New Sophisticated Malware CoffeeLoader Bypasses Endpoint Security to Deploy Rhadamanthys Shellcode

Cybersecurity researchers have uncovered a sophisticated new malware strain targeting macOS systems, dubbed “CoffeeLoader,” which employs advanced techniques to bypass endpoint security solutions and deliver Rhadamanthys shellcode payloads.
The malware represents a significant evolution in threats targeting Apple’s ecosystem, demonstrating increasing complexity in evasion tactics.
Initial analysis indicates that CoffeeLoader abuses legitimate system processes to maintain persistence and to avoid detection by traditional security measures.
The malware primarily spreads through trojanized software downloads and phishing emails carrying attachments that pose as PDF documents or application installers.
Once executed, CoffeeLoader establishes a foothold by modifying system files and creating hidden directories to store its components, while disabling some of the security features built into macOS.
Zscaler researchers identified the threat after observing unusual network traffic patterns from infected systems communicating with command-and-control servers primarily hosted in Eastern Europe.
Their analysis revealed that the malware employs a multi-stage infection process designed to evade detection at each phase of execution, making remediation particularly challenging for security teams.
CoffeeLoader's attack vector relies on social engineering rather than a software vulnerability: it first presents itself as a benign application that asks the user for installation permissions.
Once granted those privileges, it deploys a series of obfuscated scripts that establish persistence across reboots while avoiding detection by standard security scans.
The impact extends beyond data theft. Infected systems can be enlisted into a larger botnet that launches distributed attacks or mines cryptocurrency with the host's resources, which degrades performance and can disrupt business operations.
Infection Mechanism Analysis
The infection process begins with a seemingly innocuous executable that loads malicious code into legitimate processes, a step the researchers describe as "dylib hijacking" (placing a library where a trusted binary's loader will pick it up instead of the intended one).
The routine reproduced below is a different primitive, Mach task-port injection: it allocates memory in another task, copies shellcode into it and starts a new thread at that address. It only works once the attacker already holds the target's task port (typically obtained via task_for_pid), which on current macOS requires root or a debugging entitlement and is refused for hardened-runtime and SIP-protected processes, so it belongs to the post-escalation phase rather than initial access. In outline, the code resembles the following:
#include <mach/mach.h>
#include <mach/mach_vm.h>
/* Copy `payload` into `task` and run it on a new thread (x86_64 register state; arm64 would use ARM_THREAD_STATE64). */
kern_return_t inject_payload(task_t task, const void *payload, mach_vm_size_t payload_size, x86_thread_state64_t state) {
    mach_vm_address_t addr = 0;
    thread_act_t thread;
    kern_return_t kr = mach_vm_allocate(task, &addr, payload_size, VM_FLAGS_ANYWHERE);
    if (kr == KERN_SUCCESS) kr = mach_vm_write(task, addr, (vm_offset_t)payload, (mach_msg_type_number_t)payload_size);
    if (kr == KERN_SUCCESS) kr = mach_vm_protect(task, addr, payload_size, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); /* fresh pages are not executable */
    if (kr != KERN_SUCCESS) return kr;
    state.__rip = addr; /* the new thread starts at the copied shellcode; the caller must already have set __rsp to a valid stack in the target */
    return thread_create_running(task, x86_THREAD_STATE64, (thread_state_t)&state, x86_THREAD_STATE64_COUNT, &thread);
}
Analysts recommend that organizations immediately update endpoint protection solutions, implement application allowlisting, and audit the launch-item directories (~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons) for suspicious launch agents or daemons to mitigate this emerging threat.
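As an added example (not code from the original article or from Zscaler's report), the following Python script implements the last recommendation and also covers the "load a dylib into a legitimate process" behaviour described above. It parses LaunchAgent and LaunchDaemon plists with the standard library's plistlib and flags items that run from hidden or temporary directories, that set DYLD_INSERT_LIBRARIES or a related dyld search variable (the documented mechanism for forcing a library into every process a launch item starts), or that hide behind a com.apple.* label while pointing at a non-Apple binary. The path list, the com.apple.* heuristic and the sample plist entries are assumptions chosen for illustration, not indicators taken from the CoffeeLoader analysis.

```python
"""Flag suspicious macOS launch items (LaunchAgents/LaunchDaemons) from their plist files."""
from __future__ import annotations

import plistlib
import re
from pathlib import Path

# Persistent launch-item locations on macOS; /System/Library is SIP-protected and therefore skipped.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Assumed heuristic: programs started from temp folders, the shared folder or any hidden (dot) directory.
SUSPICIOUS_PATH = re.compile(r"^(?:/tmp/|/private/tmp/|/var/tmp/|/private/var/tmp/|/Users/Shared/|.*/\.[^/]+/)")
# dyld variables that make every process the item starts load an extra library.
DYLD_INJECT_VARS = {"DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH"}
# Assumed heuristic: where Apple's own launch items keep their executables.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def program_of(item: dict) -> str:
    """Return the executable a launch item runs (Program takes precedence over ProgramArguments[0])."""
    args = item.get("ProgramArguments") or []
    return item.get("Program") or (args[0] if args else "")


def findings_for(item: dict) -> list[str]:
    """Return human-readable reasons this item deserves a look; an empty list means nothing was flagged."""
    reasons: list[str] = []
    prog = program_of(item)
    label = str(item.get("Label", ""))
    if not prog:
        reasons.append("no Program or ProgramArguments")
    else:
        if SUSPICIOUS_PATH.match(prog):
            reasons.append(f"runs from hidden or temporary path: {prog}")
        if label.startswith("com.apple.") and not prog.startswith(APPLE_BINARY_PREFIXES):
            reasons.append(f"Apple-style label {label!r} runs non-Apple binary {prog}")
    env = item.get("EnvironmentVariables") or {}
    for var in sorted(DYLD_INJECT_VARS & set(env)):
        reasons.append(f"dyld injection variable {var}={env[var]}")
    if reasons and item.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so it starts at every login/boot")
    return reasons


def scan_plist_dir(directory: str | Path) -> dict[str, list[str]]:
    """Parse every .plist in a directory and map file name -> findings; only flagged items are returned."""
    results: dict[str, list[str]] = {}
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            item = plistlib.loads(path.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            results[path.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = findings_for(item)
        if reasons:
            results[path.name] = reasons
    return results


# Constructed sample items (not real CoffeeLoader artifacts) so the checks can be exercised offline.
SAMPLE_ITEMS = {
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "RunAtLoad": True,
    },
    "com.apple.softwareupdate.plist": {
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/Users/Shared/.cache/helper", "-d"],
        "RunAtLoad": True,
    },
    "com.example.loader.plist": {
        "Label": "com.example.loader",
        "Program": "/usr/bin/python3",
        "EnvironmentVariables": {"DYLD_INSERT_LIBRARIES": "/Users/alice/.hidden/libhook.dylib"},
    },
}


def demo() -> dict[str, list[str]]:
    """Run the checks over the constructed samples and return only the flagged ones."""
    return {name: findings_for(item) for name, item in SAMPLE_ITEMS.items() if findings_for(item)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    for d in LAUNCH_DIRS:  # live scan of the real directories; needs root to read /Library/LaunchDaemons fully
        for name, reasons in scan_plist_dir(d).items():
            print(f"{d}/{name}", "->", "; ".join(reasons))
```

Run it as root to cover /Library/LaunchDaemons, and compare the output against a known-good baseline of the host's launch items: the heuristics are deliberately loose, so a legitimate vendor that ships a helper under /Users/Shared will be reported and has to be triaged by hand.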
The post New Sophisticated Malware CoffeeLoader Bypasses Endpoint Security to Deploy Rhadamanthys Shellcode appeared first on Cyber Security News.