Mar 28, 2025
Endpoint Security / Threat Intelligence
Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader.
"The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products," Brett Stone-Gross, senior director of threat intelligence at Zscaler, said in a technical write-up published this week.
"The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers."
CoffeeLoader, which originated around September 2024, leverages a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable.
Central to the malware is a packer dubbed Armoury that executes code on a system's GPU to complicate analysis in virtual environments. It has been so named due to the fact that it impersonates the legitimate Armoury Crate utility developed by ASUS.
The infection sequence starts with a dropper that, among other things, attempts to execute a DLL payload packed by Armoury ("ArmouryAIOSDK.dll" or "ArmouryA.dll") with elevated privileges, but not before attempting to bypass User Account Control (UAC) if the dropper does not have the necessary permissions.
The dropper is also designed to establish persistence on the host by means of a scheduled task that's configured to run either upon user logon with the highest run level or every 10 minutes. This step is succeeded by the execution of a stager component that, in turn, loads the main module.