software or media is in fact a major source of income for organized cybercrime groups.
🔎 Key Findings:
Russia leads globally with 65.1% of cracked software downloads, followed by Ukraine (7.2%).
Films (59.6%) and PC games (29.6%) dominate, making up nearly 90% of all pirated content.
Malware such as Lumma Stealer, SmokeLoader, and RedLine Stealer is frequently embedded in fake software, leading to credential theft, financial loss, and data breaches.
Beyond personal risk, cracked software is now a national security concern.
💡 The report also highlights global distribution trends, regional preferences, and the legal, security, and operational risks organizations face when unlicensed content infiltrates their networks.
📖 Read the full report and explore how ThreatMon helps detect, analyze, and mitigate these threats: ➡️ threatmon.io/unlicensed-acce…
#CyberSecurity #ThreatIntelligence #ThreatMon #DigitalRisk #DataSecurity #Malware
ohhh OF COURSE HERE COMES THE SMOKELOADER WHAT A TUFF NAME.🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑
LIKE WHY AM I GETTING TROJAN ATTACKED BY A BITCH NAMED POWDOW??? I DIDNT EVEN OPEN ANY SPAM EMAILS OR ANYTHING dude whoever made that can KEEL OVER AND 🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑JINGLE JINGLE🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑JINGLE JINGLE🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑