Photo Closeup of Person's Finger on WiFi Button on Smartphone
© ymgerman/

Researchers have discovered a new malware strain that uses WiFi access points to determine the location of infected devices, scanning for WiFi data every 60 seconds.

The new malware strain, “Whiffy Recon,” is raising alarm bells in the cybersecurity community. In a report on Wednesday, the Secureworks’ Counter Threat Unit research team said the malware is being spread using the SmokeLoader botnet.

It is unclear why the threat actors behind Whiffy Recon are tracking user data. However, threat actors are usually motivated by financial gain.

“Because SmokeLoader is commonly used by financially motivated cyber criminals, we can speculate that the data could be used as a scare tactic in order to apply pressure to victims if they wanted to extort money from them,” Secureworks told VPNOverview in an email on Friday.

How Whiffy Recon Determines a Target’s Location

Whiffy Recon collects data about a target’s WiFi access points and queries Google Geolocation API to determine their exact location, Securework’s report explained. The malware even checks the encryption method used on the WiFi access point. All this data is relayed to the threat actor.

Whiffy Recon places a shortcut in the Windows Startup folder, ensuring it runs every time a compromised system is restarted.

Interestingly, the malware checks for the wireless AutoConfig service (WLAN) on Windows systems yet does not verify if the service works, potentially limiting its spread.

Whiffy Recon is uncommon, as most malware strains are designed to steal data or lock down the system in ransomware attacks.

“It is plausible that the threat actors have access to other data on the device via the SmokeLoader infection. It is not unusual for a single compromised machine with SmokeLoader to have multiple malware strains dropped to it,” Secureworks said.

“Whiffy Recon may be used in conjunction with this data to create a complete picture of the compromised machine. It is possible that the threat actors are looking to locate higher value targets traveling to businesses of interest.”

Security Recommendations

Secureworks’ report leaves several unanswered questions about the unsettling malware’s origin and true intent, given its uncommon focus on real-time location tracking.

“Unfortunately, the underlying technology that uses Wi-fi access points and cell tower data to generate co-ordinates, limits mitigation strategies. Taking steps to avoid infection of SmokeLoader is key to preventing Whiffy Recon from entering the system in the first place,” the researchers said.

Secureworks recommends checking your Startup folder for a wlan.lnk for Whiffy Recon and, if it exists, removing it.

“Whilst we have only observed Whiffy Recon being dropped by SmokeLoader to date, it is possible that it may be distributed via other vectors in the future,” Secureworks said.

We recommend you use an antivirus solution with real-time protection to protect your system from potentially malicious files and apps. We’ve tested numerous antivirus solutions and detailed our experience with them. You’ll find our top picks in our article about the best antivirus software.

For more macOS security alerts, follow us on X (Twitter), Threads, and Mastodon!

Leave a comment