GOLD ANDREW
SUMMARY
GOLD ANDREW is a financially motivated cybercriminal threat group that operates the Smoke Loader malware distribution network. Smoke Loader (also known as Dofoil) emerged in 2011 and has since operated continuously as a pay-per-install "loads" service, distributing malware on behalf of GOLD ANDREW's customers. Smoke Loader is primarily designed to retrieve and execute malware payloads, either from its configured C2 servers or from additional URLs supplied by a C2 server. The malware is modular: additional plugins distributed from a C2 server enable it to exfiltrate stored credentials and other data, log keystrokes, launch DDoS attacks, and profile infected systems. Smoke Loader is frequently distributed through spam emails and drive-by downloads, and is also bundled with pirated software. Malware families distributed by Smoke Loader have included LummaC2, STOP/Djvu ransomware, Vidar, RedLine, AsyncRAT, Pushdo, and TALESHOT.
Smoke Loader was one of the loaders targeted by the international law enforcement action Operation Endgame in mid-2024. CTU researchers observed disruption to Smoke Loader operations at the time, but the operation was able to continue some activity because not all of the infrastructure associated with the malware was taken down.