CoffeeLoader is the latest malware loader observed in the wild, noted for its stealth and complexity. Emerging around September 2024, it delivers second-stage payloads while evading endpoint detection. Built for resilience, CoffeeLoader employs GPU-powered encryption, sleep obfuscation, and Windows fiber techniques to avoid forensic tools. Related: Technical Analysis of Rhadamanthys Obfuscation Techniques Key Takeaways Technical Breakdown The “Armoury” Malware Packer This custom packer mimics ASUS’ Armoury Crate utilities. It hijacks DLL exports and executes shellcode that triggers GPU-based decryption using OpenCL: Using hardcoded XOR strings and OpenCL, payloads remain hidden in memory until needed. This technique complicates static analysis and...
Introduction First detected in December 2022, Rhadamanthys malware is a sophisticated C++ information stealer, primarily delivered via malicious Google Ads. This threat targets credentials stored in web browsers, VPNs, chat clients, and cryptocurrency wallets. While public awareness of Rhadamanthys grew in late 2022, its activity dates back to at least August that year. This deep dive dissects the Rhadamanthys loader and main module, including: If you’re interested in similar malware behavior, check out our coverage of CoffeeLoader malware or this guide on how to manually remove malware. Key Takeaways Technical Analysis Loader Breakdown The Rhadamanthys loader comprises three sequential stages:...
Introduction to SmokeLoader Malware SmokeLoader is a long-standing malware downloader that has remained active in the threat landscape since 2011. Known for its modular architecture and consistent evolution, SmokeLoader serves as a launchpad for delivering other malicious payloads. This in-depth timeline examines the malware’s development across its decade-long activity. In its early years, SmokeLoader employed basic functionality and straightforward distribution. Over time, however, it adopted more advanced features—including custom encryption, obfuscation, plugin support, and anti-analysis methods. These continuous changes allowed it to evade detection and maintain persistence in targeted systems. Throughout this article, we’ll explore the key innovations and functionality...