Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
Date:
Thu, 27 Mar 2025 17:08:00 +0000
Description:
A new loader was spotted sporting some creative solutions to remain hidden.
FULL STORY ======================================================================
Security researchers at Zscaler found a new loader used in different infostealing campaigns
CoffeeLoader uses multiple tricks to bypass security and drop additional payloads
Interestingly enough, it executes code on the system's GPU
Security researchers have found a dangerous new malware loader that can evade traditional endpoint detection and response (EDR) solutions in a clever and concerning way.
Researchers from Zscaler ThreatLabz said they recently observed CoffeeLoader in the wild, describing it as a sophisticated malware loader.
For detection evasion, CoffeeLoader uses a number of features, including call stack spoofing, sleep obfuscation, and the use of Windows fibers, the researchers said. Call stacks can be described as a digital breadcrumb trail that records which functions a program has called. Security tools can use call stacks to track program behavior and detect suspicious activity. CoffeeLoader, however, hides its tracks by forging a fake breadcrumb trail.
Armoury
A malware loader's task is usually to infiltrate a system and execute or download additional malware, such as ransomware or spyware. It acts as the initial infection stage, often evading detection by security tools before deploying the main payload.
Sleep obfuscation keeps the malware's code and data encrypted while the tool is in a sleep state - therefore, the malware's unencrypted artifacts are present in memory only while the code is actually executing.
Zscaler describes Windows fibers as an obscure and lightweight mechanism for implementing user-mode multitasking.
Fibers allow a single thread to have multiple execution contexts (fibers), which the application can switch between manually. CoffeeLoader uses Windows fibers to implement sleep obfuscation.
But perhaps the most concerning aspect of the loader is Armoury, a packer that executes code on the system's GPU, hindering analysis in virtual environments.
After the GPU executes the function, the decoded output buffer contains self-modifying shellcode, which is then passed back to the CPU to decrypt and execute the underlying malware, the researchers explained.
ThreatLabz has observed this packer used to protect both SmokeLoader and CoffeeLoader payloads.
The researchers said they saw CoffeeLoader being used to deploy Rhadamanthys shellcode, meaning it is deployed in infostealing campaigns.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/dangerous-new-coffeeloader-malware-executes-on-your-gpu-to-get-past-security-tools
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)