Caution Gamers: New Malware Infiltrates Your GPU

A new family of malware has emerged that impersonates Asus's Armoury Crate software to infect PCs. Named CoffeeLoader, it may evoke thoughts of a futuristic kitchen appliance, but its purpose is far more sinister: once it infiltrates a system, CoffeeLoader contacts a remote server and downloads additional malware, specifically an infostealer, which then harvests sensitive information and credentials. Asus's Armoury Crate is a proprietary utility designed for the company's range of gaming PCs.

It lets users manage core parts of their gaming setup, including performance modes and fan speeds. Gamers using Asus desktops and laptops are particularly at risk, because they are the people most likely to go looking for this utility. What sets CoffeeLoader apart is a design tailored to gaming PCs. Not only does it mimic the look of Asus's software, it also uses a packer called "Armoury" (named after the utility it impersonates) that offloads part of its code to run on the victim's GPU (graphics processing unit).

Every Asus gaming PC has a GPU, so every one of them can be attacked this way. Running code on the GPU rather than the CPU helps the malware evade detection: antivirus scanners generally inspect what executes on the CPU and seldom monitor GPU workloads, and the technique also hampers analysis in virtual machines that have no GPU to hand the code to. CoffeeLoader uses further advanced techniques to evade antivirus software. One is sleep obfuscation: while the malware is idle, it encrypts its own code and data in memory, so a scanner that examines process memory during that period finds only unreadable ciphertext, and the code is decrypted again only when it needs to run.

Additionally, it makes use of Windows fibers, a lightweight user-mode alternative to threads that security tools rarely monitor, to schedule its own work, including that sleep-and-wake cycle, without the thread activity defenders usually watch for. The malware also performs call stack spoofing: it forges the chain of return addresses on the stack so that when it calls a system API, the call appears to originate from legitimate code rather than from the malware, fooling security products that inspect the call stack. CoffeeLoader was discovered by cybersecurity firm Zscaler, which traces it back to September 2024. Because of its technical parallels with another malware family, SmokeLoader, researchers speculate it may be a new variant of it, although no definitive conclusion has been reached.
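To make concrete what sleep obfuscation buys the malware, and what a memory scanner can still look for, here is an added, portable C illustration. It is not CoffeeLoader's code and not taken from Zscaler's report: a constructed heap buffer stands in for the unpacked loader, a throwaway XOR keystream stands in for the real encryption, and the "sleep" is simply the window between the two XOR calls (on Windows the real thing would be driven by fibers and timers, which this sketch does not use). The signature string, the key and the region size are all invented for the example.

```c
/*
 * Added illustration, not CoffeeLoader's code and not from Zscaler's report.
 * A portable sketch of what sleep obfuscation buys a loader and what a
 * memory scanner can still look for.  A constructed heap buffer stands in
 * for the unpacked loader; a throwaway keystream stands in for the real
 * encryption; "sleep" is just the window between the two XOR calls.
 * The signature string, key and region size are all invented here.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REGION_SIZE 4096
#define SLEEP_KEY   0xC0FFEE42u   /* invented; would be random per sleep */

/* Constructed byte pattern standing in for a signature an AV engine scans for. */
static const uint8_t SIGNATURE[] = "LOADER_STAGE2_PAYLOAD";
#define SIGNATURE_LEN (sizeof SIGNATURE - 1)

/* Lay out the region the way a decrypted loader would look in memory:
 * mostly repetitive filler bytes with the recognisable pattern inside. */
void populate_region(uint8_t *region, size_t len) {
    memset(region, 0x90, len);               /* NOP-like filler */
    memcpy(region + 100, SIGNATURE, SIGNATURE_LEN);
}

/* Encrypt or decrypt the region in place by XORing it with an xorshift32
 * keystream seeded from key.  The same call does both directions, so one
 * call puts the region "to sleep" and a second call "wakes" it.  This is
 * not a real cipher; it only needs to destroy byte-level signatures. */
void xor_region(uint8_t *region, size_t len, uint32_t key) {
    uint32_t state = key;                    /* must be non-zero */
    for (size_t i = 0; i < len; i++) {
        state ^= state << 13;
        state ^= state >> 17;
        state ^= state << 5;
        region[i] ^= (uint8_t)state;
    }
}

/* Detector side: the naive byte-signature scan that sleep obfuscation defeats. */
int region_contains_signature(const uint8_t *region, size_t len) {
    for (size_t i = 0; i + SIGNATURE_LEN <= len; i++)
        if (memcmp(region + i, SIGNATURE, SIGNATURE_LEN) == 0)
            return 1;
    return 0;
}

/* Detector side: number of distinct byte values in the region, a cheap
 * proxy for entropy.  Code and filler use a narrow set of values;
 * encrypted data spreads across nearly all 256, which is the signal a
 * memory scanner can still use once the signature is gone. */
int distinct_byte_values(const uint8_t *region, size_t len) {
    unsigned char seen[256] = {0};
    int count = 0;
    for (size_t i = 0; i < len; i++) {
        if (!seen[region[i]]) {
            seen[region[i]] = 1;
            count++;
        }
    }
    return count;
}

/* Walk the three phases (awake, asleep, awake again) and return how many
 * of them the signature scan catches; the asleep phase is the miss. */
int signature_hits_across_cycle(void) {
    uint8_t *region = malloc(REGION_SIZE);
    if (!region) return -1;
    int hits = 0;
    populate_region(region, REGION_SIZE);
    hits += region_contains_signature(region, REGION_SIZE);   /* awake */
    xor_region(region, REGION_SIZE, SLEEP_KEY);               /* sleep */
    hits += region_contains_signature(region, REGION_SIZE);   /* asleep */
    xor_region(region, REGION_SIZE, SLEEP_KEY);               /* wake */
    hits += region_contains_signature(region, REGION_SIZE);   /* awake */
    free(region);
    return hits;
}

int main(void) {
    uint8_t *region = malloc(REGION_SIZE);
    if (!region) return 1;
    populate_region(region, REGION_SIZE);
    printf("awake : signature=%d distinct=%d\n",
           region_contains_signature(region, REGION_SIZE),
           distinct_byte_values(region, REGION_SIZE));
    xor_region(region, REGION_SIZE, SLEEP_KEY);
    printf("asleep: signature=%d distinct=%d\n",
           region_contains_signature(region, REGION_SIZE),
           distinct_byte_values(region, REGION_SIZE));
    xor_region(region, REGION_SIZE, SLEEP_KEY);
    printf("awake : signature=%d distinct=%d\n",
           region_contains_signature(region, REGION_SIZE),
           distinct_byte_values(region, REGION_SIZE));
    free(region);
    return 0;
}
```

Build with `cc -std=c99 -o sleepobf sleepobf.c` (no extra libraries) and run it. The signature scan succeeds in the two awake phases and fails in the asleep one, while the distinct-byte count jumps from 14 to close to 256 during sleep. That is the practical lesson for detection: a region that is private, executable and high-entropy while a process claims to be idle is suspicious even when no signature matches, and the brief decrypt-and-run window is where hooks on the sleep and timer APIs catch the real implementations.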
