CoffeeLoader Detection: A New Sophisticated Malware Family Spread via SmokeLoader

Defenders have observed CoffeeLoader, a new stealthy malware that evades security protection using advanced evasion techniques and takes advantage of Red Team methods to boost its effectiveness. Distributed via SmokeLoader, CoffeeLoader implements secondary payloads while evading detection, making its stealthy attacks challenging to detect and defend against.

Detect CoffeeLoader

With more than 1 billion malware strains currently circulating the cyber threat arena and over 300 malware pieces created daily, staying on guard against emerging threats is more critical than ever. Yet, as attack surfaces expand and infiltration tactics evolve, early intrusion detection remains a complex challenge.

SOC Prime Platform curates the world’s largest repository of detection algorithms against emerging threats, enriched with real-time CTI and backed by advanced tools for threat detection and hunting. Stay on top of the latest CoffeeLoader attacks with a set of SIgma rules available by pressing the Explore Detections button.

Explore Detections

All the rules are compatible with multiple SIEM, EDR, and Data Lake solutions and are mapped to the MITRE ATT&CK framework to streamline threat investigation. Each rule is also enriched with extensive metadata, including CTI references, attack timelines, triage recommendations, and more.

Additionally, security professionals can hunt for IOCs from the latest Zscaler research on CoffeeLoader. With Uncoder AI, security experts can effortlessly parse these IOCs and transform them into custom queries tailored for the chosen SIEM or EDR platform. Uncoder AI also acts as a non-agentic private AI for threat-informed detection engineering equipping teams with advanced tools to research, code, validate, translate, and deploy detections on the fly. Read more about Uncoder AI capabilities here.

CoffeeLoader Analysis

Zscaler ThreatLabz researchers have uncovered a sophisticated new malicious strain named CoffeeLoader, first detected around September 2024. Designed to stealthily download and execute secondary payloads, CoffeeLoader uses advanced evasion techniques to bypass endpoint security measures. 

CoffeeLoader is an advanced malware loader designed to evade detection while deploying second-stage payloads. Like most crimeware, CoffeeLoader samples are packed. While ThreatLabz usually skips unpacking details, CoffeeLoader stands out by using a unique GPU-based packer that hinders analysis in virtual environments. Tracked as Armoury, this packer mimics ASUS’s legitimate Armoury Crate utility.

Once unpacked, CoffeeLoader executes a dropper that installs the malware. Researchers have identified multiple dropper variants with different functionalities. One version copies the packed CoffeeLoader DLL to the temp directory as ArmouryAIOSDK.dll. If running with admin rights, it executes the DLL via rundll32.exe. Without elevated privileges, it attempts to bypass UAC using the CMSTPLUA COM interface. This variant does not establish persistence and resolves API functions using a custom hashing algorithm.

Some CoffeeLoader samples establish persistence via the Windows Task Scheduler. Older versions use schtasks.exe, while newer ones leverage the ITaskScheduler COM interface. The dropper sets file attributes to read-only, hidden, and system, then uses SetEntriesInAclW to restrict user access to the packed CoffeeLoader DLL.

CoffeeLoader’s dropper maintains persistence via a scheduled task with a hardcoded name. If running with elevated privileges, it executes at user logon with the highest run level; otherwise, it runs every 30 minutes, or every 10 minutes in the latest version.

After installation, the dropper launches CoffeeLoader’s stager and exits. The major CoffeeLoader module resolves API addresses via the DJB2 hash algorithm and employs multiple evasion tactics, including call stack spoofing (inspired by BokuLoader), sleep obfuscation, and Windows fibers to bypass EDR monitoring.

For C2 communication, CoffeeLoader uses HTTPS with hardcoded servers. If primary C2 channels fail, it employs a domain generation algorithm and employs certificate pinning for security. 

The loader is being spread through SmokeLoader, with both malware families exhibiting similar behaviors. Researchers unveiled a set of distinctive similarities between CoffeeLoader and SmokeLoader, the latter frequently used in phishing campaigns against Ukraine linked to the UAC-0006 activity. These shared capabilities include using a stager to inject a main module into another process, bot ID generation based on system identifiers, and mutex creation tied to the bot ID. Both resolve imports by hash, rely on a global structure for internal variables and API function pointers and encrypt network traffic using hardcoded RC4 keys. Additionally, both malware families heavily utilize low-level Windows APIs, set file attributes to system and hidden, and maintain persistence via scheduled tasks. 

Notably, at the end of 2024, a new SmokeLoader version was reportedly announced, sharing many—but not all—advertised EDR and AV evasion features with CoffeeLoader. However, it remains unclear whether CoffeeLoader is its successor or if the similarities are coincidental.

As CoffeeLoader stans out in the cyber threat landscape with advanced features to bypass AVs, EDRs, and sandboxes, while utilizing innovative Red Team techniques to boost its offensive abilities, forward-looking organizations are looking for new ways to strengthen defenses against potential intrusions. SOC Prime Platform equips security teams with cutting-edge enterprise-ready solutions backed by AI, actionable threat intelligence, and collective industry expertise to help organizations reduce the attack surface and outscale evolving threats of any sophistication.