
CoffeeLoader: A Brew of Stealthy Techniques

Published 27/03/2025 11:03 · Modified 27/03/2025 14:22


Essential information

Tags
2025-03-27 coffeeloader gpu packer rhadamanthys smokeloader
Related entities
5 observables, 15 techniques (mitre), 3 malware

Description

CoffeeLoader is a sophisticated malware loader discovered in September 2024, designed to download and execute second-stage payloads while evading detection. It employs several techniques to bypass security controls, including a packer that leverages the GPU, call stack spoofing, sleep obfuscation, and Windows fibers. Command-and-control communication runs over HTTPS with certificate pinning, so a TLS-inspecting proxy or sandbox that presents its own certificate cannot intercept the channel. The loader supports commands for injecting and running shellcode, executables, and DLLs. CoffeeLoader shares similarities with , which has been observed distributing it. Its evasion features are aimed at antivirus, EDR products, and malware sandboxes, making it a formidable entry in the crowded market of malware loaders.
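The following is an added example, not CoffeeLoader's code, illustrating the certificate-pinning pattern the description refers to: a client that ignores the system trust store and accepts only one hard-coded leaf certificate fingerprint. It stands up a loopback TLS server with a constructed self-signed certificate (the stand-in for the real C2 server), then a second one with a different constructed certificate (the stand-in for an inspection proxy), and shows that the pinned client connects to the first and refuses the second. All certificates, names and functions are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned generates a throwaway self-signed certificate. This is
// constructed test material for the example, not a real C2 certificate.
func newSelfSigned(cn string) (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, der, nil
}

// Fingerprint returns the hex SHA-256 of a DER certificate, i.e. the value a
// pinning client embeds at build time.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinnedConfig replaces chain and hostname validation with a single check:
// the presented leaf must hash to the pinned value. A proxy CA trusted by the
// host does not help an interceptor, because trust is never consulted.
func pinnedConfig(pinHex string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // standard verification is replaced by the pin below
		MinVersion:         tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no peer certificate")
			}
			got := Fingerprint(rawCerts[0])
			if subtle.ConstantTimeCompare([]byte(got), []byte(pinHex)) != 1 {
				return fmt.Errorf("pin mismatch: got %s", got)
			}
			return nil
		},
	}
}

// TryPinnedConnect serves serverCert on a loopback TLS listener and returns
// the handshake error a client pinned to pinHex gets; nil means it connected.
func TryPinnedConnect(serverCert tls.Certificate, pinHex string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // server side; error ignored, client reports it
		c.Close()
	}()
	dialer := &net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", ln.Addr().String(), pinnedConfig(pinHex))
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo returns (genuine server accepted, intercepting server rejected).
func Demo() (bool, bool, error) {
	c2Cert, c2DER, err := newSelfSigned("c2") // stand-in for the real C2 server
	if err != nil {
		return false, false, err
	}
	proxyCert, _, err := newSelfSigned("inspection-proxy") // stand-in for a TLS-inspecting middlebox
	if err != nil {
		return false, false, err
	}
	pin := Fingerprint(c2DER)
	genuineOK := TryPinnedConnect(c2Cert, pin) == nil
	proxyRejected := TryPinnedConnect(proxyCert, pin) != nil
	return genuineOK, proxyRejected, nil
}

func main() {
	g, p, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine C2 accepted: %v, interception proxy rejected: %v\n", g, p)
}
```

For defenders the practical consequence is the inverse of the demo: a sandbox or egress proxy that re-signs TLS with its own CA will see the pinned client abort the handshake rather than reveal its C2 traffic, so detonation environments need to either pass the traffic through untouched or recover the plaintext from the process (for example by hooking the TLS library) instead of from the wire.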

External references