• Copy link
• Facebook
• X
• Reddit
• Email

Share this article

0

Join the conversation

Follow us

Add us as a preferred source on Google

Newsletter

Get the Tom's Guide Newsletter

Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!

Become a Member in Seconds

Unlock instant access to exclusive member features.

Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors

---

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

You are now subscribed

Your newsletter sign-up was successful

---

Want to add more newsletters?

Daily (Mon-Sun)

Tom's Guide Daily

Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.

Signup +

Weekly on Thursday

Tom's AI Guide

Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!

Signup +

Weekly on Friday

Tom's iGuide

Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.

Signup +

Weekly on Monday

Tom's Streaming Guide

Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.

Signup +

---

Join the club

Get full access to premium articles, exclusive features and a growing list of member rewards.

Explore

---

An account already exists for this email address, please log in.

Subscribe to our newsletter

A new malware family is targeting Windows users by impersonating an ASUS utility to deliver malicious code – but perhaps most concerningly, it uses multiple techniques to hide itself from the best antivirus software and other security tools.

As reported by Cybernews, the CoffeeLoader malware, identified by researchers from the cybersecurity firm Zscaler, mimics Asus' Armoury Crate. This utility is used to set up and manage the best gaming laptops from Asus as well as the company's other peripherals.

The researchers say CoffeeLoader originated around September 2024 and has several similarities to the SmokeLoader malware.

Once the malware has infected a system, it delivers several infostealers – among them the well known Rhadamanthys Infostealer. From there, it uses a number of tricks to stay undetected by antivirus programs and other security tools.

For example, it will run code on the infected systems GPU instead of on the computer’s CPU. Since most security programs and antivirus scanners don’t check the GPU, the malware stays hidden.

Another way it covers its tracks is by using a technique called Call Stack Spoofing. While most programs leave behind a trail of function calls, the CoffeeLoader malware can change its own trail in order to make it appear harmless. This keeps it from being recognized as suspicious or harmful by any security software or antivirus programs.

It can also “play dead” or use a technique called Sleep Obfuscation. Basically, when it’s not active, it will “lock” itself up into an encrypted form in the computer's memory; if an antivirus tool scans the memory it won’t find anything readable.

The CoffeeLoader malware also accesses unusual pathways, for example, Windows Fibers, in order to evade detection. Windows Fibers are a way in which programs handle multitasking which allows a program to switch between tasks on its own instead of relying on Windows. The CoffeeLoader can then use these fibers to evade detection since security tools may not monitor them.

How to stay safe

In order to keep your data and your Asus gear safe from the CoffeeLoader malware, you want to ensure that you're downloading Armoury Crate from the company's official site and you can find the download page here.

Hackers often impersonate popular brands and their software as a means to infect unsuspecting users with malware. This is why you always want to go directly to a company's site instead of trusting download links that appear online in forums or even as ads in search results.

Just like anyone else, hackers can easily purchase ad space online and then by crafting a convincing lookalike page, they can trick unsuspecting users into downloading malware onto their PCs through their malicious ads.

Now that we've seen CoffeeLoader impersonate Asus, it's likely that the hackers behind this campaign will try to pose as other popular utilities to recreate this attack. This is why you need to practice good cyber hygiene and remain vigilant online, especially when downloading new software.

More from Tom's Guide

• AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
• Valve just pulled a malicious game demo spreading info-stealing malware from Steam
• New Mac attack is tricking users into thinking their computer is locked — how to stay safe