ArmouryLoader: New Sophisticated Malware Evades EDRs by Exploiting ASUS Gaming Software and OpenCL GPU Decryption
ArmouryLoader has once again captured the attention of cybersecurity experts, emerging as one of the most technically sophisticated malware loaders in recent memory. Its architecture reflects a mature approach to evading defenses, employing stealthy techniques and deeply embedding itself within trusted software.
The attackers chose ASUS’s Armoury Crate—a utility for managing gaming hardware—as their primary entry point. Specifically, its ArmouryA.dll library is replaced, with the exported function freeBuffer serving as the initial trigger for infection.
This malicious component began circulating as early as 2024 and has since undergone extensive refinement, evolving into a multi-stage Trojan delivery platform. Among the payloads it delivers are well-known malware families such as SmokeLoader and CoffeeLoader.
ArmouryLoader facilitates both privilege escalation and persistent system presence while effectively evading most endpoint detection and response (EDR) solutions. Its standout feature is its reliance on OpenCL—a parallel computing framework that runs on GPUs—which means the loader simply does not run, and so cannot be observed, in sandboxed or virtual environments that lack hardware acceleration or 32-bit architecture support.
Its technical arsenal is formidable, employing an array of obfuscation methods: insertion of superfluous instructions, self-decoding code, and spoofed call chains. During execution, it leverages gadgets from legitimate libraries, enabling it to read memory and manipulate jump addresses undetected. By faking the call stack, it obscures the true origin of system calls, making analysis exceedingly difficult.
The loader is structured into eight distinct stages, each responsible for specific operations. The first stage activates shellcode via intercepted export functions. The second, fourth, and sixth stages decrypt payloads through cascading XOR loops. The third stage invokes OpenCL functions to decode shellcode using GPU computation across NVIDIA, AMD, or Intel devices. In the fifth stage, privilege escalation is achieved first by impersonating explorer.exe, followed by exploitation of the CMSTPLUA or CMLuaUtil components.
Persistence is maintained via scheduled tasks: if administrative privileges are available, tasks run every 10 minutes with maximum rights; otherwise, they execute every 30 minutes. Malicious files are hidden, set to read-only, and protected via modified ACLs that block user access.
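The scheduled-task cadence described above is something a defender can check for directly. The following is an added example, not code from the article or the Antiy report: it parses Task Scheduler XML definitions (the format under C:\Windows\System32\Tasks and produced by `schtasks /query /xml`) and flags tasks that repeat every 10 minutes at HighestAvailable run level or every 30 minutes otherwise. The task names, paths and XML bodies are constructed samples, not indicators from the report.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by every task definition under
# C:\Windows\System32\Tasks and by `schtasks /query /xml`.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def parse_task(xml_text: str) -> dict:
    """Pull out the trigger cadence, run level and launched commands of one task."""
    root = ET.fromstring(xml_text)
    return {
        "intervals": [e.text for e in root.iterfind(".//t:Repetition/t:Interval", NS)],
        "run_level": root.findtext(".//t:Principal/t:RunLevel", default="", namespaces=NS),
        "commands": [e.text for e in root.iterfind(".//t:Exec/t:Command", NS)],
    }

def is_suspicious(task: dict) -> bool:
    """Match the cadence the report describes: every 10 min with highest
    available rights (admin path) or every 30 min (non-admin path)."""
    highest = task["run_level"] == "HighestAvailable"
    return ("PT10M" in task["intervals"] and highest) or "PT30M" in task["intervals"]

def scan(tasks: dict) -> list:
    """Return the names of tasks whose definition matches the heuristic."""
    return [name for name, xml in tasks.items() if is_suspicious(parse_task(xml))]

def _task_xml(interval: str, run_level: str, command: str) -> str:
    """Build a minimal, constructed task definition for the demo."""
    return f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>{interval}</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

# Constructed sample set: two that match the described pattern, one benign updater.
SAMPLE_TASKS = {
    "AdminPath": _task_xml("PT10M", "HighestAvailable", r"C:\ProgramData\demo\stage.exe"),
    "UserPath": _task_xml("PT30M", "LeastPrivilege", r"C:\Users\demo\AppData\Local\stage.exe"),
    "Updater": _task_xml("PT1H", "LeastPrivilege", r"C:\Program Files\Vendor\update.exe"),
}

if __name__ == "__main__":
    print(scan(SAMPLE_TASKS))  # ['AdminPath', 'UserPath']
```

A hit is only a lead: follow it up by checking the launched file's attributes and ACL against the hidden, read-only, access-denied pattern the article describes.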
More advanced stages incorporate techniques such as Halo’s Gate—a method for retrieving syscall numbers while bypassing user-mode hooks—and Heaven’s Gate, which enables execution of 64-bit code within the dllhost.exe process on 32-bit systems. The final stage manages memory allocation and execution flow via ROP (Return-Oriented Programming) chains.
A report by Antiy highlights the presence of a unique OpenCL-based decoder that uses XOR operations over strings to generate decryption keys for the shellcode. Analysis of a 1.41 MB sample (MD5: 5A31B05D53C39D4A19C4B2B66139972F) revealed heavy obfuscation, fake ASUS digital signatures, and dynamic API resolution through the Process Environment Block (PEB).
According to the MITRE ATT&CK matrix, ArmouryLoader’s tactics align with multiple techniques:
- T1053: Scheduled Task Execution
- T1546: Event-Triggered Execution
- T1140: File Deobfuscation
- T1620: Defense Evasion via Decryption and Direct System Calls
- T1027: Obfuscated Files or Information
ArmouryLoader stands as a chilling example of how legitimate platforms can be weaponized into intricate malware delivery mechanisms, blurring the line between trusted functionality and malicious intent.