Cybersecurity researchers are raising red flags over a powerful new threat: CoffeeLoader, a stealthy malware loader designed to deliver second-stage payloads while skillfully evading modern security solutions. Discovered by Zscaler’s ThreatLabz, CoffeeLoader is making waves for its complex evasion tactics, its GPU-based execution model, and its similarities to the long-standing SmokeLoader malware.
First spotted in the wild around September 2024, CoffeeLoader stands out for its highly evasive techniques and modular structure. Unlike basic droppers, its main goal is to quietly infiltrate systems and retrieve additional payloads from a remote command-and-control (C2) server without triggering antivirus or endpoint detection tools.
Zscaler’s senior threat analyst Brett Stone-Gross said in a technical report, “The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products.”
To achieve this, CoffeeLoader deploys an advanced packer known as Armoury. What makes this packer unique is that it leverages the system’s GPU, a technique rarely seen in the wild, to complicate detection and analysis in virtualized or sandbox environments. The packer's name derives from its impersonation of ASUS’ legitimate Armoury Crate utility, adding an extra layer of disguise.
The infection process begins with a dropper that attempts to deploy a DLL payload (often named ArmouryAIOSDK.dll or ArmouryA.dll) with administrative privileges. If elevated permissions aren’t available, the malware attempts to bypass User Account Control (UAC) to proceed with execution.
To maintain long-term access, the dropper configures a persistent scheduled task, triggered either upon user logon or every 10 minutes. This leads to the execution of a stager component, which then loads the main CoffeeLoader module.
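The persistence traits described above (a scheduled task fired at logon or on a 10-minute repetition, launching one of the reported DLL names) are the kind of thing a defender can check for in scheduled-task creation events. The following is an added detection example, not code from the article or from Zscaler; it assumes task definitions arrive in the Task Scheduler XML schema (as carried in the TaskContent field of Windows Security Event 4698), and both sample task definitions are constructed.

```python
import re
import xml.etree.ElementTree as ET

# DLL names reported for the CoffeeLoader dropper (from the article); matched case-insensitively
SUSPECT_DLLS = ("armouryaiosdk.dll", "armourya.dll")
# Task Scheduler XML default namespace; "PT10M" is the schema's ISO 8601 form of "every 10 minutes"
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def assess_task(task_xml: str) -> dict:
    """Parse a Task Scheduler XML definition and report the persistence traits
    described for CoffeeLoader: logon trigger, 10-minute repetition, suspect DLL."""
    # Real 4698 TaskContent carries a UTF-16 declaration that ElementTree rejects on str input
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    logon = root.find(".//t:Triggers/t:LogonTrigger", NS) is not None
    interval = root.findtext(".//t:Triggers/t:TimeTrigger/t:Repetition/t:Interval", namespaces=NS)
    # Command line = Command plus Arguments (e.g. rundll32.exe <dll>,<export>)
    parts = (root.findtext(".//t:Actions/t:Exec/t:Command", namespaces=NS),
             root.findtext(".//t:Actions/t:Exec/t:Arguments", namespaces=NS))
    cmd = " ".join(p for p in parts if p).lower()
    suspect_dll = any(name in cmd for name in SUSPECT_DLLS)
    return {
        "logon_trigger": logon,
        "interval": interval,
        "suspect_dll": suspect_dll,
        # Flag only when the reported DLL name meets one of the reported trigger patterns
        "suspicious": suspect_dll and (logon or interval == "PT10M"),
    }

# Constructed sample: 10-minute repetition loading the reported DLL via rundll32
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT10M</Interval></Repetition>
    <StartBoundary>2024-09-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\Users\Public\ArmouryAIOSDK.dll,#1</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: a logon trigger alone is common and must not fire the rule
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(xml))
```

In practice the DLL-name check should be one signal among several, since the names can be changed trivially; the trigger pattern plus an unusual DLL path is the more durable combination.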
Once operational, the main module deploys multiple evasion techniques:
- Call stack spoofing: disguises the function call origin, confusing security tools.
- Sleep obfuscation: allows the malware to pause its activity and avoid behavior-based detection during inactive periods.
- Windows Fibers: enables lightweight thread management, further masking malicious execution from monitoring tools.
These capabilities make CoffeeLoader one of the most advanced malware loaders seen in recent years.
Its primary objective is to establish communication with a C2 server over HTTPS, from which it retrieves next-stage malware payloads such as Rhadamanthys shellcode, a known stealer often used in financially motivated attacks.
Interestingly, researchers found multiple overlaps between CoffeeLoader and the older SmokeLoader malware. Source code similarities, behavioral patterns, and shared infrastructure suggest CoffeeLoader could be the spiritual or technical successor to SmokeLoader, especially after law enforcement operations disrupted SmokeLoader’s network last year.
“There are also notable similarities between SmokeLoader and CoffeeLoader,” Zscaler noted, “with the former distributing the latter, but the exact relationship between the two malware families is not yet clear.”
CoffeeLoader also employs a Domain Generation Algorithm (DGA), which acts as a backup channel for reaching its command server when primary communication paths are blocked. This redundancy makes it harder for defenders to cut off access.
The rise of CoffeeLoader comes amid a broader spike in multi-stage malware campaigns. Just recently, Seqrite Labs flagged a phishing campaign delivering the Snake Keylogger stealer. Meanwhile, other malicious actors have been targeting cryptocurrency traders through fake Reddit posts offering cracked versions of TradingView, leading to the deployment of info-stealers like Lumma and Atomic on both Windows and macOS systems.
As CoffeeLoader continues to evolve, researchers warn that its increasing sophistication makes it a likely candidate to fill the void left by SmokeLoader. With its stealthy loader techniques, GPU-assisted execution, and advanced evasion, it could become a cornerstone in future cybercrime toolkits.