Skip to main content

Home SmokeLoader


Also known as: Trojan.SmokeLoader, Dofoil, Sharik, Smoke, Smoke Loader

Category: Malware

Type: Trojan

Platform: Windows

Damage potential: Installing additional malware on the device, data theft, identity theft, file deletion, hardware damage


SmokeLoader is a trojan that primarily targets Windows devices. After infecting a computer, SmokeLoader attempts to install additional malware (e.g., cryptominers, ransomware, or password stealers) on the device. It may also steal sensitive data, damage files, and cause other issues. This trojan may spread in many ways — from phishing emails to bundled software.

Possible symptoms

Detecting SmokeLoader is difficult because it does its best to stay hidden. The most common symptom of a SmokeLoader infection is sudden sluggish performance. That’s because SmokeLoader often injects itself into a legitimate Windows process (like explorer.exe), consuming a lot of memory and CPU and leading to system slowdowns.

Other symptoms of SmokeLoader include:

  • Unusual network activity (e.g., slower internet).
  • Abnormally high CPU or memory usage.
  • Unauthorized access (e.g., changed settings or files).
  • Unfamiliar software on your system.
  • Unexpected pop-ups, ads, or browser redirects.
  • Frequent error messages or crashes.
  • Changed browser settings (e.g., homepage).

Sources of infection

SmokeLoader can infect devices in many ways, often involving some form of social engineering. Cybercriminals may send victims seemingly legitimate emails with the trojan hidden in a malicious attachment (typically a Microsoft Office document with macroses). The email may sound urgent to trick the user into opening the attachment or clicking the link, eventually leading to a SmokeLoader infection.

Other ways SmokeLoader may infect your device include:

  • Drive-by downloads. Some compromised or malicious websites may automatically download and install SmokeLoader when users visit them.
  • File sharing and download sites. Users may download malicious files containing SmokeLoader from file-sharing or download sites. These files often appear legitimate, but executing them leads to a SmokeLoader infection.
  • Exploit kits. SmokeLoader may use exploit kits — toolkits that target known vulnerabilities in software, such as web browsers or plugins. When a user visits a compromised website, the exploit kit exploits these vulnerabilities to install the malware.
  • Infected USB drives. SmokeLoader may also spread through infected USB devices, e.g., when transferring files between computers or installing software.


You can protect yourself from SmokeLoader and similar infections by becoming more aware of these cyber threats and being cautious online. Here’s how to protect yourself from SmokeLoader infections:

  • Regularly update software. Keeping your operating system and browsers up to date makes them less vulnerable to malware infections.
  • Only use reputable security software. Choose reliable antivirus and anti-malware software with real-time scanning to detect and prevent SmokeLoader.
  • Be cautious when opening emails. Don’t click on links or open attachments from unknown sources (particularly Microsoft Office files). If an Excel file asks for permission to activate macroses, double-check the source to ensure it’s trustworthy.
  • Turn off the AutoRun and AutoPlay features. Malware may exploit these features to automatically execute when a USB drive is connected.
  • Use NordVPN’s Threat Protection. This advanced feature blocks malicious sites and may help prevent drive-by downloads. Additionally, it scans your downloads for malware.


You’ll need specialized anti-malware software to remove SmokeLoader. Before you proceed, disconnect your device from the internet to prevent further communication with the malware’s command and control servers. Boot your device into safe mode and use your antivirus software to quarantine and remove any detected threats.