CoffeeLoader: A Brew of Stealthy Techniques

March 27, 2025, 2:22 p.m.

Description

CoffeeLoader is a sophisticated malware family discovered in September 2024. Its purpose is to download and execute second-stage payloads while evading detection, and it combines several techniques to that end: a packer that executes on the GPU, call stack spoofing, sleep obfuscation, and Windows fibers. Command-and-control traffic travels over HTTPS with certificate pinning, which blocks man-in-the-middle interception of the channel. The loader supports commands for injecting and running shellcode, executables, and DLLs. CoffeeLoader shares similarities with SmokeLoader, which has been observed distributing it. Together, these evasion features help the loader slip past antivirus products, EDRs, and malware sandboxes, making it a formidable entry in the crowded market of malware loaders.

Date

  • Created: March 27, 2025, 11:03 a.m.
  • Published: March 27, 2025, 11:03 a.m.
  • Modified: March 27, 2025, 2:22 p.m.

Indicators


Attack Patterns

  • CoffeeLoader (malware)
  • SmokeLoader (malware)
  • Rhadamanthys (malware)
  • T1102.002 (ATT&CK: Web Service: Bidirectional Communication)
  • T1048 (ATT&CK: Exfiltration Over Alternative Protocol)
  • T1132.001 (ATT&CK: Data Encoding: Standard Encoding)
  • T1078.003 (ATT&CK: Valid Accounts: Local Accounts)
  • T1573.001 (ATT&CK: Encrypted Channel: Symmetric Cryptography)
  • T1547.001 (ATT&CK: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
  • T1497 (ATT&CK: Virtualization/Sandbox Evasion)
  • T1071.001 (ATT&CK: Application Layer Protocol: Web Protocols)
  • T1106 (ATT&CK: Native API)
  • T1055 (ATT&CK: Process Injection)
  • T1134 (ATT&CK: Access Token Manipulation)
  • T1140 (ATT&CK: Deobfuscate/Decode Files or Information)
  • T1027 (ATT&CK: Obfuscated Files or Information)
  • T1078 (ATT&CK: Valid Accounts)
  • T1059 (ATT&CK: Command and Scripting Interpreter)