Known as CoffeeLoader, this malware family is built for multi-stage attacks, infecting systems and using GPU-assisted decryption to slip past traditional security tools.
For the less technically inclined: CoffeeLoader uses the GPU as a kind of co-processor — offloading parts of its decryption and unpacking routines to the graphics card. This makes it harder for antivirus software and sandbox environments to detect what it’s doing.
Simply put, CoffeeLoader sneaks in quietly, hides in plain sight, and pulls in more dangerous second-stage malware to finish the job.
CoffeeLoader appears to be the next evolution of the notorious SmokeLoader malware, which took down companies in Taiwan across multiple sectors in late 2024.
The pair share architectural similarities and both use self-modifying shellcode to protect their payloads, but CoffeeLoader goes further through its sophisticated use of GPU-based execution and stealth features designed to foil modern Endpoint Detection and Response (EDR) solutions.
Zscaler’s ThreatLabz analysts note that while the malware loader market is crowded, CoffeeLoader’s innovative offensive capabilities, such as using the Windows Task Scheduler for persistence to keep a system infected, make it a persistent threat.
The malware also uses a technique known as sleep obfuscation to hide from security tools that scan memory.
As the ThreatLabz team explains: “Using [sleep obfuscation], the malware’s code and data are encrypted while in a sleep state. Thus, the malware’s (unencrypted) artifacts are present in memory only when its code is being executed.”
As GPUs become increasingly critical to AI workloads in data centres, CoffeeLoader serves as a timely reminder that attackers are eyeing the same hardware for both stealth and speed.