A newly identified malware loader known as CoffeeLoader has been observed deploying second-stage payloads while bypassing endpoint security measures.
Researchers at Zscaler ThreatLabz have been tracking the malware since it first appeared in September 2024 and have observed it being used alongside SmokeLoader.
Unlike traditional malware loaders, CoffeeLoader incorporates several techniques to avoid detection. It uses Armoury, a GPU-based packer that impersonates ASUS' Armoury Crate utility, making analysis in virtual environments harder.
The loader's call stack spoofing mechanism hides the origin of function calls, a technique reminiscent of BokuLoader. It also uses sleep obfuscation, encrypting its memory state while idle to evade security scans.
Once installed, CoffeeLoader's dropper copies its payload to specific directories depending on user privileges. Where administrative rights are available, the malware establishes persistence using the Windows Task Scheduler.
Recent versions create scheduled tasks that run every 10 minutes, an evolution from older iterations that executed every 30 minutes or at logon.
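A defender can hunt for the persistence pattern described above by reviewing exported Task Scheduler XML for tasks that repeat at a short interval (or at logon) and launch a binary outside the usual system directories. The following is an added example, not code from the Zscaler report or from the malware: the trusted-directory list, the 10-minute threshold and the two sample task definitions are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Where legitimate scheduled-task binaries normally live (assumption for this example).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def interval_minutes(iso: str):
    """Convert a Task Scheduler ISO 8601 duration (PT10M, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def assess_task(name: str, xml_text: str, max_interval_min: int = 10):
    """Return a finding when the task fires frequently (or at logon) AND runs an untrusted binary."""
    root = ET.fromstring(xml_text)
    reasons = []
    for iv in root.iterfind(f".//{NS}Repetition/{NS}Interval"):
        mins = interval_minutes(iv.text or "")
        if mins is not None and mins <= max_interval_min:
            reasons.append(f"repeats every {iv.text}")
    if root.find(f".//{NS}LogonTrigger") is not None:
        reasons.append("runs at logon")
    cmds = [(c.text or "").strip().strip('"') for c in root.iterfind(f".//{NS}Exec/{NS}Command")]
    untrusted = [c for c in cmds if not c.lower().startswith(TRUSTED_PREFIXES)]
    if reasons and untrusted:
        return {"task": name, "commands": untrusted, "reasons": reasons}
    return None


def scan_tasks(tasks: dict) -> list:
    """Assess a {task_name: task_xml} mapping, e.g. files exported from C:\\Windows\\System32\\Tasks."""
    return [f for f in (assess_task(n, x) for n, x in tasks.items()) if f]


# Constructed sample task definitions; the paths are not real CoffeeLoader indicators.
SAMPLE_TASKS = {
    "Updater": f"""<Task xmlns="{NS[1:-1]}"><Triggers><TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
      <Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\svc\\host.exe</Command></Exec></Actions></Task>""",
    "Defrag": f"""<Task xmlns="{NS[1:-1]}"><Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval>
      </Repetition></CalendarTrigger></Triggers>
      <Actions><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command></Exec></Actions></Task>""",
}

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(finding)
```

A short repetition interval alone is common for legitimate tasks, which is why the check only fires when the command also points outside the trusted directories.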
The stager component injects the main module into a suspended system process, modifying thread execution to ensure the malware runs undetected. The main module further reinforces obfuscation by using Windows fibers, a rarely monitored multitasking mechanism.
CoffeeLoader communicates with command-and-control (C2) servers over HTTPS using a hardcoded user agent that mimics an iPhone.
To prevent interception, it implements certificate pinning. It supports two primary request message types: registration and task retrieval.
On registration, the malware receives a bot ID before requesting tasks, which may include shellcode injection, executable deployment or modifying sleep obfuscation settings.
CoffeeLoader represents a significant evolution in malware design, combining traditional evasion tactics with GPU-based encryption and sophisticated persistence mechanisms.
“The loader offers advanced features that are useful to threat groups that attempt to evade detection from AVs, EDRs, and malware sandboxes,” Zscaler explained.
“There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear.”
Threat analysts continue to monitor the development and use of this malware tool in cybercriminal operations.