ArmouryLoader burst onto the threat landscape in late 2024 after hijacking the export table of ASUS's Armoury Crate utility, turning a trusted gaming companion into an initial entry point for sophisticated malware campaigns. Since then, security teams have watched a steady uptick in incidents where the loader quietly slips past endpoint telemetry, decrypts its payload in GPU memory, and launches anything from CoffeeLoader to SmokeLoader without dropping a file on disk. Digital signatures embedded in the rogue DLL carry the legitimate "ASUSTeK COMPUTER INC." publisher field, further aiding social-engineering campaigns aimed at non-technical users who trust visible certificates.

Once the malicious DLL is side-loaded, execution enters Stage 1: an ocean of reversible arithmetic operations designed to pad disassembly listings while leaving registers unchanged. In seconds, Stage 2 spawns a new thread, decrypts the next PE stub and hands execution to Stage 3, where an OpenCL kernel performs XOR on ciphertext blocks entirely on the GPU, evading sandbox hooks that monitor CPU-bound API calls. 4hou analysts noted that the loader's GPU dependence forces many automated sandboxes into dead paths because they present virtualized, non-accelerated graphics adapters.

Stage 5 begins by querying TokenElevationType and CheckTokenMembership to decide whether the current context enjoys administrative powers. If it does, the loader copies itself to %PROGRAMDATA%\ArmouryAIOSDK.dll, sets the System, Hidden and Read-Only attributes, and amends the file's ACL so that even local administrators receive a "Deny Delete" entry. A final flourish ensures stealth: ArmouryLoader rewrites the PEB's ImagePathName and the corresponding LDR_DATA_TABLE_ENTRY strings to "explorer.exe" before using CMLuaUtil to relaunch itself with full administrative rights. Any security product performing superficial process-name checks therefore assumes the privilege escalation originated from the Windows shell.

The loader's impact is extensive: tele-working endpoints receive second-stage Trojans, SOCs struggle with opaque call traces, and incident responders confront persistent tasks that re-install the freeBuffer hijack after every reboot. Its ability to select OpenCL-capable devices, combine privilege escalation with advanced obfuscation, and forge call stacks has made it a favourite among financially motivated threat actors targeting both consumer and enterprise environments. By chaining tampered digital signatures, encrypted GPU workloads and ACL-hardened scheduled tasks, ArmouryLoader offers a durable, low-noise delivery channel that will likely remain attractive to attackers until defenders harden GPU telemetry and restrict task-registration APIs system-wide.
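The Stage 5 artifact described above (a DLL dropped in the ProgramData root with the System, Hidden and Read-Only attributes set, a Deny-Delete ACE aimed at Administrators, and a familiar publisher name on a signature that does not verify) can be expressed as a small triage rule. The Python below is an added example written for this article, not code from cybersecuritynews.com, 4hou or the loader itself; the file records are constructed, the field names and the two-finding threshold are assumptions, and on a live host the same fields would be filled from Get-Item, Get-Acl and Get-AuthenticodeSignature (or the underlying GetFileAttributes, GetNamedSecurityInfo and WinVerifyTrust calls).

```python
"""Triage rules for an ArmouryLoader-style persistence artifact.

Added example, not code from the article or the loader. The records below are
constructed to look like an EDR file-inventory export: path, Win32 attribute
flags, DACL entries and an Authenticode summary.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Win32 FILE_ATTRIBUTE_* bit values.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20
STEALTH_ATTRS = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Standard access right DELETE as it appears in an ACE access mask.
DELETE = 0x00010000
FILE_ALL_ACCESS = 0x1F01FF
FILE_GENERIC_READ_EXECUTE = 0x1200A9   # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE


@dataclass
class Ace:
    principal: str      # e.g. "BUILTIN\\Administrators"
    ace_type: str       # "allow" or "deny"
    access_mask: int


@dataclass
class FileRecord:
    path: str
    attributes: int
    dacl: list[Ace] = field(default_factory=list)
    signer: str | None = None            # publisher name shown on the certificate
    signature_status: str = "unsigned"   # "valid", "hash_mismatch", "untrusted_root", "unsigned"


def deny_delete_principals(rec: FileRecord) -> list[str]:
    """Principals that hold an explicit Deny ACE covering the DELETE right."""
    return [a.principal for a in rec.dacl
            if a.ace_type == "deny" and (a.access_mask & DELETE)]


def triage_file(rec: FileRecord) -> list[str]:
    """Return the persistence indicators a record matches (empty list = clean)."""
    findings: list[str] = []
    lower = rec.path.replace("/", "\\").lower()
    # 1. A DLL sitting directly in the ProgramData root rather than a vendor subfolder.
    if lower.startswith("c:\\programdata\\") and lower.count("\\") == 2 and lower.endswith(".dll"):
        findings.append("dll_in_programdata_root")
    # 2. System + Hidden + Read-Only set together, which hides the file from casual listing.
    if (rec.attributes & STEALTH_ATTRS) == STEALTH_ATTRS:
        findings.append("system_hidden_readonly")
    # 3. An explicit Deny-Delete entry, in this loader's case aimed at Administrators.
    denied = deny_delete_principals(rec)
    if denied:
        findings.append("deny_delete_ace:" + ",".join(denied))
    # 4. A recognisable publisher name on a signature that does not actually verify.
    #    The name is what a user sees; only the verification result means anything.
    if rec.signer and rec.signature_status != "valid":
        findings.append(f"signer_name_without_valid_signature:{rec.signer}")
    return findings


def is_suspicious(rec: FileRecord, threshold: int = 2) -> bool:
    """Assumed policy: two or more independent indicators escalate the file."""
    return len(triage_file(rec)) >= threshold


# Constructed sample records (attribute values, ACEs and statuses are illustrative).
LOADER_LIKE = FileRecord(
    path=r"C:\ProgramData\ArmouryAIOSDK.dll",
    attributes=STEALTH_ATTRS | FILE_ATTRIBUTE_ARCHIVE,
    dacl=[
        Ace("BUILTIN\\Administrators", "deny", DELETE),
        Ace("NT AUTHORITY\\SYSTEM", "allow", FILE_ALL_ACCESS),
        Ace("BUILTIN\\Users", "allow", FILE_GENERIC_READ_EXECUTE),
    ],
    signer="ASUSTeK COMPUTER INC.",
    signature_status="hash_mismatch",
)
BENIGN = FileRecord(
    path=r"C:\ProgramData\ExampleVendor\helper.dll",   # constructed, not a real product path
    attributes=FILE_ATTRIBUTE_ARCHIVE,
    dacl=[Ace("BUILTIN\\Users", "allow", FILE_GENERIC_READ_EXECUTE)],
    signer="Example Vendor Ltd.",
    signature_status="valid",
)

if __name__ == "__main__":
    for rec in (LOADER_LIKE, BENIGN):
        print(rec.path, "->", triage_file(rec) or "clean")
```

Because a canonical DACL orders Deny ACEs ahead of Allow ACEs, the Deny-Delete entry really does stop an interactive administrator from removing the file; cleanup has to take ownership and rewrite the DACL first, which is also why the Deny ACE itself is a useful indicator rather than noise.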
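The PEB rewrite described above is detectable precisely because it only changes strings the process owns: the ImagePathName in the PEB and the LDR_DATA_TABLE_ENTRY names live in user-mode memory, while the image path the kernel records for the process (what QueryFullProcessImageNameW returns) is untouched by it. The Python below is an added example, not code from the article or the loader; the snapshot records are constructed, and a real collector would fill the PEB side by reading the target's PEB through NtQueryInformationProcess and ReadProcessMemory and the kernel side through QueryFullProcessImageNameW.

```python
"""Flag processes whose self-reported identity disagrees with the kernel's view.

Added example, not code from the article or the loader. ProcessSnapshot
records are constructed stand-ins for what a collector would read from each
process (PEB strings and the kernel-held image path).
"""
from __future__ import annotations
from dataclasses import dataclass
import ntpath   # Windows path semantics regardless of the host this runs on

SHELL_IMAGE = r"c:\windows\explorer.exe"   # the only legitimate explorer.exe location


@dataclass
class ProcessSnapshot:
    pid: int
    peb_image_path: str        # PEB->ProcessParameters->ImagePathName (process-owned)
    ldr_base_dll_name: str     # BaseDllName of the main module's LDR_DATA_TABLE_ENTRY
    kernel_image_path: str     # kernel view, e.g. QueryFullProcessImageNameW
    elevated: bool             # token is a full administrator token


def identity_findings(p: ProcessSnapshot) -> list[str]:
    """Indicators that the process's own identity strings have been rewritten."""
    findings: list[str] = []
    kern = p.kernel_image_path.lower()
    peb = p.peb_image_path.lower()
    if peb != kern:
        findings.append("peb_image_path_mismatch")
    if p.ldr_base_dll_name.lower() != ntpath.basename(kern):
        findings.append("ldr_module_name_mismatch")
    # The specific disguise used here: claim to be the shell while running from elsewhere.
    if ntpath.basename(peb) == "explorer.exe" and kern != SHELL_IMAGE:
        findings.append("claims_explorer_identity")
    return findings


def scan(snapshots: list[ProcessSnapshot]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that has at least one."""
    results: dict[int, list[str]] = {}
    for s in snapshots:
        f = identity_findings(s)
        if f:
            results[s.pid] = f
    return results


def spoofed_elevated(snapshots: list[ProcessSnapshot]) -> list[int]:
    """Elevated processes that present a shell identity the kernel does not confirm.
    A rule that trusts the process name would attribute these to the Windows shell."""
    return [s.pid for s in snapshots
            if s.elevated and "claims_explorer_identity" in identity_findings(s)]


# Constructed sample snapshot: a real shell, a normal user process, and one
# process whose PEB strings have been rewritten. The host path is a placeholder.
SAMPLES = [
    ProcessSnapshot(1234, r"C:\Windows\explorer.exe", "explorer.exe",
                    r"C:\Windows\explorer.exe", elevated=False),
    ProcessSnapshot(2048, r"C:\Windows\System32\notepad.exe", "notepad.exe",
                    r"C:\Windows\System32\notepad.exe", elevated=False),
    ProcessSnapshot(4711, r"C:\Windows\explorer.exe", "explorer.exe",
                    r"C:\Temp\constructed_host.exe", elevated=True),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLES).items():
        print(pid, findings)
    print("elevated with spoofed shell identity:", spoofed_elevated(SAMPLES))
```

Comparing the two views per process is cheap enough to run on every elevation event; the kernel path is also what Sysmon and most EDR agents record as Image, so an alert rule can simply join that field against a PEB read taken at the same time.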
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 29 Jul 2025 20:30:25 +0000