SmokeLoader Malware Found in Open Directories Targeting Ukraine’s Auto & Banking Industries
Published on
Feb 6, 2025
![SmokeLoader Malware Targets Ukraine’s Auto & Banking Sectors via Open Directories](https://framerusercontent.com/images/nbnEmLu3rWn7q2gvkPNbCjG4304.webp)
Hunt researchers identified an open directory hosting SmokeLoader samples alongside lure documents targeting Ukraine's automotive and banking sectors. A second related directory contained the same malware but with different lures, suggesting a broader campaign. The misconfigured servers exposed the staging and distribution methods used in this campaign, offering direct insight into the threat actor's operational tactics.
SmokeLoader remains a tool for cybercriminals and suspected Russian threat actors, often used for initial access before delivering secondary payloads such as credential stealers and remote access trojans (RATs). Recent reports highlight its continued deployment in operations against Ukrainian organizations, reinforcing its role in both cybercrime and espionage-driven attacks.
The following sections examine the findings, analyze the malware and lure files, and break down the malicious infrastructure supporting this activity.
SmokeLoader: A Brief Overview
First identified in 2011, SmokeLoader has evolved into a versatile and persistent threat in the cyber landscape. Originally designed as a malware loader, it remains a preferred tool for adversaries due to its lightweight nature and ability to execute additional payloads on compromised systems. Its modular framework allows operators to tailor functionality, making it effective for both large-scale operations and more targeted intrusions.
While SmokeLoader has long been associated with financially motivated campaigns, its presence in operations against Ukrainian organizations highlights its continued adaptability. Its obfuscation techniques and ability to deliver a variety of secondary malware ensure it remains a reliable choice for threat actors looking to maintain access, evade detection, and distribute additional payloads as needed.
Open Directory Findings: What We Discovered
Browsing Hunt's AttackCapture™ listing for recently scanned open directories, researchers identified an exposed server at 2.59.163[.]172, hosted on the Global Connectivity Solutions LLP network in Poland. The directory contained multiple Windows executables and PDF files labeled "invoce," a likely misspelling of "invoice." The file names suggest the actor leveraged financial-themed lures, a common tactic in phishing campaigns.
As shown in the figure below, Hunt automatically detected and tagged several of these files as SmokeLoader samples. A subfolder named "ukraine" stands out, suggesting a deliberate focus on Ukrainian targets. The directory's structure and contents indicate it was set up to deliver malware rather than being an incidental collection of files.
In AttackCapture™, pivoting on files is as simple as clicking on the three dots next to the file and selecting "Search by SHA256." In this case, the number next to the option was 2, indicating the same executable file was hosted in another directory.
That second server, located at 88.151.192[.]50 and hosted on the Global Connectivity Solutions LLP network in Ukraine, contained the same three Windows files (svc.exe, svc1.exe, and svc2.exe), indicating that both servers were likely part of the same staging infrastructure.
The screenshot above shows that the directory structure closely mirrors that of the first server, including the "ukraine" subfolder. However, there are two key differences:
1. The PDF files are named invoce.pdf and invoce2.pdf.
2. A newly detected file, putty.exe, appeared alongside the SmokeLoader samples. While unrelated to the financial lures, its presence suggests an attempt to deceive users seeking to download or run the legitimate SSH client, a common malware-delivery tactic.
A single domain resolves to this IP, www[.]connecticutproperty[.]ru, which will appear again later in this post.
PDF Lures
Among the files found on the initial server, a single PDF, "invoce415.pdf," was used in conjunction with the malicious files. The document poses as an invoice from Ілта (Ilta), an official importer of Peugeot vehicles in Ukraine since 1992. The company provides sales, service, and leasing options for Peugeot, Citroën, and DS vehicles, making it a plausible lure for targeting individuals or businesses in the automotive sector.
While fake invoices are a common phishing tactic, referencing a well-known Ukrainian business adds credibility to the lure, increasing the chances that a recipient will engage with it. This document was likely distributed as part of a phishing operation, where the attacker urged the recipient to download and open the file, leading to the execution of SmokeLoader.
Within the second directory, the first of the two PDFs, invoce.pdf, appears to be an account statement from Raiffeisen Bank, a major commercial bank in Ukraine. Raiffeisen was designated a systemically important bank by the National Bank of Ukraine in 2024.
The second file, invoce2.pdf, is another financial statement dated at the end of July 2024. The document purports to be from Sense Bank, one of Ukraine's largest financial institutions. Known as Alfa-Bank until 2022, Sense Bank remains a recognizable name in the country's financial sector, making it an effective lure for phishing attempts.
Malware Analysis
Recent reporting from AhnLab and Trend Micro detailed SmokeLoader campaigns leveraging 7-Zip archives for delivery. While that specific technique was not present in the open directories we analyzed, there were noticeable overlaps: lure documents targeting Ukrainian organizations, domains following similar naming patterns, and a known SmokeLoader command-and-control server.
Once executed, SmokeLoader injects into explorer.exe and creates a duplicate of itself in the AppData directory under the name "hbasjiu" to evade detection. It then establishes communication with the following command-and-control servers via HTTP POST requests:
94.156.177[.]72:80
2.59.163[.]71:80
Notably, network traffic analysis revealed that each request contained a dynamically changing Referer header, with values generated from domain generation algorithm (DGA) domains.
The malware's configuration also contained hardcoded domains, though no additional payloads were observed during analysis:
http://constractionscity1991[.]lat
http://restructurisationservice[.]ru
http://connecticutproperty[.]ru
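The beaconing behaviour described above (HTTP POSTs to the two C2 addresses, each carrying a different DGA-derived Referer, plus the three hardcoded domains) is simple to hunt for in proxy logs. The script below is an added example written for this page, not code from the Hunt.io post or the AttackCapture™ platform. The indicators are the defanged values from the report; the proxy log format and the log lines themselves are constructed for illustration, and the `referer_churn` heuristic (several POSTs to one destination, each with a different, unrelated Referer host) is our own behavioural check that does not depend on the IoC lists.

```python
"""Flag SmokeLoader-style beaconing in web-proxy logs.

Added example for this write-up, not code from the Hunt.io post. Indicators
are the defanged C2 addresses and hardcoded domains listed in the report;
the proxy log format and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the report (kept defanged in source, refanged at load time).
C2_HOSTS_DEFANGED = ["94.156.177[.]72", "2.59.163[.]71"]
HARDCODED_DOMAINS_DEFANGED = [
    "constractionscity1991[.]lat",
    "restructurisationservice[.]ru",
    "connecticutproperty[.]ru",
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('a[.]b', 'hxxp://') back to its live form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {refang(h) for h in C2_HOSTS_DEFANGED}
HARDCODED_DOMAINS = {refang(d) for d in HARDCODED_DOMAINS_DEFANGED}

# Constructed log format: <timestamp> <client> <method> <url> <status> referer="<value>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) referer="(?P<referer>[^"]*)"$'
)

# Constructed sample: 10.0.0.15 beacons to a reported C2 with a fresh
# DGA-looking Referer on every POST and then contacts a hardcoded domain;
# 10.0.0.22 does ordinary browsing and one internal POST.
SAMPLE_LOG = """\
2025-02-06T10:00:01Z 10.0.0.15 POST http://94.156.177.72/ 200 referer="http://kqzvmwplrt.com/"
2025-02-06T10:00:31Z 10.0.0.15 POST http://94.156.177.72/ 200 referer="http://xjdnwbqoeu.net/"
2025-02-06T10:01:02Z 10.0.0.15 POST http://94.156.177.72/ 200 referer="http://pltyhvrcma.org/"
2025-02-06T10:01:05Z 10.0.0.22 GET http://www.example.com/news 200 referer="http://www.example.com/"
2025-02-06T10:01:40Z 10.0.0.15 GET http://constractionscity1991.lat/ 404 referer=""
2025-02-06T10:02:10Z 10.0.0.22 POST http://intranet.corp.local/api 200 referer="http://intranet.corp.local/app"
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    referer = rec["referer"]
    rec["referer_host"] = (urlsplit(referer).hostname or "") if referer else ""
    return rec


def analyze(log_text: str, min_posts: int = 3):
    """Return a sorted list of unique (client, reason, destination) alerts.

    post_to_known_c2          POST to a C2 address from the report
    hardcoded_domain_contact  any request to a hardcoded domain from the report
    referer_churn             >= min_posts POSTs to one destination, each with a
                              different Referer host unrelated to that destination
    """
    alerts = set()
    posts = defaultdict(int)      # (client, destination host) -> POST count
    referers = defaultdict(set)   # (client, destination host) -> Referer hosts seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, host = rec["src"], rec["host"]
        if rec["method"] == "POST" and host in C2_HOSTS:
            alerts.add((src, "post_to_known_c2", host))
        if host in HARDCODED_DOMAINS:
            alerts.add((src, "hardcoded_domain_contact", host))
        if rec["method"] == "POST":
            posts[(src, host)] += 1
            if rec["referer_host"]:
                referers[(src, host)].add(rec["referer_host"])
    # Behavioural check independent of the IoC lists: legitimate POSTs normally
    # carry a Referer from the same site, whereas a new, unrelated Referer host
    # on every beacon matches the DGA-derived Referer values in the report.
    for (src, host), seen in referers.items():
        unrelated = {r for r in seen if r != host and not r.endswith("." + host)}
        if posts[(src, host)] >= min_posts and len(unrelated) == posts[(src, host)]:
            alerts.add((src, "referer_churn", host))
    return sorted(alerts)


if __name__ == "__main__":
    for client, reason, dest in analyze(SAMPLE_LOG):
        print(f"{client:12} {reason:26} {dest}")
```

On the constructed sample the IoC matches and the Referer-churn heuristic fire only for the beaconing client; the intranet POST passes because its Referer belongs to the destination site. Once the C2 IPs rotate, the churn check keeps working while the address list goes stale.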
Final Note
Hunt users can explore additional open directories hosting SmokeLoader and multiple other malware families in AttackCapture™ by searching for the tag.
Conclusion
Our findings highlight how open directories continue to expose malware distribution operations, providing direct visibility into threat actor infrastructure, targeting, and execution methods. The uncovered servers contained SmokeLoader samples staged alongside financial-themed lure documents impersonating Ukrainian banks and businesses, tactics consistent with previously observed campaigns.
By tracking open directories, defenders can gain early insight into adversary behaviors, helping to identify active malware campaigns before deployment at scale. Researchers can use AttackCapture™ to search for SmokeLoader and other malware families, uncovering additional staging servers and refining detection strategies.
Network Observables and Indicators of Compromise (IOCs)
| IP Address | ASN | Domains | Notes |
|---|---|---|---|
| 2.59.163[.]172 | GLOBAL CONNECTIVITY SOLUTIONS LLP | N/A | Open directory containing lure PDF documents and SmokeLoader samples. |
| 88.151.192[.]71 | GLOBAL CONNECTIVITY SOLUTIONS LLP | www.connecticutproperty[.]ru | Shares Windows executables with 2.59.163[.]172. |
| 94.156.177[.]72 | Railnet LLC | downloadmanager[.]ru, oncomnigos[.]ru, consultationoffice[.]ru, www[.]spotcarservice[.]ru, www[.]fileexportinc[.]ru, restructurisationservice[.]ru, fileexportinc[.]ru, constractionscity1991[.]lat | Known SmokeLoader C2. The following domains also resolved to 66.63.187[.]25 in late December 2024: constractionscity1991[.]lat, ns2.constractionscity1991[.]lat |
Host Observables and Indicators of Compromise
| Filename | SHA-256 |
|---|---|
| invoce415.pdf | 9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188 |
| svc.exe | f8bd5f0408409ea63a270d5aad8da5f0cb557f9a82e0da3e8077cbe589288054 |
| svc1.exe | 1118a93cc63a70ba8348182f7012ddbeecf890345941c82376ac967faf55a295 |
| svc2.exe | 4b00565a29eeb0446393d0538e8f24de232339cf3ffb6a76a2bce3ba160c2066 |
| invoce.pdf | 5e7602b9073b8cf5c1a6afc6d0c8366545da65d2b48eb109f1bd9f40a58e73c0 |
| invoce2.pdf | 7991bfff4eb5f50aa9f5d3d95064411987a29de9621fc5afca9e4978ca568941 |
| putty.exe | f8bd5f0408409ea63a270d5aad8da5f0cb557f9a82e0da3e8077cbe589288054 |
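Defanged IoC tables like the two above are usually copied into blocklists by hand, which is where truncated hashes, stray "N/A" cells and duplicate entries creep in. The script below is an added example for this page, not code from the Hunt.io post: it parses the report's host and network IoC rows into validated indicator sets, points out hashes listed under more than one filename (putty.exe and svc.exe share a SHA-256 in the table, so they are the same file), and hashes a directory against the result. The real samples are not available here, so `demo()` scans constructed files and adds one clearly labelled constructed hash to the map to show what a match looks like; the network table copy keeps only the columns the parser uses.

```python
"""Normalize the report's defanged IoC tables and scan files against them.

Added example for this write-up, not code from the Hunt.io post. The table
strings are the report's IoC rows; the files and the extra hash in demo()
are constructed so the script runs self-contained.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

HOST_IOC_TABLE = """\
invoce415.pdf | 9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188 |
svc.exe | f8bd5f0408409ea63a270d5aad8da5f0cb557f9a82e0da3e8077cbe589288054 |
svc1.exe | 1118a93cc63a70ba8348182f7012ddbeecf890345941c82376ac967faf55a295 |
svc2.exe | 4b00565a29eeb0446393d0538e8f24de232339cf3ffb6a76a2bce3ba160c2066 |
invoce.pdf | 5e7602b9073b8cf5c1a6afc6d0c8366545da65d2b48eb109f1bd9f40a58e73c0 |
invoce2.pdf | 7991bfff4eb5f50aa9f5d3d95064411987a29de9621fc5afca9e4978ca568941 |
putty.exe | f8bd5f0408409ea63a270d5aad8da5f0cb557f9a82e0da3e8077cbe589288054 |
"""

# IP, ASN and domain columns from the report's network IoC table.
NETWORK_IOC_TABLE = """\
2.59.163[.]172 | GLOBAL CONNECTIVITY SOLUTIONS LLP | N/A | Open directory. |
88.151.192[.]71 | GLOBAL CONNECTIVITY SOLUTIONS LLP | www.connecticutproperty[.]ru | Shares executables. |
94.156.177[.]72 | Railnet LLC | downloadmanager[.]ru oncomnigos[.]ru consultationoffice[.]ru www[.]spotcarservice[.]ru www[.]fileexportinc[.]ru restructurisationservice[.]ru fileexportinc[.]ru constractionscity1991[.]lat | Known SmokeLoader C2. |
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(ioc):
    """'a[.]b' -> 'a.b' so the value can be compared with live data."""
    return ioc.replace("[.]", ".")


def split_row(row):
    """Split 'a | b | c |' (with or without leading pipe) into stripped cells."""
    return [c.strip() for c in row.strip().strip("|").split("|")]


def parse_host_iocs(table):
    """Map each valid SHA-256 to the sorted filenames it was listed under."""
    by_hash = defaultdict(list)
    for row in table.splitlines():
        cells = split_row(row)
        if len(cells) < 2:
            continue
        name, digest = cells[0], cells[1].lower()
        if not SHA256_RE.match(digest):   # drop truncated or garbled hashes
            continue
        by_hash[digest].append(name)
    return {h: sorted(names) for h, names in by_hash.items()}


def duplicate_hashes(by_hash):
    """Hashes listed under several filenames: one file, several names."""
    return {h: n for h, n in by_hash.items() if len(n) > 1}


def parse_network_iocs(table):
    """Return (ips, domains) as refanged sets; 'N/A' and separators are dropped."""
    ips, domains = set(), set()
    for row in table.splitlines():
        cells = split_row(row)
        if len(cells) < 3:
            continue
        ips.add(refang(cells[0]))
        for token in re.split(r"[\s,]+", cells[2]):
            if token and token.upper() != "N/A":
                domains.add(refang(token))
    return ips, domains


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, by_hash):
    """Hash every file under root; return (path, digest, reported names) per match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            digest = sha256_file(path)
            if digest in by_hash:
                hits.append((path, digest, by_hash[digest]))
    return hits


def demo():
    """Constructed run: one made-up file matches a made-up indicator, one is clean."""
    by_hash = dict(parse_host_iocs(HOST_IOC_TABLE))
    constructed = b"constructed stand-in for a reported sample\n"
    by_hash[hashlib.sha256(constructed).hexdigest()] = ["CONSTRUCTED-sample.bin"]
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "download.bin"), "wb") as f:
            f.write(constructed)
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"unrelated content\n")
        hits = scan_directory(tmp, by_hash)
    return [(os.path.basename(p), names) for p, _, names in hits]


if __name__ == "__main__":
    print("same file under several names:", duplicate_hashes(parse_host_iocs(HOST_IOC_TABLE)))
    print("network indicators:", parse_network_iocs(NETWORK_IOC_TABLE))
    print("constructed scan:", demo())
```

Validating the hash format before loading is worth the two lines: a 63-character hash silently never matches anything, and the duplicate check tells you that a putty.exe detection and an svc.exe detection are the same payload, not two.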
Threat Hunting Platform - Hunt.io
Hunt Intelligence, Inc.