Coffeeloader: a brew of stealthy techniques

Intel Name: Coffeeloader: a brew of stealthy techniques

Date of Scan: March 27, 2025

Impact: Medium

Summary:
CoffeeLoader is a sophisticated malware loader built to deploy secondary payloads while evading endpoint security software. To frustrate analysis it uses call stack spoofing, sleep obfuscation, and Windows fibers. It is packed with a custom packer, Armoury, which executes code on the system’s GPU, making analysis in virtual environments (which often lack GPU support) more difficult. CoffeeLoader also includes a domain generation algorithm (DGA) as a fallback command-and-control channel if its primary channels are blocked, and pins its TLS certificate to prevent man-in-the-middle interception of C2 traffic. It has been observed deploying Rhadamanthys shellcode.
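The DGA fallback mentioned above works the same way in most loaders: a seed plus the current date deterministically yields a list of candidate domains, and the loader only walks that list once its hard-coded C2 hosts fail. The example below is added here for illustration and is not CoffeeLoader's algorithm or code; the seed, label lengths, TLD set, and hash construction are all assumptions. It also shows the defender's side of the same property: once the seed and algorithm are recovered from a sample, the candidate domains for coming days can be precomputed for sinkholing or blocklists.

```python
"""Hypothetical DGA fallback and defender watchlist (illustration only).

This is NOT CoffeeLoader's DGA; the seed, hash construction, label
lengths and TLDs below are assumptions chosen for the example.
"""
import hashlib
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Assumed TLD set; a real DGA may rotate TLDs differently.
TLDS = ("com", "net", "org")


def generate_domains(seed: bytes, day: date, count: int = 10) -> List[str]:
    """Derive `count` candidate domains for `day` from a static seed.

    Everything is a function of (seed, day, index), so every infected host
    computes the same list for the same day without any network contact.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        h = hashlib.sha256(material).digest()
        label_len = 10 + h[0] % 6                     # label of 10..15 chars
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + label_len])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def pick_c2(primary: List[str], fallback: List[str],
            reachable: Callable[[str], bool]) -> Optional[str]:
    """Loader-side selection: hard-coded C2 hosts first, DGA list only after
    all of them fail. `reachable` abstracts the connect/beacon attempt."""
    for host in primary:
        if reachable(host):
            return host
    for host in fallback:
        if reachable(host):
            return host
    return None


def precompute_watchlist(seed: bytes, start: date, days: int) -> Dict[date, List[str]]:
    """Defender-side use of a recovered seed: enumerate the domains the
    malware will try on each of the next `days` days."""
    return {start + timedelta(n): generate_domains(seed, start + timedelta(n))
            for n in range(days)}


if __name__ == "__main__":
    seed = b"example-seed"                              # constructed, not real
    today = date(2025, 3, 27)
    candidates = generate_domains(seed, today)
    # Constructed scenario: primary C2 is blocked, only the 4th DGA domain resolves.
    blocked_primary = ["c2.example.invalid"]
    live = candidates[3]
    print("selected C2:", pick_c2(blocked_primary, candidates, lambda h: h == live))
    for day, doms in precompute_watchlist(seed, today, 3).items():
        print(day, doms[:3], "...")
```

The point for detection is the last function: a DGA trades the attacker's need for resilient infrastructure against predictability, so a recovered seed and date scheme turns the same generator into a daily blocklist.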
