
March 28, 2025 | Endpoint Security / Threat Intelligence
A new malware loader known as CoffeeLoader has emerged that uses GPU-based unpacking, alongside several other evasion techniques, to slip past Endpoint Detection and Response (EDR) and antivirus products. Researchers at Zscaler ThreatLabz, who analyzed the threat, note its resemblance to SmokeLoader, another well-known malware loader.
The Purpose and Evasion Techniques of CoffeeLoader
CoffeeLoader is designed to download and execute secondary payloads while remaining undetected by endpoint security measures. It employs a range of obfuscation and anti-analysis techniques, including:
- GPU-based packer (Armoury) – A packer that runs part of its code on the system's graphics processing unit (GPU) rather than the CPU. Analysis sandboxes and virtual machines commonly lack a usable GPU, so the unpacking step fails there and the decrypted payload is never exposed to the analyst or the sandbox's detections.
- Call stack spoofing – Forging the call stack so that a security product walking the stack at the time of a sensitive API call sees a plausible chain of legitimate callers instead of the loader's own code.
- Sleep obfuscation – Encrypting the loader's own code and data in memory while it sleeps, so memory scanners that run between bursts of activity find only ciphertext.
- Windows Fibers – Running code on Windows fibers, which are scheduled in user mode inside an existing thread, instead of creating new threads, so the activity is less visible to tools that key on thread creation.
According to Brett Stone-Gross, senior director of threat intelligence at Zscaler, these methods collectively enable CoffeeLoader to operate under the radar of security products.
How CoffeeLoader Infects Systems
First observed in September 2024, CoffeeLoader employs a domain generation algorithm (DGA) as a fallback mechanism when its primary command-and-control (C2) servers are unreachable. The infection chain proceeds in stages:
- Initial Dropper – The attack begins with a dropper that executes a malicious DLL payload (ArmouryAIOSDK.dll or ArmouryA.dll), running with elevated privileges where it already has them.
- User Account Control (UAC) Bypass – If the dropper lacks sufficient permissions, it attempts to bypass UAC to escalate its privileges.
- Persistence Mechanism – To ensure long-term access, the dropper creates a scheduled task that runs at user logon or every 10 minutes.
- Stager Execution – A secondary stager component loads the main malware module, activating CoffeeLoader's evasion capabilities.
- Command-and-Control (C2) Contact – The malware reaches out to a remote C2 server over HTTPS, retrieving and executing additional malicious payloads such as Rhadamanthys shellcode.
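The persistence step above (a scheduled task firing at logon or every 10 minutes and launching a DLL dropped into a user profile) is the most cheaply huntable part of this chain. The following is an added example, not code from the original article or from Zscaler: it parses Task Scheduler XML exports (the format produced by `schtasks /query /xml` or `Export-ScheduledTask`) and flags tasks that combine a CoffeeLoader-style trigger with an action that runs from a user-writable directory or references one of the DLL names the article reports. The two task definitions are constructed samples; the use of rundll32.exe, the AppData path and the benign updater are assumptions made for illustration, and the user-writable directory list is a generic heuristic, not something taken from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# DLL file names the article reports for CoffeeLoader's dropped payload.
KNOWN_DLLS = ("armouryaiosdk.dll", "armourya.dll")

# Generic heuristic (assumption, not from the report): directories an unprivileged
# user can write to. Legitimate scheduled tasks rarely launch binaries from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def iso_duration_seconds(value):
    """Convert an ISO 8601 duration such as PT10M or P1DT2H to seconds; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(xml_text, max_interval_seconds=600):
    """Return trigger- and action-side findings for one task definition."""
    root = ET.fromstring(xml_text)
    findings = {"trigger": [], "action": []}

    # Trigger side: logon triggers, or any repetition at or below the 10-minute mark.
    if root.find(".//t:LogonTrigger", NS) is not None:
        findings["trigger"].append("runs at user logon")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs is not None and secs <= max_interval_seconds:
            findings["trigger"].append(f"repeats every {secs // 60} min")

    # Action side: what gets executed, and from where.
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_.findtext("t:Command", default="", namespaces=NS) + " "
               + exec_.findtext("t:Arguments", default="", namespaces=NS)).lower()
        if any(name in cmd for name in KNOWN_DLLS):
            findings["action"].append("references a reported CoffeeLoader DLL name")
        if any(p in cmd for p in USER_WRITABLE):
            findings["action"].append("launches from a user-writable directory")
    return findings


def is_suspicious(findings):
    """Require both a matching trigger and a matching action to keep false positives down."""
    return bool(findings["trigger"]) and bool(findings["action"])


# Constructed sample tasks (not real captures). Raw strings keep the Windows backslashes intact.
SAMPLE_TASKS = {
    "constructed_coffeeloader_like": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\ArmouryAIOSDK.dll,#1</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "constructed_benign_updater": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-09-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def scan_samples():
    """Map each sample task name to whether it is flagged."""
    return {name: is_suspicious(analyze_task(xml)) for name, xml in SAMPLE_TASKS.items()}


if __name__ == "__main__":
    for name, xml in SAMPLE_TASKS.items():
        f = analyze_task(xml)
        print(f"{name}: suspicious={is_suspicious(f)} {f}")
```

On a live host, feed the function the output of `schtasks /query /xml /tn <name>` for every task rather than the constructed samples. Requiring both a trigger match and an action match is deliberate: logon triggers and short repetition intervals are common on their own, and it is the combination with a DLL launched from a profile directory that matches the behaviour described above.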
Connections to SmokeLoader and Other Threats
Zscaler’s analysis revealed notable code similarities between CoffeeLoader and SmokeLoader, suggesting that CoffeeLoader may be an evolved iteration of its predecessor. The link between the two malware families is reinforced by reports of SmokeLoader distributing CoffeeLoader, though the exact relationship remains unclear.
Additionally, the emergence of CoffeeLoader coincides with other cybercriminal activities, such as:
- A phishing campaign uncovered by Seqrite Labs, delivering Snake Keylogger via multi-stage infection chains.
- A cryptocurrency scam on Reddit, where cracked versions of TradingView were used to lure victims into downloading stealers like Lumma and Atomic, targeting both Windows and macOS users.
The Growing Threat of GPU-Powered Malware
The use of GPU-based techniques in malware is a concerning trend, because most endpoint security tooling is built to monitor CPU execution. By moving its unpacking onto the GPU, CoffeeLoader keeps the decrypted payload away from sandboxes that have no GPU to run it on and from scanners that only watch the CPU, which makes the loader far harder to analyze and detect on infected systems.
As cybercriminals continue to innovate, organizations must adapt their security strategies. Against a loader like CoffeeLoader that means relying less on static signatures and more on behavioral and heuristic detection, on memory inspection that accounts for encrypted sleep states, and on hunting for the persistence and C2 artifacts described above.
With its layered evasion methods and unusual packing technique, CoffeeLoader is a stealthy loader that cybersecurity teams should address promptly before it spreads further.