Security researchers at Zscaler ThreatLabz have recently discovered a new and highly sophisticated malware family known as CoffeeLoader. This advanced loader, which first emerged around September 2024, has been designed to bypass security solutions and avoid detection while delivering second-stage payloads, particularly the Rhadamanthys stealer.
CoffeeLoader uses a specialized packer called Armoury that executes code on the GPU, which makes the malware difficult to analyze in virtual environments. In addition, it employs call stack spoofing, sleep obfuscation, and Windows fibers to evade endpoint security software. To further strengthen its stealth, CoffeeLoader uses a domain generation algorithm (DGA) as a backup communication channel and implements certificate pinning to prevent TLS man-in-the-middle interception of its traffic.
The primary threat posed by CoffeeLoader is the delivery of the Rhadamanthys stealer, a powerful C++ information-stealing malware that has been active since late 2022. This malicious software targets a wide range of sensitive data, including credentials from web browsers, VPN clients, email clients, chat applications, and cryptocurrency wallets. Recent updates to Rhadamanthys have introduced AI-powered capabilities such as optical character recognition (OCR) for extracting cryptocurrency wallet seed phrases from images. This feature, known as “Seed Phrase Image Recognition,” significantly heightens the risk to cryptocurrency users.
CoffeeLoader has been observed being distributed via SmokeLoader, and the two malware families exhibit similar behaviors. Rhadamanthys, by contrast, is primarily spread through malicious Google advertisements that masquerade as legitimate software platforms such as AnyDesk, Zoom, Microsoft Teams, and Notepad++. The CoffeeLoader infection chain typically consists of three components: the Dropper, the Rhadamanthys Loader (second shellcode), and the Rhadamanthys Stealer (Nsis module). This multi-layered approach enables the malware to remain stealthy and effective throughout the infection process.
As cybercriminals continue to refine their tactics, the combination of CoffeeLoader’s advanced evasion techniques and Rhadamanthys’ potent information-stealing capabilities poses a significant threat to both organizations and individuals. It is imperative for security professionals to remain vigilant and implement robust defense mechanisms to safeguard against these sophisticated malware families.
In conclusion, the emergence of CoffeeLoader and its partnership with the Rhadamanthys stealer underscores the need for proactive cybersecurity measures. By staying informed about the latest threats and deploying effective security strategies, organizations can better protect themselves against malicious attacks in an ever-evolving digital landscape.