{"id":94615,"date":"2024-10-31T14:50:43","date_gmt":"2024-10-31T14:50:43","guid":{"rendered":"https:\/\/jacksonholdingcompany.com\/smokebuster-keeping-systems-smokeloader-free-threatlabz\/"},"modified":"2024-10-31T14:50:43","modified_gmt":"2024-10-31T14:50:43","slug":"smokebuster-keeping-systems-smokeloader-free-threatlabz","status":"publish","type":"post","link":"https:\/\/jacksonholdingcompany.com\/smokebuster-keeping-systems-smokeloader-free-threatlabz\/","title":{"rendered":"SmokeBuster: Keeping Systems SmokeLoader Free ThreatLabz"},"content":{"rendered":"

Introduction

In May 2024, international law enforcement agencies, in collaboration with private industry partners (including Zscaler ThreatLabz), conducted Operation Endgame, disrupting many prominent malware loaders including Smoke (a.k.a. SmokeLoader or Dofoil). This operation led to the seizure of more than 1,000 SmokeLoader command-and-control (C2) domains, and remotely cleaned over 50K infections. However, SmokeLoader continues to be used by multiple threat groups to distribute malware payloads through new C2 infrastructure. To further counter SmokeLoader, ThreatLabz has developed a general purpose tool called SmokeBuster that can be used to detect, analyze, and remove the malware from infected systems. During the development of this tool, ThreatLabz also discovered several bugs in recent versions of SmokeLoader that considerably slow down an infected system. In this blog, we will introduce SmokeBuster and examine coding errors that cause SmokeLoader to significantly degrade an infected system’s performance.

Key Takeaways

- ThreatLabz has developed a tool named SmokeBuster to detect, analyze, and remediate infections.
- SmokeBuster supports 32-bit and 64-bit instances of SmokeLoader and versions 2017-2022. The tool is compatible with Windows 7 to Windows 11.
- SmokeLoader is a malware downloader that originated in 2011. The malware is primarily designed to deliver second-stage payloads, which include information stealers and ransomware.
- Despite a major disruption by Operation Endgame in May 2024, SmokeLoader continues to be used by numerous threat groups largely due to numerous cracked versions publicly available on the internet.
- The last four versions of SmokeLoader contain coding flaws that significantly impact an infected system’s performance.

SmokeBuster

ThreatLabz has developed SmokeBuster, a general purpose tool that detects SmokeLoader artifacts including the following:

- Mutex names
- SmokeLoader code in explorer.exe
- Registry values (in version 2017)
- Startup shortcut links (in some versions)
- Persistence scriptlet (in some versions)
- Scheduled tasks (versions 2018-2022)
- SmokeLoader executable file
- Plugins file

The tool’s features include:

- Uninstall SmokeLoader from the compromised host.
- Control SmokeLoader’s threads (terminate, suspend, resume).
- Free any memory regions allocated by SmokeLoader.
- Remap SmokeLoader memory regions to add write permissions to them.

SmokeBuster currently supports the following command-line arguments:

| Argument | Long argument | Description |
|---|---|---|
| -u | --uninstall | Uninstall SmokeLoader. |
| -v | --save-memory | Scan SmokeLoader memory and save the main module to disk. |
| -p | --delete-tasks | Delete SmokeLoader persistent scheduled tasks. |
| -w | --make-sections-rwx | Make SmokeLoader memory sections read/write/execute. |
| -c | --close-mutexes | Close SmokeLoader mutexes. |
| -k | --kill-thread | Terminate a specific SmokeLoader thread in explorer.exe. (Requires the thread ID). Multiple thread IDs can be separated by commas. |
| -K | --killall-threads | Terminate all SmokeLoader threads in explorer.exe. |
| -s | --suspend-thread | Suspend a specific SmokeLoader thread in explorer.exe. (Requires the thread ID). Multiple thread IDs can be separated by commas. |
| -S | --suspendall-thread | Suspend all SmokeLoader threads in explorer.exe. |
| -r | --resume-thread | Resume a specific SmokeLoader thread in explorer.exe. (Requires the thread ID). Multiple thread IDs can be separated by commas. |
| -R | --resumeall-thread | Resume all SmokeLoader threads in explorer.exe. |
| -m | --unmap-memory | Free SmokeLoader memory regions in explorer.exe. |
| -h | --help | Show help and exit. |

Table 1: Command-line arguments supported by the SmokeBuster tool.

We will briefly highlight a few of the features and how they may be useful for malware analysts and threat hunters.

Foremost, SmokeBuster provides an uninstall command more robust than SmokeLoader’s native uninstall functionality. Note that SmokeLoader’s own uninstall routine leaves artifacts in memory, and some versions do not fully clean up the disk or registry. The SmokeBuster uninstall routine performs the following actions:

- Closes SmokeLoader’s mutex handle
- Closes SmokeLoader’s open file handles (required to delete files in use)
- Deletes the SmokeLoader executable, plugins file, and scheduled task
- Deletes installation directories
- Terminates SmokeLoader’s threads (or terminates the hollowed explorer.exe process for version 2017)
- Unmaps SmokeLoader from explorer.exe
- Terminates SmokeLoader plugin processes

Another feature implemented by SmokeBuster allows a malware analyst to terminate, suspend, and resume one or more of SmokeLoader’s threads. One potential use case is to suspend or kill the threads that SmokeLoader creates to prevent malware analysis tools, including debuggers and process monitoring tools, from running.

By default, most versions map SmokeLoader into a PAGE_EXECUTE_READ section in explorer.exe. As a result, debuggers will not be able to set software breakpoints or patch SmokeLoader’s code. However, SmokeBuster can remap SmokeLoader memory sections with PAGE_EXECUTE_READWRITE permissions to enable software breakpoints and patch SmokeLoader’s code as shown below.

Figure 1: SmokeLoader section with default privileges (left) and the same section remapped with the addition of write permissions (right).

The SmokeBuster tool is available in our GitHub repository.

SmokeBuster Bugs

In our previous blogs, we analyzed SmokeLoader’s evolution over the past decade. In addition, we presented technical information about Operation Endgame that targeted SmokeLoader infrastructure and remotely cleaned infections. As we previously documented, SmokeLoader primarily consists of two components: a stager and a main module. The stager’s purpose is to decrypt, decompress, and inject the main module into an explorer.exe process. The main module performs the core functionality of the malware including establishing persistence, communicating with the C2 infrastructure, and processing commands.

While developing SmokeBuster, we discovered that SmokeLoader contains numerous bugs. In versions 2018 through 2022, several of these bugs lead to a condition that will cause SmokeLoader to considerably slow down an infected system’s performance. This is due to a combination of coding errors from the persistence implementation, the checks for the presence of running infections, and failures to adequately clean up threads and process memory.

The following figure illustrates the process in which SmokeLoader is executed every 10 minutes via a scheduled task after installation.

Figure 2: SmokeLoader execution process control flow (versions 2018-2022).

After the main module of SmokeLoader is injected into explorer.exe, the malware resolves Windows API dependency names by hash. SmokeLoader then creates two threads to check for the presence of malware analyst tools. If such tools are detected, their processes are terminated. These threads run in an infinite loop until a flag is set that indicates that they should terminate.

If a system has already been infected with SmokeLoader, the code checks whether a mutex name exists. If the mutex name exists, SmokeLoader closes the handle to this mutex and terminates the main thread. However, there are several problems with this implementation.

First, the anti-analysis threads are always created before the mutex name check, and are not terminated even when the mutex name exists. Furthermore, the stager code does not itself perform any mutex checks. Compounding the issue, the persistence mechanism schedules a task that executes the SmokeLoader stager executable every 10 minutes, so the main module will be injected into explorer.exe repeatedly. This causes SmokeLoader to create three new threads and allocate about 90 KB of space (for the main module) in the explorer.exe process every 10 minutes. The main thread will exit if the mutex name exists; however, the two anti-analysis threads continue to run.

SmokeLoader version 2018 has yet another potential issue in that there is a connectivity test performed before the mutex check. Therefore, if the infected system does not have internet connectivity, the main thread will continue to execute in an infinite loop, thereby leaving a third running thread per execution. Over time, the lack of a mutex check by the stager, and the lack of a mutex check prior to creating the two anti-analysis threads will significantly degrade an infected system’s performance.

The figure below shows a screenshot of SmokeBuster running shortly after a system is infected with SmokeLoader version 2022. Note that there are three SmokeLoader threads and the main module has been injected into explorer.exe in the memory region 0x6030000 – 0x6046000.

Figure 3: SmokeLoader infection within a minute after execution.

If we run SmokeBuster 10 minutes later, the scheduled task will have executed the SmokeLoader stager. This causes SmokeLoader to inject the main module once again in explorer.exe at the region 0x3BC0000 – 0x3BD6000 as shown in the figure below. In addition, two new anti-analysis threads (thread IDs 1476 and 8292) will have been created. The new main thread will terminate shortly afterwards since the expected mutex name exists. However, this new main thread does not terminate the anti-analysis threads or free the newly created memory section.

Figure 4: SmokeLoader infection after 10 minutes.

After only an hour, SmokeLoader will have been injected six times and created 13 (1 main thread + 12 anti-analysis) threads. Thus, an infected system that has been running continuously for 24 hours will have been injected 144 times with 289 (1 main thread + 288 anti-analysis) threads running in explorer.exe.
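The accumulation described above leaves a recognizable footprint in explorer.exe: identically sized executable regions with no backing module keep appearing, each with threads still running inside it. The following is an added example, not code from ThreatLabz or SmokeBuster, that flags this pattern across two process snapshots. The snapshot format and the use of thread start addresses are assumptions of the example; the region bounds and thread IDs 1476 and 8292 are the ones quoted in the article, and all other values are constructed.

```python
"""Added example: spot repeated injection into explorer.exe from snapshots."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: str   # e.g. "PAGE_EXECUTE_READ"
    image: bool    # True when the region is backed by a module on disk


def suspicious_regions(regions, thread_starts):
    """Map each executable, non-image region to the thread IDs starting in it.

    thread_starts is {thread_id: start_address} for one process (assumed to
    come from whatever collector produced the snapshot).
    """
    hits = {}
    for r in regions:
        if r.image or "EXECUTE" not in r.protect:
            continue
        tids = sorted(tid for tid, addr in thread_starts.items()
                      if r.base <= addr < r.base + r.size)
        if tids:
            hits[r] = tids
    return hits


def leak_report(snapshots):
    """snapshots: list of (minute, regions, thread_starts), oldest first.

    Reports a finding when same-sized anonymous executable regions multiply
    between two snapshots while each copy still hosts running threads.
    """
    history = []
    for minute, regions, threads in snapshots:
        by_size = defaultdict(list)
        for region, tids in suspicious_regions(regions, threads).items():
            by_size[region.size].append((region.base, tids))
        history.append((minute, by_size))

    findings = []
    for (m0, old), (m1, new) in zip(history, history[1:]):
        for size, copies in new.items():
            before = len(old.get(size, []))
            if len(copies) > before >= 1:
                findings.append({
                    "window": (m0, m1),
                    "size": size,
                    "copies": len(copies),
                    "threads": sum(len(tids) for _, tids in copies),
                    "bytes": size * len(copies),
                    "bases": sorted(base for base, _ in copies),
                })
    return findings


# Constructed sample data. R1/R2 bounds and thread IDs 1476/8292 are quoted in
# the article; every other address and thread ID is invented for the example.
R1 = Region(0x6030000, 0x16000, "PAGE_EXECUTE_READ", image=False)
R2 = Region(0x3BC0000, 0x16000, "PAGE_EXECUTE_READ", image=False)
EXPLORER = Region(0x7FF6A0000000, 0x4F0000, "PAGE_EXECUTE_READ", image=True)
HEAP = Region(0x2A00000, 0x100000, "PAGE_READWRITE", image=False)

FIRST_THREADS = {900: 0x7FF6A0012340,            # legitimate explorer.exe thread
                 4100: 0x6031000, 4104: 0x6032200, 4108: 0x6033400}
SNAP_0 = (1, [EXPLORER, HEAP, R1], FIRST_THREADS)
# Ten minutes later: second copy mapped, its main thread already exited.
SNAP_10 = (11, [EXPLORER, HEAP, R1, R2],
           {**FIRST_THREADS, 1476: 0x3BC2200, 8292: 0x3BC3400})

if __name__ == "__main__":
    for finding in leak_report([SNAP_0, SNAP_10]):
        print({k: (hex(v) if k == "size" else v) for k, v in finding.items()})
```

Both regions quoted in the article span 0x16000 bytes, which is why grouping by size works here; a collector that cannot supply thread start addresses would need a different join key.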

Conclusion

Operation Endgame was the first major international law enforcement disruption of SmokeLoader C2 infrastructure in over a decade. This had a short term impact on the overall threat ecosystem, but SmokeLoader continues to be a popular choice for threat groups to deploy their malware. Since SmokeLoader hasn’t been updated in over two years, tools such as SmokeBuster, which can detect and remediate infections, may hasten its demise. This is particularly evident given that SmokeLoader contains inherent bugs that significantly degrade an infected system’s performance.

Zscaler Coverage

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to SmokeLoader at various levels with the following threat names:

Win32.Downloader.Smokeloader

Figure 6: Zscaler Cloud Sandbox Report

","protected":false}}
com\/wp-json\/wp\/v2\/tags?post=94615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}