“The Smoke Loader botnet, publicly available since 2011, is still active on the black market — with more than 1,500 active samples detected in the past six months.”
Smoke Loader’s continuing popularity on the black market speaks to its ongoing innovation: the downloader was among the first to use “PROPagate” injection techniques to compromise Windows machines. And while the loader is often tapped as a crypto-mining delivery tool, it’s also a common delivery service for plugins, such as those designed to target browser data, steal form data or carry out distributed denial-of-service (DDoS) attacks.