A new malware named CoffeeLoader exploits computer GPUs to escape security measures, posing a major threat to PC users.

Cybercriminals are constantly enhancing their tactics and looking for new strategies, and the latest threat is CoffeeLoader – a slice of malware which takes an innovative approach to hiding from security tools. Typically, malware runs on the central processing unit (CPU) of a PC, but CoffeeLoader throws a curveball by executing on the graphics processing unit (GPU). Most security software ignores GPU activity, so CoffeeLoader is able to operate silently in the background.

All malware is a nightmare, but malware which can only be described as ingenious is even worse. That’s why Ophtek’s going to give you a quick run through on what’s happened and how you can keep your PCs safe.

Brewing Trouble: The Tactics of CoffeeLoader

The exact mechanics of how CoffeeLoader infects a system have not, as of yet, been revealed. However, as with most malware, it’s likely that CoffeeLoader is used in conjunction with phishing emails and malicious websites. What is known about CoffeeLoader is its unique approach to protecting itself.

One of CoffeeLoader’s key tactics is to integrate ‘call stack spoofing’ into its attack. Security tools usually track how programs execute by monitoring their call stacks. But what, you may ask, is a call stack? Well, to keep it simple, we’ll describe it as a log of commands showing the program’s activity flow. However, this is where CoffeeLoader’s deceptive streak starts. By distorting its stack, it appears as though it’s running legitimate processes. This allows it to blend in with your usual system activity, avoiding detection with ease.

To strengthen its stealth credentials, CoffeeLoader also employs sleep obfuscation. Threat actors insert artificial delays or sleep functions into the code so that the malware appears inactive or dormant, which helps it escape detection by behavioral analysis tools.

Finally, CoffeeLoader exploits Windows fibers – these are lightweight execution threads commonly used by genuine, harmless applications. Manipulating these fibers allows the malware to switch execution paths mid-attack, which makes it more unpredictable and difficult for security programs to trace.

Combined, these three techniques underline the dangerous threat contained within CoffeeLoader. By running on a PC’s GPU and using multiple techniques to conceal itself, CoffeeLoader can evade detection and exploit an infected system to its heart’s content.

How Can You Avoid Being Burnt by CoffeeLoader?

As cyber threats become more advanced through attacks such as CoffeeLoader, it’s crucial that PC users adopt these best practices to stay safe and protect their systems:

  • Keep Your Software Updated: One of the simplest ways to protect your IT infrastructure is by ensuring that your applications are kept up-to-date and secure. This can easily be achieved by always downloading the latest software patches and updates as soon as they’re available. Hackers thrive upon outdated software and the associated vulnerabilities, so it’s paramount that you prevent this.
  • Use Advanced Security Tools: Basic anti-malware software is fine for your average PC user, but businesses often need something a little more robust. Advanced security suites offer behavior-based detection that can analyze and recognize unusual activity.
  • Be Careful with Downloads and Links: The internet is full of dangers and hazards, so you should avoid downloading anything from untrusted websites or clicking on links in suspicious emails. The best way forward with downloads and links is to only trust them if they’re from genuine, legitimate websites – this prevents you from downloading malware.

For more ways to secure and optimize your business technology, contact your local IT professionals.



Ophtek founder Arash Shokouh recently joined the Pillar6 Podcast to share insights on his background, cybersecurity and technology.

Somehow managing to find time in his busy schedule, Arash sat down with Pillar6 host Roman Polnar to discuss the topics in life which really matter. Given Arash’s experience and success throughout his exciting journey through life, it should come as no surprise that the podcast proved to be highly intriguing for listeners. And at a whisker past 40 minutes, it’s brisk enough to keep your wits alight without overstaying its welcome.

The Pillar6 Podcast has been going strong for over five years now, diving into real conversations about money, life, and success and, most importantly, keeping these balanced. Money, argues Pillar6, can’t give you a shortcut to unadulterated happiness, but it can give you a helping hand in positively calibrating your work/life balance – a non-negotiable necessity in the frantic 21st century. Over the course of its 40+ episodes, the Pillar6 podcast has spoken with business owners, attorneys, and AI experts to find out what makes them tick and how they’ve achieved their success.

At the center of these podcasts is host Roman Polnar. Having worked in the financial-advisory profession for over 24 years, Roman has a real talent for drawing out meaningful insights – hence, he’s the ideal guide for deep, engaging conversations on complex and technical subjects. Roman launched Pillar6 Advisors LLC in 2010 after a decade in the corporate world, driven by a clear vision: to build a firm which valued supporting its clients rather than being motivated purely by profits.

In episode 42 of the Pillar6 podcast, Roman finally got Arash into the studio for a comprehensive take on not only Arash’s career so far but also his thoughts on a wide range of contemporary subjects.

With over 20 years of experience in IT, Arash breaks down how everyday users and small businesses can use simple tools to better protect themselves against rising threats like phishing, AI-driven scams, and system intrusions. He explains the importance of adopting a Zero Trust mindset – questioning every request, even from familiar sources – and why a password manager can supercharge your defenses with ease and relatively little investment.

Through engaging stories, including his unexpected recruitment by the CIA, Arash brings these topics to life and offers practical tips for boosting your digital safety. By the end of the episode, you’ll feel more aligned with modern cybersecurity and have a whole host of resources to check out.




The FBI has warned that fake online file converters are spreading malware, potentially leading to data theft, financial loss, and ransomware attacks.

Cybercriminals are creating fake file conversion websites which appear to offer free tools for converting documents, images, and other file types. Many people use these types of file converters to convert a PDF to a Word document, extract audio from video files, or change an image file to a more suitable format. However, instead of just providing a conversion service, these malicious websites are also infecting users’ PCs with malware.

This attack is especially dangerous as PC users regularly access file conversion websites, but they don’t realize that these sites could be dangerous. Once a visitor has their converted file, they assume all is well. Unfortunately, behind the scenes, much more is going on.

Converting Your Files into Malware

The fake file converter websites often appear in search engine results or through online ads, making them appear safe and legitimate. Some of the most recently identified fake converters include DocuFix and PDFixers. When a user visits one of these sites, they’re typically instructed to upload the file they want to convert. Once the file is uploaded, the website provides a download link for the “converted” file.

However, this file is not what it seems. Although the downloaded file may be a correctly converted file, it will also have malware hidden in it. As well as delivering malware, these fake websites also analyze files uploaded by users for sensitive data, e.g., if someone has uploaded a PDF file containing financial information, the threat actors behind the website will be able to harvest it. In many cases, a correctly converted file isn’t even included in the available download, with malware such as Gootloader and Cobalt Strike being the only files on offer.

The impact of this malware can be catastrophic. Running quietly in the background, it can capture personal data, launch ransomware attacks, or even take control of the PC. Accordingly, all PC users need to tread carefully online.

Staying Safe from the Threat of Fake Converters

File converter websites are incredibly useful, but only when they’re the real deal and do exactly what they claim. However, as most internet users accessing these sites are busy working on something, they don’t always pay attention to the site they’re visiting. This is where cybercriminals have an opportunity to exploit that trust. Therefore, it’s crucial that you understand these best practices for staying safe:

  • Only Use Trusted Sites: Never use a file converter website that you haven’t thoroughly researched. Always conduct a quick Google search for reviews of the website and carefully read the most recent comments. Even if you’re a regular user of a particular converter website, always double check that the URL is correct – many threat actors mimic official websites by changing a letter or two in order to appear genuine.
  • Be Cautious When Downloading: Always scan any downloaded files from the internet with your security software. These security tools are regularly updated to identify all new strains of malware and can stop you executing any malicious files. Additionally, if a file converter asks you to install further tools to convert your files, you should immediately stop.




Cybercriminals are exploiting the urgency of tax season to launch phishing scams aimed at stealing personal and financial data.

Once again, the tax filing deadline is fast approaching for Americans, and cybercriminals are preparing to take advantage of this seasonal chaos. Microsoft has recently issued a warning about a surge in tax-themed phishing campaigns targeting both individuals and businesses. These scams are designed to look convincing – often replicating official communications from the IRS or trusted tax companies – and are very successful at tricking people into revealing sensitive data or installing malware.

Luckily, Ophtek has your back and we’re here to give you some advice on how you can stay safe.

Understanding Tax-Related Phishing Scams

At the core of these scams are phishing emails which use urgency and fear to catch victims off guard and push them into taking an action. The emails may, for example, claim there’s a problem with your tax filing, warn of an audit, or promise that a tax refund is due. These emails often carry subject lines such as “EMPLOYEE TAX REFUND REPORT” or “Tax Strategy Update Campaign Goals” and, once opened, can install malicious software.

Typically, the emails also contain PDF attachments – with names such as lrs_Verification_Form_1773.pdf – which are used to redirect users to malicious websites containing malware. In certain cases, the emails also include links or QR codes that redirect users to fake websites made to resemble genuine tax portals. The goal is simple: get users to enter their personal or financial details or download malware.

But not all of these phishing emails are easily identifiable as threatening or suspicious. Some start with relatively harmless messages to build trust. Once the target feels comfortable, follow-up emails are used to introduce more dangerous content. This makes it more likely the user will activate a malicious payload compared to an email received out of the blue. A wide range of malware has been observed in these attacks with GuLoader, AHKBot, and BruteRatel C4 just a few of those involved.

Protect Your Finances and Your Tax Returns

The financial and personal impact of these attacks can be significant for victims. As well as the potential financial loss, those affected often face further headaches in the form of frozen credit, blacklisting, and stolen tax refunds. For businesses, the consequences can extend to data breaches, costly compliance violations, and significant downtime. Accordingly, you need to tread carefully during tax season and make sure you follow these best practices:

  • Verify Email Authenticity: It’s crucial that you check the authenticity of all emails you receive, especially those which call for an urgent action to be performed. Always check the email address of emails received and make sure they’re not using an unusual domain spelling e.g. I-R-S@tax0ffice.com
  • Be Careful of Attachments and Links: Never open attachments from unknown sources as these could easily contain malware. Likewise, be careful when dealing with links – hover your mouse cursor over any suspicious links to reveal the genuine destination and Google the true URLs to identify any potential threat.
  • Keep Your Software Updated: Finally, make sure that your software is always up-to-date and has the latest security patches installed. This can strengthen your cyber defenses and make it much harder for threat actors to take advantage of software vulnerabilities.
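The two checks above, confirming that a converter site’s URL hasn’t had “a letter or two” changed and that a sender’s domain isn’t an unusual spelling like tax0ffice.com, can be automated. The following is an added example, not code from the article: it folds common digit-for-letter swaps, then measures the edit distance between a sender’s domain and a list of trusted domains. irs.gov is the real IRS domain; taxoffice.example and every sample address are constructed placeholders.

```python
# Digits commonly substituted for the letters they resemble in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case the domain, fold digit look-alikes, and treat 'l' and 'i' as one."""
    folded = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return folded.replace("l", "i")  # "lrs.gov" and "irs.gov" now compare equal


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain of an address such as 'IRS Refunds <x@y.example>'."""
    return address.rsplit("@", 1)[1].strip(" >").lower()


def classify(address: str, trusted: list[str], max_distance: int = 2) -> tuple[str, str]:
    """('trusted', d) for an exact trusted domain; ('lookalike', d) when the normalized
    domain is within max_distance edits of trusted domain d; otherwise ('unknown', '')."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    norm = normalize(domain)
    best = min(trusted, key=lambda t: edit_distance(norm, normalize(t)))
    if edit_distance(norm, normalize(best)) <= max_distance:
        return "lookalike", best
    return "unknown", ""


# Constructed sample data: irs.gov is the genuine IRS domain; taxoffice.example is a
# placeholder standing in for a tax preparer's legitimate domain.
TRUSTED = ["irs.gov", "taxoffice.example"]
SAMPLE_SENDERS = [
    "refunds@irs.gov",                  # exact match with a trusted domain
    "I-R-S@tax0ffice.example",          # zero in place of 'o', as in the article
    "IRS Verification <form@lrs.gov>",  # lowercase L for 'I', as in the PDF name
    "news@ophtek.com",                  # unrelated domain, neither trusted nor close
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:36} -> {classify(sender, TRUSTED)}")
```

A "lookalike" verdict is a cue to stop and verify through a known-good channel, not proof of fraud, and an "unknown" sender still deserves the usual caution.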




A recent cyberattack has compromised thousands of TP-Link routers, turning them into a botnet which spreads malware and launches cyberattacks worldwide.

Cybersecurity researchers have discovered a widespread attack where threat actors exploited a vulnerability (CVE-2023-1389) in TP-Link Archer AX-21 routers. This security flaw allows attackers to take control of unpatched routers remotely, recruiting them – alongside thousands of others – into a botnet. What’s a botnet? Well, luckily Ophtek is here to explain: a botnet is a network of infected devices used for malicious activities on a huge scale.

At least 6,000 routers have been affected, with compromised devices being found all across the world in Brazil, Poland, the UK, Bulgaria, and Turkey. Once a TP-Link router is infected, it can spread malware to other devices on the same network or be used as part of a coordinated botnet attack.

How Were the TP-Link Routers Exploited?

The threat actors behind the attack started by simply scanning the internet for any vulnerable TP-Link routers that had not been updated with the latest security patches. Each time a router was found with the vulnerability in place, the attackers were able to exploit a remote code execution flaw, which allowed them to install malware on the router.

Once infected, these routers became part of the Ballista botnet, which the threat actors were able to control remotely. As more and more routers, and devices connected to them, were recruited, Ballista became even more powerful. This enabled it to spread malware to further PCs and devices, launch DDoS attacks to flood websites and disrupt online services, and steal sensitive data passing through the router.

Why Should PC Users be Concerned?

All modern PCs rely on routers to connect to the internet and internal IT infrastructures, but many people take them for granted and don’t consider them a security risk. Accordingly, many PC users have been caught out by not updating their router’s firmware or keeping their device’s default password, both of which make them easy targets for hackers. As TP-Link router users have discovered, an infected router can quickly become a major security risk, sending data to hackers without the user being aware.

Keeping Your Router Safe from Vulnerabilities

It’s highly likely that you own a router or regularly use a computer connected to one. Regardless of the make and model, all routers have the potential to be compromised by threat actors. Here’s how you can stay safe:

