CoffeeLoader Uses GPU-Based Armoury Packer to Evade EDR and Antivirus Detection

Summary: Cybersecurity researchers have identified a new malware family named CoffeeLoader, a loader designed to download and execute second-stage malware payloads while evading detection. The loader shows behavioral similarities to the previously documented SmokeLoader and employs several techniques to bypass security controls. CoffeeLoader reaches victims primarily through phishing campaigns and abuses system features to establish persistence and execute its payloads.

Affected: Organizations and users whose security products (EDR and antivirus) are susceptible to evasion by sophisticated malware

Key points:

  • CoffeeLoader uses advanced evasion techniques, including executing code on the GPU and spoofing the call stack.
  • It first appeared around September 2024 and employs a domain generation algorithm (DGA) as a fallback command-and-control channel.
  • The malware shares code with SmokeLoader, suggesting it may be a major new iteration of that family.
  • CoffeeLoader begins its infection chain with a dropper that executes a DLL payload and establishes persistence via scheduled tasks.
  • It ultimately contacts a command-and-control server to retrieve secondary payloads, such as Rhadamanthys shellcode.

Source: https://thehackernews.com/2025/03/coffeeloader-uses-gpu-based-armoury.html