Fortinet’s FortiGuard Labs released research detailing an observed attack deploying the SmokeLoader malware to target organizations in Tawian, particularly in sectors like manufacturing, healthcare and information technology. Casey Ellis, Founder and Advisor at Bugcrowd, remarks, “Given the geo-political environment, Taiwan is no stranger to thinking about Advanced Persistent Threats (APTs). The use of SmokeLoader does seem to follow suit with the general trend of pre-positioning that we have seen in other parts of the world.”

SmokeLoader is an adaptable, modular malware that can be utilized for a variety of needs. While SmokeLoader is typically used as a downloader to deliver malware, the research shows that in this case, it is used to download plugins from its C2 server to carry out the attack itself. Microsoft Windows platforms are primarily affected by this attack campaign, in which information can be stolen and leveraged in a later attack. 

John Bambenek, President at Bambenek Consulting, comments, “This particular campaign uses exploits in native Office from 2017 (as opposed to Office 365) and is a reminder that even though tools may be end-or-life’d by the software manufacturer, they may still remain in use and be exploited by attackers. Not everywhere in the world is it possible to have a three year technology refresh cycle. For organizations that have to use dated software, it becomes more important to have strong endpoint detection tools that can detect malware like SmokeLoader, or detects the exploitation behavior that leads the malware to be delivered in the first place.”

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, adds, “The SmokeLoader campaign targeting Taiwanese industries reflects a strategic focus on sectors critical to national infrastructure and economic stability. The use of modular malware like SmokeLoader, coupled with phishing vectors and exploitation of legacy Office vulnerabilities, highlights a calculated attempt to infiltrate supply chains and exfiltrate sensitive data for long-term strategic gains, potentially enabling follow-on attacks. This campaign underscores a trend of leveraging versatile malware for reconnaissance and persistence in high-value environments.”

Guenther offers the following recommendations for security teams: 

1. “Threat hunting: Actively search for IOCs related to SmokeLoader in network logs and endpoints, focusing on unusual C2 communications and known hash values.
2. “Supply chain risk assessment: Ensure supply chain partners and vendors are adhering to robust cybersecurity practices to mitigate risks of lateral compromise.
3. “Incident readiness: Enhance response playbooks for modular malware incidents, including containment, forensic analysis, and communication protocols with impacted stakeholders.”