Security researchers at Zscaler ThreatLabz have identified a new, sophisticated malware family called CoffeeLoader, which emerged around September 2024.
This loader employs numerous techniques to bypass security products and evade detection while delivering second-stage payloads, most notably the Rhadamanthys stealer.
CoffeeLoader uses a specialized packer named Armoury that executes code on the GPU, which hinders analysis in virtual environments, since sandboxes typically lack GPU access.
The malware implements call stack spoofing, sleep obfuscation, and Windows fibers to defeat endpoint security software.
Additionally, it uses a domain generation algorithm (DGA) as a fallback command-and-control channel and certificate pinning to prevent TLS man-in-the-middle interception of its traffic.
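The DGA fallback channel is the one evasion feature in this list that a defender can hunt for in DNS telemetry without endpoint visibility. The following is an added illustration, not CoffeeLoader's actual algorithm or Zscaler's code: it scores each queried name on lexical features that algorithmically generated domains tend to share (high character entropy, long consonant runs, digits interleaved with letters, few vowels) and flags outliers for analyst review. The log lines and domains are constructed samples, the log format is an assumption, and the short two-label suffix set stands in for a proper Public Suffix List lookup.

```python
"""Heuristic triage of DGA-like domains in DNS query logs.

Added example, not CoffeeLoader's DGA or Zscaler code. Scores the
registrable label of each queried name on lexical features typical of
algorithmically generated domains and returns the queries worth a look.
"""
import math
import re
from collections import Counter

# Constructed sample log: "<timestamp> <client> <qtype> <qname>" (format is an assumption).
SAMPLE_LOG = """\
2024-10-01T12:00:00Z 10.0.0.5 A www.example.com
2024-10-01T12:00:01Z 10.0.0.5 A login.microsoftonline.com
2024-10-01T12:00:02Z 10.0.0.5 A xk3qzv9pflwtr.com
2024-10-01T12:00:02Z 10.0.0.5 A qwtplmzvxrjkd.net
2024-10-01T12:00:03Z 10.0.0.7 A cdn.jsdelivr.net
2024-10-01T12:00:04Z 10.0.0.7 A a1b2c3d4e5f6g7.org
"""

# Illustrative two-label public suffixes; a real deployment should consult
# the Public Suffix List (assumption: this set suffices for the sample data).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "org.uk"}

VOWELS = set("aeiou")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def registrable_label(qname: str) -> str:
    """Return the label directly beneath the public suffix (the eTLD+1's name part)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return labels[-3]
    return labels[-2]


def shannon_entropy(s: str) -> float:
    """Bits per character; uniformly random a-z0-9 strings approach log2(36) ~ 5.2."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonants (y counted as a consonant)."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s)
    return max((len(r) for r in runs), default=0)


def dga_score(label: str) -> float:
    """Combine lexical features into a score; higher means more DGA-like."""
    if not label:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    score = 0.0
    # Short brand names sit well under 3 bits/char; random labels exceed it.
    score += max(0.0, shannon_entropy(label) - 3.0)
    # Pronounceable words rarely chain more than four consonants.
    score += max(0, longest_consonant_run(label) - 4) * 0.5
    # Digits mixed into letters are unusual in legitimate second-level labels.
    score += (digits / len(label)) * 2.0
    # Vowel-poor labels are hard to pronounce, another DGA tell.
    score += max(0.0, 0.25 - vowel_ratio) * 4.0
    return round(score, 3)


def triage(log_text: str, threshold: float = 1.0) -> list:
    """Parse log lines and return (client, qname, score) for queries at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole triage
        _ts, client, _qtype, qname = m.groups()
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            hits.append((client, qname, score))
    return hits


if __name__ == "__main__":
    for client, qname, score in triage(SAMPLE_LOG):
        print(f"{client} {qname} score={score}")
```

Two caveats apply to any lexical heuristic like this. First, it only catches DGAs that emit random-looking labels; wordlist-based generators produce pronounceable names that score like legitimate domains, so this should be paired with volume-based signals such as a single host resolving many never-before-seen domains with NXDOMAIN responses. Second, CDN and telemetry hostnames with hash-like labels will score high, so tune the threshold against your own baseline traffic before alerting on it.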
Rhadamanthys Stealer: A Potent Threat
The primary payload delivered by CoffeeLoader is the Rhadamanthys stealer, a C++ information-stealing malware that has been active since late 2022.


Rhadamanthys targets a wide range of sensitive data, including credentials from web browsers, VPN clients, email clients, chat applications, and cryptocurrency wallets.
Recent updates to Rhadamanthys have introduced AI-powered capabilities, such as optical character recognition (OCR) for extracting cryptocurrency wallet seed phrases from images.
According to the report, this feature, known as “Seed Phrase Image Recognition,” significantly increases the malware’s threat to cryptocurrency users, since a seed phrase photographed or screenshotted for backup grants full control of the wallet.
Infection Chain and Distribution
CoffeeLoader has been observed being distributed via SmokeLoader, and the two malware families share behavioral similarities.
Rhadamanthys, on the other hand, is primarily spread through malicious Google advertisements that impersonate legitimate software such as AnyDesk, Zoom, Microsoft Teams, and Notepad++.


The infection chain typically consists of three components: the dropper, the Rhadamanthys loader (second-stage shellcode), and the Rhadamanthys stealer (NSIS module).
This layered approach allows the malware to maintain stealth and effectiveness throughout the infection process.
As cybercriminals continue to evolve their tactics, the combination of CoffeeLoader’s advanced evasion techniques and Rhadamanthys’ extensive stealing capabilities presents a significant threat to organizations and individuals alike.
Security professionals must remain vigilant and implement robust defense mechanisms to protect against these sophisticated malware families.