Smoke Loader Botnet Infects Systems With Custom Wi-Fi Scanning Malware

On August 8, 2023, Secureworks® Counter Threat Unit™ (CTU) researchers discovered the Smoke Loader botnet deploying a custom Wi-Fi scanning tool called Whiffy Recon. The malware triangulates the positions of infected systems using nearby Wi-Fi access points and Google's geolocation API. Whiffy Recon starts by checking for the WLANSVC service on the compromised Windows system, which indicates wireless capability. It checks only that the service name is present, not that the service is functional. If the service name is absent, the scanner exits. The malware achieves persistence by creating a wlan.lnk shortcut in the user's Startup folder that points to the original location of the Whiffy Recon malware.
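
A triage check for the persistence step described above, as an added example that is not Secureworks code: it looks for wlan.lnk in every local profile's Startup folder, resolves the shortcut target and hashes it for follow-up. It assumes profiles live under the default Users directory on the system drive; a shortcut with this name is a lead to investigate, not proof of infection.

```powershell
# Added hunting example (not from the original article).
# Assumption: user profiles are under <SystemDrive>\Users (default layout).
$startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$shell      = New-Object -ComObject WScript.Shell

# Whiffy Recon only checks that the WLANSVC service name exists, so record
# the same fact as context for each finding.
$wlanSvc = Get-Service -Name 'WlanSvc' -ErrorAction SilentlyContinue

$usersRoot = Join-Path $env:SystemDrive 'Users'
$findings = Get-ChildItem -Path $usersRoot -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = Join-Path $_.FullName (Join-Path $startupRel 'wlan.lnk')
        if (Test-Path -LiteralPath $lnk) {
            $item   = Get-Item -LiteralPath $lnk -Force
            # Opening an existing .lnk with CreateShortcut reads its properties.
            $target = $shell.CreateShortcut($lnk).TargetPath
            $hash   = $null
            if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
                $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Profile       = $_.Name
                Shortcut      = $lnk
                CreatedUtc    = $item.CreationTimeUtc
                Target        = $target
                TargetExists  = [bool]$hash
                TargetSha256  = $hash
                WlanSvcExists = [bool]$wlanSvc
            }
        }
    }

if ($findings) {
    $findings | Format-List
} else {
    'No wlan.lnk found in any user Startup folder.'
}
```

Run it from an elevated prompt so other users' profile folders are readable; without elevation those profiles are silently skipped.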
