CoffeeLoader Uses GPU-Based Armoury Packer to Evade EDR and Antivirus Detection

By The Hacker News
March 28, 2025
Mar 28, 2025Ravie LakshmananEndpoint Security / Threat Intelligence

Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that’s designed to download and execute secondary payloads.

The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader, SmokeLoader.

“The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products,” Brett Stone-Gross, senior director of threat intelligence at Zscaler, said in a technical write-up published this week.

“The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.”

CoffeeLoader, which originated around September 2024, leverages a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable.

Central to the malware is a packer dubbed Armoury that executes code on a system’s GPU to complicate analysis in virtual environments. It is so named because it impersonates the legitimate Armoury Crate utility developed by ASUS.

The infection sequence starts with a dropper that, among other things, attempts to execute a DLL payload packed by Armoury (“ArmouryAIOSDK.dll” or “ArmouryA.dll”) with elevated privileges, but not before attempting to bypass User Account Control (UAC) if the dropper does not have the necessary permissions.

The dropper is also designed to establish persistence on the host by means of a scheduled task that’s configured to run either upon user logon with the highest run level or every 10 minutes. This step is followed by the execution of a stager component that, in turn, loads the main module.
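
A triage sketch for the persistence described above, added here as an example and not taken from Zscaler's or The Hacker News' material: it scans exported Task Scheduler XML for the two trigger shapes named in the article and for the reported DLL names. That the task action references those DLLs, the `rundll32.exe` invocation, and all sample paths are assumptions made for the constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# DLL names reported in the article; expecting them in the task action is an assumption.
DLL_NAMES = ("armouryaiosdk.dll", "armourya.dll")

def findings(task_xml):
    """Return the persistence traits from the article found in one task definition."""
    root = ET.fromstring(task_xml)
    found = []
    levels = {e.text.strip() for e in root.findall(".//t:Principal/t:RunLevel", NS) if e.text}
    if "HighestAvailable" in levels and root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        found.append("logon+highest")
    intervals = {e.text.strip() for e in root.findall(".//t:Repetition/t:Interval", NS) if e.text}
    if "PT10M" in intervals:  # ISO 8601 duration: repeat every 10 minutes
        found.append("every-10-min")
    for ex in root.findall("t:Actions/t:Exec", NS):
        line = (ex.findtext("t:Command", "", NS) + " " + ex.findtext("t:Arguments", "", NS)).lower()
        if any(name in line for name in DLL_NAMES):
            found.append("armoury-dll")
            break
    return found

def verdict(task_xml):
    """Trigger shape alone is common in legitimate tasks, so it only rates 'review'."""
    f = findings(task_xml)
    if "armoury-dll" in f and len(f) > 1:
        return "alert"
    return "review" if f else "ignore"

def _task(triggers, run_level, command, arguments):
    # Builds a constructed Task Scheduler XML document for the samples below.
    return (f'<Task xmlns="{NS["t"]}"><Triggers>{triggers}</Triggers>'
            f'<Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>'
            f'<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>')

# Constructed samples (not taken from the article or from a real host).
SAMPLES = {
    "suspect": _task("<LogonTrigger><Enabled>true</Enabled></LogonTrigger>", "HighestAvailable",
                     "rundll32.exe", r"C:\Users\Public\ArmouryAIOSDK.dll,Run"),
    "poller": _task("<TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition>"
                    "<StartBoundary>2025-01-01T00:00:00</StartBoundary></TimeTrigger>",
                    "LeastPrivilege", r"C:\Program Files\Example\sync.exe", "--quiet"),
    "benign": _task("<CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>"
                    "</CalendarTrigger>", "LeastPrivilege", r"C:\Program Files\Example\update.exe", ""),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, findings(xml_text), verdict(xml_text))
```

Task definitions in this format can be exported with `schtasks /query /xml`; the export is typically UTF-16, so decode it before passing the text to `findings`.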

“The main module implements numerous techniques to evade detection by antivirus (AV) and Endpoint Detection and Response (EDRs) including call stack spoofing, sleep obfuscation, and leveraging Windows Fibers,” Stone-Gross said.

These methods are capable of faking a call stack to obscure the origin of a function call and obfuscating the payload while it is in a sleep state, thereby allowing it to sidestep detection by security software.

The ultimate objective of CoffeeLoader is to contact a C2 server via HTTPS in order to obtain the next-stage malware. This includes commands to inject and execute Rhadamanthys shellcode.

Zscaler said it identified a number of commonalities between CoffeeLoader and SmokeLoader at the source code level, raising the possibility that CoffeeLoader may be the next major iteration of SmokeLoader, particularly in the aftermath of a law enforcement effort last year that took down SmokeLoader's infrastructure.

“There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear,” the company said.

The development comes as Seqrite Labs detailed a phishing email campaign that kickstarts a multi-stage infection chain dropping an information-stealing malware called Snake Keylogger.

It also follows another cluster of activity that has targeted users engaging in cryptocurrency trading via Reddit posts advertising cracked versions of TradingView to trick users into installing stealers like Lumma and Atomic on Windows and macOS systems.
