Cracked Software And Youtube Videos Spread Countloader And...
Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader.
The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," Cyderes Howler Cell Threat Intelligence team said in an analysis.
CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader's ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been detected in the wild since at least June 2025.
The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word, which causes them to be redirected to a MediaFire link hosting a malicious ZIP archive, which contains an encrypted ZIP file and a Microsoft Word document with the password to open the second archive.
Present within the ZIP file is a renamed legitimate Python interpreter ("Setup.exe") that has been configured to execute a malicious command to retrieve CountLoader 3.2 from a remote server using "mshta.exe."
To establish persistence, the malware creates a scheduled task that mimics Google by using the name "GoogleTaskSystem136.0.7023.12" along with an identifier-like string. It's configured to run every 30 minutes for 10 years by invoking "mshta.exe" with a fallback domain.
It also checks if CrowdStrike's Falcon security tool is installed on the host by querying the antivirus list via Windows Management Instrumentation (WMI). If the service is detected, the persistence command is tweaked to "cmd.exe /c start /b mshta.exe
CountLoader is equipped to profile the compromised host and fetch the next-stage payload. The newest version of the malware adds capabilities to propagate via removable USB drives and execute the malware directly in memory via "mshta.exe" or PowerShell. The complete list of supported features is as follows-
In the attack chain observed by Cyderes, the final payload deployed by the CountLoader is an information stealer known as ACR Stealer, which is equipped to harvest sensitive data from infected hosts.
"This campaign highlights CountLoader's ongoing evolution and increased sophistication, reinforcing the need for proactive detection and layered defense s
Source: The Hacker News
