CoffeeLoader: A Stealthy New Malware Loader Using GPU-Based Evasion
CoffeeLoader is a newly identified malware loader that began circulating in late 2024. Its job is to download and execute second-stage payloads, and it has been engineered specifically to slip past antivirus and endpoint detection and response (EDR) tools. It is wrapped in a custom packer, dubbed Armoury, which executes part of its code on the system's GPU, hindering analysis in sandboxes and virtual machines that lack a real GPU. The packer impersonates ASUS's legitimate Armoury Crate utility, which helps it blend in on infected systems.

Infection starts with a dropper that tries to obtain elevated privileges, using a UAC bypass if it is not already running with them. Once installed, the loader creates a scheduled task that fires at user logon or every 10 minutes; the task runs a stager that in turn loads the main component.

What makes CoffeeLoader unusually evasive is its combination of call stack spoofing, sleep obfuscation, and Windows fibers. Call stack spoofing forges the return addresses on the stack so that hooks watching sensitive API calls see a chain that appears to originate from legitimate modules; sleep obfuscation encrypts the payload in memory whenever the loader is idle, leaving memory scanners nothing recognisable to match; and fibers switch execution contexts within a single thread, a mechanism that many EDR hooks and thread-based telemetry do not instrument.

The loader talks to its command-and-control (C2) server over HTTPS to fetch additional payloads, including Rhadamanthys shellcode, and falls back to a domain generation algorithm (DGA) to regain C2 connectivity if its primary channels are blocked. Analysts have noted several code-level overlaps with SmokeLoader, a well-known loader whose infrastructure was taken down by law enforcement in 2024. Whether CoffeeLoader is a direct evolution of SmokeLoader or simply built by the same operators is still unclear, but its deployment patterns and internal structure point to a close connection.
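The scheduled task that fires at logon or every 10 minutes is the most visible footprint described above, and it is a good place to hunt. The following Python script is an added example, not code from the CoffeeLoader report or from any vendor tool: it parses an exported Task Scheduler XML definition (the format produced by `schtasks /query /tn <name> /xml`) and flags a logon trigger, a repetition interval of 15 minutes or less, and an action binary that lives in a user-writable directory. The two task definitions, their binary paths and the 15-minute threshold are constructed for this example and are not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by every exported task definition
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# ISO 8601 duration as used in <Repetition><Interval>, e.g. PT10M, PT1H, P1D
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Directories an unprivileged user can write to; a persistence binary here is suspicious
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Constructed sample: a hypothetical loader task (not a real CoffeeLoader artifact)
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-11-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\Updater\updater.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: a benign daily maintenance task for comparison
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-11-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\maintenance.exe</Command></Exec>
  </Actions>
</Task>"""


def duration_minutes(iso_duration: str):
    """Convert an ISO 8601 duration (PT10M, PT1H30M, P1D) to minutes; None if unparseable."""
    m = DURATION_RE.match(iso_duration.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def assess_task(xml_text: str, max_interval_min: float = 15):
    """Return a list of human-readable findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []

    # Trigger on every logon: the classic 'run again when the user comes back' hook
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("fires at user logon")

    # Tight repetition interval (the report describes a 10-minute cadence)
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        mins = duration_minutes(interval.text or "")
        if mins is not None and mins <= max_interval_min:
            findings.append(f"repeats every {mins:g} min")

    # Action binary under a directory the user can write to (AppData, Temp, ...)
    for cmd in root.iterfind(".//t:Exec/t:Command", NS):
        if USER_WRITABLE.search(cmd.text or ""):
            findings.append(f"runs from user-writable path: {cmd.text}")

    return findings


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, "->", assess_task(xml_text) or ["no findings"])
```

Run it over every task exported from a host and triage the ones that return more than one finding first; a logon trigger alone is common for legitimate software, but a logon trigger combined with a sub-15-minute repetition and a binary under AppData is rare outside malware persistence.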
Update: Firefox and Chrome Sandbox Escape Vulnerabilities Prompt Critical Security Updates
Mozilla has issued a critical patch for a Firefox vulnerability (CVE-2025-2857) that could allow a sandbox escape on Windows. The bug sits in the browser's inter-process communication (IPC) code: a compromised child process could cause the parent process to return a more powerful handle than intended, and with that handle an attacker who already controls a sandboxed process could break out of the sandbox and reach the rest of the system. The issue affects both the standard and ESR release lines and is fixed in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1.

There is no public evidence that the Firefox bug has been exploited, but its close resemblance to a Chrome zero-day is cause for concern. Days earlier, Google fixed a near-identical flaw in Chrome (CVE-2025-2783) that was already being exploited in the wild. Attackers sent phishing emails that lured targets into opening malicious websites in Chrome, where CVE-2025-2783 was chained with a separate exploit: the second exploit provided code execution inside the sandboxed renderer, and the handle flaw then escaped the sandbox. Victims included media outlets, educational institutions, and government organizations in Russia. CISA added the Chrome flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch it by April 17, 2025.

Mozilla's rapid discovery and fix indicate that the Firefox IPC code was reviewed for the same pattern as soon as Google's disclosure landed. Firefox, Chrome, and Tor Browser users should update immediately.
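Because the fix shipped on three release branches at once, a naive "is the version at least 115.21.1" check would wrongly clear every mainline build from 116 to 135 and every ESR 128 build before 128.8.1, while "at least 136.0.4" would wrongly flag patched ESR hosts. The Python below is an added example, not Mozilla's code or tooling: it compares an installed version against the fix release of its own branch, using the three fixed versions stated above. The inventory of hosts is constructed for the example.

```python
# Fixed versions from Mozilla's advisory: each support branch has its own fix release
FIXED_BY_BRANCH = {
    115: (115, 21, 1),   # Firefox ESR 115
    128: (128, 8, 1),    # Firefox ESR 128
}
FIXED_RELEASE = (136, 0, 4)  # mainline Firefox; later majors inherit the fix


def parse_firefox_version(version: str):
    """Turn '128.8.1esr' or '136.0.4' into a comparable (major, minor, patch) tuple."""
    v = version.strip().lower()
    if v.endswith("esr"):
        v = v[:-3]
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:          # '137.0' -> (137, 0, 0)
        parts.append(0)
    return tuple(parts[:3])


def is_patched_cve_2025_2857(version: str) -> bool:
    """True if this Firefox build carries the CVE-2025-2857 fix for its own branch."""
    v = parse_firefox_version(version)
    # ESR branches are compared against their own fix; everything else against 136.0.4
    fixed = FIXED_BY_BRANCH.get(v[0], FIXED_RELEASE)
    return v >= fixed


def triage(inventory):
    """Given host -> version, return the hosts that still need an update, sorted."""
    return sorted(host for host, ver in inventory.items()
                  if not is_patched_cve_2025_2857(ver))


# Constructed inventory of hypothetical hosts (not real data)
SAMPLE_INVENTORY = {
    "ws01": "136.0.4",
    "ws02": "135.0.1",          # mainline, pre-fix
    "srv-kiosk": "128.8.1esr",  # ESR 128 at its fix release
    "srv-legacy": "115.20.0esr",
    "ws03": "137.0",            # later release, inherits the fix
}

if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))
```

The same branch-aware shape applies to any product with parallel support lines; the only product-specific data is the dictionary of fixed versions.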
Morphing Meerkat: A Sophisticated PhaaS Operation Using DNS MX Records and Global Targeting
Researchers have uncovered a sophisticated phishing-as-a-service (PhaaS) operation, tracked as Morphing Meerkat, that uses DNS mail exchange (MX) records to identify a target's email provider and dynamically generate a matching phishing page. The kit impersonates more than 100 brands and serves login pages tailored to the provider behind the victim's domain, such as Gmail, Outlook, or Yahoo, so that the page matches both the provider the victim actually uses and the theme of the lure email. If the MX record does not map to a known provider, the kit falls back to a generic Roundcube login screen. Because the page looks legitimate and contextually appropriate, victims are far more likely to enter their credentials.

The campaign, first observed by Forcepoint and tracked by Infoblox, distributes its emails through open redirects on adtech platforms, including Google DoubleClick, and through compromised WordPress sites, which helps the links evade URL filtering. The emails typically point to what purports to be a shared document and lead to phishing pages hosted on Cloudflare R2. Stolen credentials are exfiltrated through Telegram channels, and the kit translates its page text into more than a dozen languages, letting the operators target users worldwide.

The kit also ships anti-analysis measures: it disables right-click and common keyboard shortcuts, such as those for saving the page or viewing its source, to hinder casual inspection. These are client-side JavaScript tricks and stop only the curious user; the page can still be fetched with a separate HTTP client or inspected through the browser's developer tools. The combination of DNS-based targeting, layered evasion, and global reach makes Morphing Meerkat one of the more advanced phishing operations currently active.
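The MX-based targeting described above is simple to reproduce, which is also why it is useful to a defender: running the same classification over your own domains tells you which lure your users would see. The Python below is an added example, not code from the Morphing Meerkat kit or from the Infoblox or Forcepoint reports. It picks the lowest-preference MX exchange for a domain, matches its host suffix against an assumed table of provider MX suffixes (the suffix patterns are this example's assumption, as are the template labels), and falls back to the Roundcube template the report names. The MX answers for the sample domains are constructed; a real run would replace the dictionary with live DNS lookups.

```python
# Constructed MX answers: (preference, exchange) pairs for hypothetical domains
SAMPLE_MX = {
    "acme-corp.example": [(10, "acme-corp-example.mail.protection.outlook.com.")],
    "smallbiz.example": [(5, "alt1.aspmx.l.google.com."), (1, "aspmx.l.google.com.")],
    "family.example": [(1, "mta5.am0.yahoodns.net.")],
    "selfhosted.example": [(10, "mail.selfhosted.example.")],
    "nomail.example": [],
}

# Assumed mapping from MX host suffix to the login template the kit would serve.
# The suffixes are the public MX hosts of the three providers named in the report;
# the template names are this example's own labels, not the kit's.
PROVIDER_BY_MX_SUFFIX = [
    ("google.com", "gmail"),
    ("googlemail.com", "gmail"),
    ("mail.protection.outlook.com", "outlook"),
    ("yahoodns.net", "yahoo"),
]
DEFAULT_TEMPLATE = "roundcube"  # the report's stated fallback when no provider is recognised


def preferred_exchange(mx_records):
    """Pick the exchange with the lowest preference, normalised to a bare lowercase FQDN."""
    if not mx_records:
        return None
    _, host = min(mx_records, key=lambda rec: rec[0])
    return host.rstrip(".").lower()


def template_for_domain(domain, mx_lookup=SAMPLE_MX):
    """Choose the phishing template a victim at `domain` would be shown."""
    host = preferred_exchange(mx_lookup.get(domain.lower(), []))
    if host is None:
        return DEFAULT_TEMPLATE
    for suffix, template in PROVIDER_BY_MX_SUFFIX:
        # exact host or any subdomain of the provider's MX zone
        if host == suffix or host.endswith("." + suffix):
            return template
    return DEFAULT_TEMPLATE


def template_for_email(address, mx_lookup=SAMPLE_MX):
    """Victim addresses usually arrive in the lure URL; split off the domain part."""
    if "@" not in address:
        return DEFAULT_TEMPLATE
    domain = address.rpartition("@")[2]
    return template_for_domain(domain, mx_lookup)


if __name__ == "__main__":
    for d in SAMPLE_MX:
        print(f"{d:22s} -> {template_for_domain(d)}")
```

Note that the kit needs a DNS answer from inside the victim's browser to do this at all; blocking or logging browser-originated DNS lookups to resolvers outside your own infrastructure is therefore one of the few network-level signals this technique leaves.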