
CoffeeLoader: A Brew of Stealthy Techniques

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

CoffeeLoader is a sophisticated malware family discovered in September 2024, designed to download and execute second-stage payloads while evading detection. It employs numerous techniques to bypass security solutions, including a packer that makes use of the GPU, call stack spoofing, sleep obfuscation, and Windows fibers. The malware uses HTTPS for command-and-control communications, with certificate pinning to prevent man-in-the-middle attacks. It supports various commands for injecting and running shellcode, executables, and DLLs. CoffeeLoader shares similarities with SmokeLoader, which has been observed distributing it. The loader implements advanced features that help it evade antivirus products, EDRs, and malware sandboxes, making it a formidable threat in the crowded market of malware loaders.

OPENCTI LABELS:

rhadamanthys, smokeloader, gpu packer, coffeeloader
