CoffeeLoader pretends to be ASUS software to steal your data


No time to sleep – a new malware family named CoffeeLoader threatens Windows users while remaining invisible to antivirus software.

A new malware loader has been seen in the wild. Despite its harmless-sounding name, CoffeeLoader doesn’t serve your morning espresso – it delivers malicious code straight to your device.

Researchers from cybersecurity firm Zscaler were the first to identify the malware family. According to them, CoffeeLoader originated around September 2024. Windows users are among those most affected by the new threat.


The malware impersonates the Armoury Crate utility created by ASUS to get into a system. After infecting a device, the loader delivers an infostealer. A well-known cyber threat, Rhadamanthys infostealer, is among the malicious payloads that the malware delivers.

CoffeeLoader is barely detectable to antivirus software

The new malware uses numerous techniques to stay invisible to antivirus programs, security tools, and malware detectors while doing its dirty business. This is possible because the CoffeeLoader developer has integrated innovative offensive red team proof-of-concept ideas.

For example, the malware uses a packer, named Armoury, to trick devices. Instead of running entirely on the computer’s main processor (CPU), like most programs, CoffeeLoader runs parts of its code on the graphics card (GPU). Security software isn’t usually designed to inspect code executing on the GPU, so the malware stays hidden.

Another innovative technique to cover its tracks is call stack spoofing. Normally, when programs run, they leave behind a trail of function calls (the call stack). CoffeeLoader forges that trail, making it look like it belongs to something harmless so security tools don’t flag it as suspicious.

When needed, the malware plays dead using sleep obfuscation. When not active, CoffeeLoader "locks" itself up in an encrypted form in the computer’s memory. This way, if an antivirus tool scans memory, it won’t find anything readable.

Also, the malware uses unusual pathways to stay unnoticed, such as Windows Fibers. Windows fibers are a simple way to handle multitasking in programs. They let one thread have multiple tasks, called fibers, which the program can switch between on its own instead of relying on Windows.

CoffeeLoader has the option to use Windows fibers to implement sleep obfuscation as yet another way to evade, as security tools may not directly monitor or track them.


An awaited update to SmokeLoader?

CoffeeLoader has many technical similarities with the previously known SmokeLoader malware. In December 2024, the SmokeLoader operators allegedly announced a new version of the malware. According to Zscaler researchers, many of the features advertised in the SmokeLoader announcement can be found in CoffeeLoader.

“At the present time, it is too early to determine whether CoffeeLoader is the next version of SmokeLoader or whether these overlaps are a coincidence,” said the research team.