SmokeLoader Malware: A Deep Dive into UAC-0006’s Polyglot Attack

In the ever-evolving landscape of cyber threats, the UAC-0006 threat actor group has recently resurfaced with a new wave of attacks. This time, they’re deploying the SmokeLoader malware through a sophisticated phishing campaign, leveraging polyglot files to evade detection and increase their success rate. This article aims to provide an in-depth analysis of this threat, its implications, and the associated Indicators of Compromise (IOCs).

UAC-0006: A Threat Actor Profile

UAC-0006 is a financially motivated threat actor group known for its phishing campaigns. Their recent activities, as reported by CERT-UA and SOC Prime, have shown an increased use of financial subject lures in their phishing emails. The group uses ZIP or RAR archives containing malicious HTML or VHDX files to deliver SmokeLoader to targeted systems. Once extracted, the archive triggers JavaScript code, which downloads and launches an executable file, further spreading the infection.

The group’s tactics, techniques, and procedures (TTPs) have evolved over time, with recent attacks showing the use of multiple infection chains and an expanded toolset, including a malicious Cobalt Strike Beacon. This evolution in TTPs indicates a potential increase in the severity of risks posed by UAC-0006.

SmokeLoader Malware and Polyglot Files

SmokeLoader is a notorious bot application that can load other malware onto compromised systems. It has been active since at least 2011 and is known for its use of deception and self-protection. The malware is typically delivered via a polyglot file, a file that is valid in multiple formats. This allows the malware to disguise itself, appearing as a harmless file in one format while executing malicious code when interpreted in another format.

In the case of UAC-0006’s recent campaign, the group used ZIP or RAR archives containing malicious HTML or VHDX files as polyglot files. These files, when extracted, trigger JavaScript code that downloads and launches an executable file, spreading the SmokeLoader infection.

You can read our profle on SmokeLoader here.


The TTPs associated with UAC-0006’s SmokeLoader campaign map to several entries in the MITRE ATT&CK framework:

Indicators of Compromise (IOCs)

The IOCs associated with UAC-0006’s SmokeLoader campaign include phishing emails with financial subject lures, ZIP or RAR archives containing malicious HTML or VHDX files, and the SmokeLoader malware itself. Additionally, the use of a malicious Cobalt Strike Beacon during the intrusions is a significant IOC.


The UAC-0006 group’s recent activities underscore the evolving nature of cyber threats. Their use of polyglot files to deliver SmokeLoader malware demonstrates a sophisticated approach to evading detection and underscores the need for robust, multi-layered cyber defence strategies.

Further Reading