Security researchers at Zscaler ThreatLabz have recently discovered a new sophisticated malware family known as CoffeeLoader. Emerging in September 2024, CoffeeLoader utilizes advanced techniques to evade security solutions and detection. The malware employs a specialized packer named Armoury, which leverages the GPU to execute code, complicating analysis in virtual environments. In addition, it utilizes call stack spoofing, sleep obfuscation, and Windows fibers to bypass endpoint security software.
The primary payload delivered by CoffeeLoader is the Rhadamanthys stealer, a potent C++ malware active since late 2022. Rhadamanthys targets a wide range of sensitive data, including credentials from web browsers, VPN clients, email clients, chat applications, and cryptocurrency wallets. Recent updates to Rhadamanthys have introduced AI-powered features like optical character recognition (OCR) to extract cryptocurrency wallet seed phrases from images. This new capability, known as “Seed Phrase Image Recognition,” significantly enhances the malware’s threat to cryptocurrency users.
CoffeeLoader is primarily distributed through SmokeLoader, and both malware families share similarities in their behavior. The infection chain involves three stages: the Dropper, the Rhadamanthys Loader (second-stage shellcode), and the Rhadamanthys Stealer (Nsis module). This layered approach helps maintain stealth while delivering the payload. Rhadamanthys is also spread through malicious Google ads that impersonate legitimate software platforms, such as AnyDesk, Zoom, Microsoft Teams, and Notepad++.
As cybercriminals evolve their tactics, the combination of CoffeeLoader’s evasion techniques and Rhadamanthys’ potent stealing capabilities poses significant threats. Organizations and individuals must be vigilant and implement strong defense mechanisms to protect against these advanced malware families. The increasing sophistication of malware underscores the need for continuous cybersecurity improvements to counter these emerging threats effectively.
