Skip to main content
Microsoft Security Intelligence
Published Mar 06, 2018 | Updated Mar 08, 2018


Detected by Microsoft Defender Antivirus

Aliases: No associated aliases


Microsoft Defender Antivirus  detects and removes this threat.

This sophisticated downloader has been observed to download Trojan:Win32/Dofoil.AB and Trojan:Win32/CoinMiner.D in the wild. It injects its code and runs hidden in system programs to avoid detection. 

On March 6, 2018, behavior monitoring and machine learning technologies in Microsoft Defender Antivirus stopped a Dofoil variant (also known as Smoke Loader) that tried to infect more than 400,000 computers. The massive campaign aimed to install a cryptocurrency miner that uses victim computers' resources for coin mining purposes. Learn how artificial intelligence stopped the attack within minutes:

Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign


Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

Secure configuration

To ensure you have the best protection, enable the following:

  • Cloud-delivered protection
  • Automatic sample submission

To access these settings on the Windows Defender Security Center app, use the Windows search box to find and open the Windows Defender Security Center. Navigate to Virus & threat protection settings.

Prevent malware infection

To prevent future infection, follow our guide on preventing malware infection.

Follow us