ArmouryLoader Bypassing System Security Protections and Inject Malicious Codes

ArmouryLoader burst onto the threat landscape in late 2024 after hijacking the export table of ASUS’s Armoury Crate utility, turning a trusted gaming companion into an initial entry point for sophisticated malware campaigns.

Since then, security teams have watched a steady uptick in incidents where the loader quietly slips past endpoint telemetry, decrypts its payload in GPU memory, and launches anything from CoffeeLoader to SmokeLoader without dropping a file on disk.

The loader’s ability to select OpenCL-capable devices, combine privilege escalation with advanced obfuscation, and forge call stacks has made it a favourite among financially motivated threat actors targeting both consumer and enterprise environments.

Attackers normally deliver the tampered ArmouryA.dll via spear-phishing archives or compromised software repositories.

Once the malicious DLL is side-loaded, execution enters Stage 1—an ocean of reversible arithmetic operations designed to pad disassembly listings while leaving registers unchanged.

In seconds, Stage 2 spawns a new thread, decrypts the next PE stub and hands execution to Stage 3, where an OpenCL kernel performs XOR on ciphertext blocks entirely on the GPU, preventing sandbox hooks that monitor CPU-bound API calls.

4hou analysts noted the loader’s GPU dependence forces many automated sandboxes into dead paths because they present virtualized, non-accelerated graphics adapters.

The loader’s impact is extensive: tele-working endpoints receive second-stage Trojans, SOCs struggle with opaque call traces, and incident responders confront persistent tasks that re-install freeBuffer hijacks after every reboot.

Digital signatures embedded in the rogue DLL carry the legitimate “ASUSTeK COMPUTER INC.” publisher field, further aiding social-engineering campaigns aimed at non-technical users who trust visible certificates.

Persistence Tactics: Scheduled Tasks That Refuse to Die/

While obfuscation and GPU-side decryption earn most headlines, ArmouryLoader’s persistence layer is the quiet force that guarantees long-term access.

Stage 5 begins by querying TokenElevationType and CheckTokenMembership to decide whether the current context enjoys administrative powers.

If true, the loader copies itself to %PROGRAMDATA%ArmouryAIOSDK.dll, sets System, Hidden and Read-Only attributes, and amends the file’s ACL so that even local administrators receive a “Deny Delete” entry.

The following code fragment—excerpted from the fifth-stage PE—shows how those rights are enforced:-

pList.grfAccessPermissions =
      DELETE | FILE_WRITE_DATA | FILE_APPEND_DATA |
      FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES;
pList.grfAccessMode   = DENY_ACCESS;
SetEntriesInAclW(1, &pList, NULL, &newAcl);
SetNamedSecurityInfoW(L"%ProgramData%\ArmouryAIOSDK.dll",
      SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
      NULL, NULL, newAcl, NULL);

If high integrity is unavailable, Stage 5 downgrades gracefully, dropping the DLL into %LOCALAPPDATA% yet applying identical attribute-hardening. Regardless of path, it invokes schtasks.exe (or, in newer builds, the Task Scheduler COM API) to craft an “AsusUpdateServiceUA” job.

Under elevated contexts the task runs on logon with the /RL HIGHEST flag; else it repeats every 30 minutes under the current user.

Figure 2-5 in the original report (“AsusUpdateServiceUA Properties.png”) depicts the job configured to trigger at each sign-in, cementing the foothold.

Subsequent variants bypass schtasks.exe entirely, calling ITaskDefinition::RegisterTaskDefinition so that EDR rules watching command-line artefacts see nothing anomalous.

A final flourish ensures stealth: ArmouryLoader rewrites the PEB’s ImagePathName and the corresponding LDR_DATA_TABLE_ENTRY strings to “explorer.exe” before using CMLuaUtil to relaunch itself with full administrative rights.

Any security product performing superficial process name checks therefore assumes the privilege escalation originated from the Windows shell.

By chaining tampered digital signatures, encrypted GPU workloads and ACL-hardened scheduled tasks, ArmouryLoader offers a durable, low-noise delivery channel that will likely remain attractive to attackers until defenders harden GPU telemetry and restrict task-registration APIs system-wide.

Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches