GOLD ANDREW
SUMMARY
GOLD ANDREW is a financially motivated cybercriminal threat group that operates the Smoke Loader malware distribution network. Smoke Loader (also known as Dofoil) emerged in 2011 and has operated continuously since then as a pay-per-install "loads" service, delivering malware on behalf of GOLD ANDREW's customers. Smoke Loader is primarily designed to retrieve and execute malware payloads, either from the C2 servers in its configuration or from additional URLs it receives from a C2 server. The malware is modular: plugins pushed from a C2 server extend it to exfiltrate stored credentials and other data, log keystrokes, launch DDoS attacks, and profile infected systems, so the capabilities present on any given host depend on which plugins the operators chose to deploy. Smoke Loader is frequently distributed through spam emails, drive-by downloads, and bundles with pirated software. Malware families distributed by Smoke Loader in the first half of 2024 have included LummaC2, STOP/Djvu ransomware, Vidar, RedLine, AsyncRAT, Pushdo, and TALESHOT.