
Mar 28, 2025 | Ravie Lakshmanan | Endpoint Security / Threat Intelligence

Cybersecurity experts are highlighting the emergence of a new sophisticated malware known as CoffeeLoader, designed to download and execute secondary payloads while evading detection by endpoint-based security solutions.

According to research by Zscaler ThreatLabz, CoffeeLoader exhibits behavioral similarities with another known malware loader, SmokeLoader.

Brett Stone-Gross, senior director of threat intelligence at Zscaler, notes that “the purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products.”

CoffeeLoader utilizes a range of techniques to bypass security solutions, including a specialized packer that leverages the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.

CoffeeLoader, which first emerged around September 2024, employs a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels are disrupted.

At the core of the malware is a packer called Armoury, which executes code on a system’s GPU to complicate analysis in virtual environments. The name “Armoury” is derived from its resemblance to the legitimate Armoury Crate utility developed by ASUS.

The infection sequence begins with a dropper that attempts to execute a DLL payload packed by Armoury, either “ArmouryAIOSDK.dll” or “ArmouryA.dll”, with elevated privileges. If the dropper lacks the necessary permissions, it attempts to bypass User Account Control (UAC).

The dropper also establishes persistence on the host by creating a scheduled task that runs either upon user logon with the highest run level or every 10 minutes. This is followed by the execution of a stager component that loads the main module.
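The persistence pattern described above (a scheduled task that runs at user logon with the highest run level, or repeats every 10 minutes) is something a defender can hunt for directly. The PowerShell below is an added example written for this page, not code from Zscaler or from the malware; it assumes a Windows host where the `ScheduledTasks` module (`Get-ScheduledTask`) is available, and the function name and the `$Interval` parameter are this example's own.

```powershell
# Added example (not the article's or Zscaler's code): enumerate scheduled tasks and
# flag those matching the persistence pattern described for the CoffeeLoader dropper:
# a logon trigger running with RunLevel=Highest, or a repetition interval of 10 minutes.
# Assumes the ScheduledTasks module is available (Windows 8 / Server 2012 and later).

function Find-SuspiciousPersistenceTasks {
    [CmdletBinding()]
    param(
        # Repetition interval to flag, in the ISO 8601 duration form Task Scheduler uses.
        [string]$Interval = 'PT10M'
    )

    Get-ScheduledTask | ForEach-Object {
        $task    = $_
        $reasons = @()

        foreach ($trigger in $task.Triggers) {
            # Logon trigger combined with the highest available run level
            if ($trigger.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' -and
                $task.Principal.RunLevel -eq 'Highest') {
                $reasons += 'logon trigger with RunLevel=Highest'
            }
            # Trigger that repeats on the flagged interval (default: every 10 minutes)
            if ($trigger.Repetition -and $trigger.Repetition.Interval -eq $Interval) {
                $reasons += "repeats every $Interval"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Author   = $task.Author
                # Executable and arguments of every action, so the analyst can see what runs
                Action   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                Reasons  = ($reasons -join ', ')
            }
        }
    }
}

# Usage: list flagged tasks and review the Action column for unexpected binaries or DLL loads
Find-SuspiciousPersistenceTasks | Format-Table -AutoSize
```

Legitimate software also registers logon and short-interval tasks, so treat the output as a triage list rather than a verdict: the interesting hits are tasks whose action launches a binary or DLL from a user-writable directory, or whose author and task path do not match any known installer.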

According to Stone-Gross, “the main module implements numerous techniques to evade detection by antivirus (AV) and Endpoint Detection and Response (EDRs), including call stack spoofing, sleep obfuscation, and leveraging Windows Fibers.”

Call stack spoofing fakes the call stack to obscure the true origin of a function call, and sleep obfuscation hides the payload in memory while the malware is in a sleep state; together they allow it to sidestep detection by security software.

The ultimate objective of CoffeeLoader is to contact a C2 server via HTTPS to obtain the next-stage malware, including commands to inject and execute Rhadamanthys shellcode.

Zscaler notes that CoffeeLoader shares commonalities with SmokeLoader at the source code level, suggesting it may be the next major iteration of the latter, particularly following a law enforcement effort that took down its infrastructure last year.

“There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear,” the company states.

This development comes as Seqrite Labs details a phishing email campaign that initiates a multi-stage infection chain, dropping an information-stealing malware known as Snake Keylogger.

Additionally, there has been another cluster of activity targeting users engaging in cryptocurrency trading via Reddit posts, tricking them into installing stealers like Lumma and Atomic on Windows and macOS systems.
