Pierluigi Paganini
March 31, 2025
Zscaler ThreatLabz discovered CoffeeLoader, a malware family active since September 2024, that uses multiple techniques to evade endpoint security while downloading second-stage payloads. The advanced techniques used by the malware include GPU-based packing, call stack spoofing, sleep obfuscation, and Windows fibers. CoffeeLoader is distributed via SmokeLoader, with which it shares behavioral similarities.
“CoffeeLoader implements a number of features to defeat endpoint security software such as call stack spoofing, sleep obfuscation, and the use of Windows fibers.” reads the report published by Zscaler. “The loader leverages a packer, which we named Armoury, that executes code on a system’s GPU to hinder analysis in virtual environments.”
CoffeeLoader uses a domain generation algorithm (DGA) if the primary command and control servers are unavailable.
ThreatLabz researchers reported that the malware is being used to deploy Rhadamanthys info-stealer.
The samples are protected by a unique malware packer that utilizes a system’s GPU to execute code, making analysis in virtual environments more difficult. Experts have been tracking this packer as Armoury because it impersonates the legitimate Armoury Crate utility developed by ASUS.
The CoffeeLoader dropper executes an installation routine, with multiple variants implementing different functionalities. One version copies the packed DLL (ArmouryAIOSDK.dll) to the user’s temp directory and executes it via rundll32.exe, using either direct execution (with elevated privileges) or a UAC bypass (if not elevated). The researchers noted that this variant does not maintain persistence.
Other versions achieve persistence by copying the DLL to %PROGRAMDATA% (with elevated privileges) or %LOCALAPPDATA% (without), setting restrictive file permissions, and scheduling a task (AsusUpdateServiceUA) via schtasks.exe or the Windows ITaskScheduler COM interface. Older versions schedule execution on user logon, while recent ones set it to run every 10 minutes.
Once installation is complete, the dropper executes CoffeeLoader’s stager component and exits.
The malware stager creates a suspended dllhost.exe process and injects the main CoffeeLoader module using NtAllocateVirtualMemory, NtProtectVirtualMemory, and NtWriteVirtualMemory. It modifies the thread context to execute the injected code before terminating.
The main module resolves API functions using the DJB2 algorithm and employs advanced evasion techniques, including call stack spoofing, sleep obfuscation, and Windows fibers.
“The main CoffeeLoader module also resolves API function addresses by hash, but uses the DJB2 algorithm.” continues the report. “The main module implements numerous techniques to evade detection by antivirus (AV) and Endpoint Detection and Response (EDRs) including call stack spoofing, sleep obfuscation, and leveraging Windows fibers.”
CoffeeLoader supports several commands that enable it to inject and execute shellcode, executables, and DLLs. These commands include sleeping (0x58), injecting and running shellcode in a specified process (0x87), updating the sleep obfuscation method and timeout (0x89), writing an executable payload to the user’s temporary directory and running it (0x91), and writing a DLL payload to the temporary directory and executing it using rundll32.exe (0x93).
The malware supports call stack spoofing to mask its function call origins, evading security tools that analyze stack traces. It sets up synthetic stack frames and maps system calls dynamically, avoiding user-mode hooks.
For sleep obfuscation, CoffeeLoader encrypts its memory while inactive, decrypting only during execution. It also bypasses Windows Control Flow Guard (CFG) by modifying memory permissions and adding exceptions for key system functions.
ThreatLabz identified several similarities between CoffeeLoader and SmokeLoader, suggesting a possible connection between the two malware. Both malware families use a stager to inject a main module into another process, generate a bot ID based on system details, and create a mutex name linked to the bot ID. They resolve imports using hashing, store internal variables in a global structure, and encrypt network traffic with hardcoded RC4 keys. The two malware also rely heavily on low-level Windows APIs and modify file attributes to remain hidden. They use scheduled tasks for persistence, with CoffeeLoader’s latest version running tasks every 10 minutes without elevated privileges. In December 2024, a new SmokeLoader version was allegedly announced, sharing many evasion techniques with CoffeeLoader. However, it remains unclear whether CoffeeLoader is an evolution of SmokeLoader or if the similarities are coincidental.
“CoffeeLoader joins a crowded market of malware loaders. However, many of the features implemented by the author enable CoffeeLoader to contend with the competition. The loader provides advanced features that are beneficial to threat groups that strive to evade detection from AVs, EDRs, and malware sandboxes.” concludes the report that includes Indicators Of Compromise (IOCs). “The CoffeeLoader developer has integrated innovative offensive red team proof-of-concept ideas such as call stack spoofing, sleep obfuscation, and Windows fibers into the loader. There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ,malware)
