CoffeeLoader Malware Loader Linked to SmokeLoader Operations


A newly identified malware loader known as CoffeeLoader has been observed deploying second-stage payloads while bypassing endpoint security measures.

Researchers at Zscaler ThreatLabz have been tracking the malware since its inception in September 2024 and have observed its use in conjunction with SmokeLoader.

Unlike traditional malware loaders, CoffeeLoader incorporates multiple techniques to avoid detection. It employs Armoury, a GPU-based packer that impersonates ASUS’ Armoury Crate utility, making analysis in virtual environments more challenging.

The loader’s call stack spoofing mechanism masks the origin of function calls, a strategy reminiscent of BokuLoader. Additionally, it utilizes sleep obfuscation, encrypting its memory state when idle to evade security scans.

Once installed, CoffeeLoader’s dropper copies its payload to specific directories depending on user privileges. In cases where administrative rights are available, the malware establishes persistence using the Windows Task Scheduler.

Recent versions create scheduled tasks to run every 10 minutes, an evolution from older iterations that executed every 30 minutes or at logon.
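The persistence described above (a scheduled task repeating every 10 minutes that launches a payload from a user-writable directory) can be hunted for in exported task definitions. The following is an added example, not code from Zscaler or the report: it parses Windows Task Scheduler XML (the standard schema namespace shown), converts the ISO 8601 repetition interval to minutes, and flags tight intervals and Exec commands outside trusted system directories. The sample task XML and its path are constructed for illustration, not indicators from the report, and the 15-minute threshold and trusted-directory list are assumptions to tune per environment.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace used by Windows Task Scheduler task definitions (schtasks /xml, Export-ScheduledTask).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed trusted launch locations; anything else is worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# ISO 8601 duration as used in <Interval>, e.g. PT10M, PT1H30M, P1D.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample task: repeats every 10 minutes and runs from a user-writable path.
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\updater.exe</Command></Exec>
  </Actions>
</Task>"""


def interval_minutes(duration: str) -> Optional[float]:
    """Convert an ISO 8601 duration such as PT10M to minutes; None if unparseable."""
    m = DURATION_RE.match(duration.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def review_task(xml_text: str, max_minutes: float = 15) -> list:
    """Return reasons a task resembles loader persistence: a repetition interval
    at or below max_minutes, or an Exec command launched from an untrusted directory."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        minutes = interval_minutes(interval.text or "")
        if minutes is not None and minutes <= max_minutes:
            findings.append(f"repeats every {minutes:g} min")
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip()
        if raw and not raw.strip('"').lower().startswith(TRUSTED_DIRS):
            findings.append(f"runs from untrusted path {raw}")
    return findings
```

A task that fires every hour from under C:\Windows yields no findings; the sample above yields both.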

The stager component injects the main module into a suspended system process, modifying thread execution to ensure the malware runs undetected. The main module further reinforces obfuscation by leveraging Windows fibers – a rarely monitored multitasking mechanism.

CoffeeLoader communicates with command-and-control (C2) servers via HTTPS using a hardcoded user agent mimicking an iPhone.

To prevent interception, it implements certificate pinning. It supports two primary request message types: registration and task retrieval.

Upon registration, the malware receives a bot ID before requesting tasks, which may include shellcode injection, executable deployment or modifying sleep obfuscation settings.

CoffeeLoader represents a significant evolution in malware design, combining traditional evasion tactics with GPU-based encryption and sophisticated persistence mechanisms.

“The loader provides advanced features that are beneficial to threat groups that strive to evade detection from AVs, EDRs, and malware sandboxes,” Zscaler explained.

“There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear.”

Threat analysts continue to monitor the development and usage of this malware tool in cybercriminal operations.