
At first glance, the seemingly innocuous name CoffeeLoader might lull one into a false sense of security. Beneath the guise of a “coffee-themed” assistant lies a sophisticated infection mechanism targeting Windows systems—capable of evading antivirus defenses and deploying potent spyware.
Researchers at Zscaler were the first to document the emergence of this new malicious loader, estimating its debut around September 2024. Its primary target: Windows users, whose machines may be compromised under the pretense of installing the official Armoury Crate utility from ASUS. Once embedded, CoffeeLoader proceeds to fetch and deploy malware such as the notorious infostealer Rhadamanthys.
The developers behind CoffeeLoader have employed cutting-edge techniques that render it virtually invisible to conventional security tools. Borrowing tactics from red team operations—typically used for simulating advanced attacks—the malware introduces a suite of stealth mechanisms rarely seen in the wild.
One such method involves the use of a custom packer dubbed Armoury Packer. Rather than executing via the standard CPU, the malicious code leverages the GPU, sidestepping traditional antivirus logic, which seldom monitors graphics processors for threats.
Another obfuscation technique lies in the manipulation of the call stack. Normally, programs leave behind a breadcrumb trail of function calls, allowing analysts to trace their behavior. CoffeeLoader disguises this sequence, masquerading as a legitimate application and slipping past detection.
Also in its arsenal is the use of sleep obfuscation. When dormant, CoffeeLoader encrypts its payload and keeps it in system memory in a form that memory scanners cannot recognize. This ensures that even deep forensic scans fail to detect its presence.
To further cloak its activity, CoffeeLoader exploits Windows Fibers—a feature that allows a single thread to manage multiple tasks without kernel-level intervention. By utilizing fibers, the malware can remain in a sleep-like state, seamlessly shifting between tasks without triggering defensive alarms.
Some analysts have drawn parallels between CoffeeLoader and the previously known SmokeLoader. In December 2024, the creators of SmokeLoader reportedly teased a revamped version, and Zscaler researchers note that CoffeeLoader exhibits features aligning with that announcement. However, conclusive attribution remains premature.
The emergence of CoffeeLoader underscores a growing trend toward increasingly sophisticated evasion techniques. Users are urged to exercise caution even with ostensibly legitimate software and to keep antivirus definitions up to date, which improves the chances of detecting such threats.