
Advanced CoffeeLoader Malware Evades Security to Deliver Rhadamanthys Shellcode


Security researchers at Zscaler ThreatLabz have identified a new, sophisticated malware family called CoffeeLoader, which emerged around September 2024.

This advanced loader employs numerous techniques to bypass security solutions and evade detection while delivering second-stage payloads, particularly the Rhadamanthys stealer.

CoffeeLoader utilizes a specialized packer named Armoury that leverages the GPU to execute code, hindering analysis in virtual environments.

The malware implements call stack spoofing, sleep obfuscation, and Windows fibers to defeat endpoint security software.
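Call stack spoofing works by fabricating return addresses so that a sensitive API call appears to originate from legitimate module code. The following is an added example, not code from the Zscaler report or from CoffeeLoader, of two cheap sanity checks a memory scanner or EDR can apply to a captured thread stack: every return address should fall inside a loaded image, and the bytes immediately before it should decode as an x64 CALL. The module map, addresses and code bytes are constructed sample data, and the CALL check covers only the common encodings.

```python
"""Defender-side sanity check for a captured thread call stack (added example).

Checks each frame's return address against a (constructed) module map and
verifies that a CALL instruction ends exactly at that address. Frames that
fail either check are the kind of artifact a spoofed stack leaves behind.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

# Constructed module map; addresses are illustrative, not real layouts.
MODULES = [Module("ntdll.dll", 0x7FFA00000000, 0x1F0000),
           Module("app.exe", 0x7FF600000000, 0x40000)]

def module_for(addr):
    return next((m for m in MODULES if m.base <= addr < m.base + m.size), None)

def read(memory, addr, n):
    """Read n bytes from a dict of {region_start: bytes}; None if unmapped."""
    for start, blob in memory.items():
        if start <= addr and addr + n <= start + len(blob):
            return blob[addr - start: addr - start + n]
    return None

def preceded_by_call(memory, ret):
    """True if a common x64 CALL encoding (E8 rel32 or FF /2) ends at ret."""
    five = read(memory, ret - 5, 5)
    if five and five[0] == 0xE8:
        return True
    for length in (2, 3, 4, 6, 7):          # FF /2 forms of differing lengths
        chunk = read(memory, ret - length, 2)
        if chunk and chunk[0] == 0xFF and (chunk[1] >> 3) & 7 == 2:
            return True
    return False

def analyse_stack(frames, memory):
    """frames: return addresses, innermost first. Returns (verdict, findings)."""
    findings = []
    for i, ret in enumerate(frames):
        mod = module_for(ret)
        if mod is None:
            findings.append(f"frame {i}: {ret:#x} is outside every loaded image")
        elif not preceded_by_call(memory, ret):
            findings.append(f"frame {i}: {ret:#x} in {mod.name} is not preceded by a CALL")
    return ("suspicious" if findings else "clean", findings)
```

A REX-prefixed or unusual CALL encoding would be missed by this heuristic, so in practice it is one signal to combine with others (for example, checking that the walk terminates in a known thread start routine).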

Additionally, it uses a domain generation algorithm (DGA) as a backup communication channel and certificate pinning to prevent TLS man-in-the-middle attacks.

Rhadamanthys Stealer: A Potent Threat

The primary payload delivered by CoffeeLoader is the Rhadamanthys stealer, an information-stealing malware written in C++ that has been active since late 2022.

Figure: Example CoffeeLoader spoofed call stack trace for RtlRandomEx.

Rhadamanthys targets a wide range of sensitive data, including credentials from web browsers, VPN clients, email clients, chat applications, and ...


Copyright of this story solely belongs to gbhackers.