Technology

Dangerous new CoffeeLoader malware executes on your GPU to get past security tools

March 27, 2025

Security researchers Zscaler found a new loader used in different infostealing campaigns
CoffeeLoader uses multiple tricks to bypass security and drop additional payloads
Interestingly enough, it executes the code on the system’s GPU

Security researchers have found a dangerous new malware loader that can evade traditional endpoint detection and response (EDR) solutions in a clever and concerning way.

Researchers from Zscaler ThreatLabz said they recently observed CoffeeLoader in the wild, describing it as a “sophisticated” malware loader.

For detection evasion, CoffeeLoader uses a number of features, including call stack spoofing, sleep obfuscation, and the use of Windows fibers, the researchers said. Call stacks can be described as a digital breadcrumb trail that records which functions a program has called. Security tools can use call stacks to track program behavior, and detect suspicious activity. CoffeeLoader, however, hides its tracks by forging a fake breadcrumb trail.

Armoury

A malware loader’s task usually is to infiltrate a system and execute or download additional malware, such as ransomware or spyware. It acts as the initial infection stage, often evading detection by security tools before deploying the main payload.

Sleep obfuscation makes the malware’s code and data encrypted while the tool is in a sleep state – therefore, the malware’s unencrypted artifacts are present in memory only when the code is being executed.

Zscaler describes Windows fibers as an “obscure and lightweight mechanism for implementing user-mode multitasking.”

Fibers allow a single threat to have multiple execution contexts (fibers), which the application can switch between, manually. CoffeeLoader uses Windows fibers to implement sleep obfuscation.

But perhaps the most concerning aspect of the loader is Armoury, a packer that executes the code on the system’s GPU, hindering analysis in virtual environments.

“After the GPU executes the function, the decoded output buffer contains self-modifying shellcode, which is then passed back to the CPU to decrypt and execute the underlying malware,” the researchers explained.

“ThreatLabz has observed this packer used to protect both SmokeLoader and CoffeeLoader payloads.”

The researchers said they saw CoffeeLoader being used to deploy Rhadamanthys shellcode, meaning it is deployed in infostealing campaigns.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar