win.coffee_loader

CoffeeLoader

Zscaler ThreatLabz states that this sophisticated malware family likely originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer called Armoury that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers. It also contains a backup DGA and is capable of deploying Rhadamanthys shellcode. ThreatLabz has observed CoffeeLoader being distributed via SmokeLoader, and both malware families share some behavioral similarities.

References
2025-03-26 | Zscaler | Brett Stone-Gross | CoffeeLoader: A Brew of Stealthy Techniques | Tags: CoffeeLoader

There is no YARA signature yet.