Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader.
The campaign “uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families,” Cyderes Howler Cell Threat Intelligence team said in an analysis.
CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader’s ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been detected in the wild since at least June 2025.
The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word, which causes them to be redirected to a MediaFire link hosting a malicious ZIP archive, which contains an encrypted ZIP file and a Microsoft Word document with the password to open the second archive.
Present within the ZIP file is a renamed legitimate Python interpreter (“Setup.exe”) that has been configured to execute a malicious command to retrieve CountLoader 3.2 from a remote server using “mshta.exe.”
To establish persistence, the malware creates a scheduled task that mimics Google by using the name “GoogleTaskSystem136.0.7023.12” along with an identifier-like string. It’s configured to run every 30 minutes for 10 years by invoking “mshta.exe” with a fallback domain.
It also checks if CrowdStrike’s Falcon security tool is installed on the host by querying the antivirus list via Windows Management Instrumentation (WMI). If the service is detected, the persistence command is tweaked to “cmd.exe /c start /b mshta.exe
CountLoader is equipped to profile the compromised host and fetch the next-stage payload. The newest version of the malware adds capabilities to propagate via removable USB drives and execute the malware directly in memory via “mshta.exe” or PowerShell. The complete list of supported features is as follows-
- Download an executable from a provided URL and execute it
- Download a ZIP archive from a provided URL and executes either a Python-based module or an EXE file present within it
- Download a DLL from a provided URL and run it via “rundll32.exe”
- Download an MSI installer package and install it
- Remove a scheduled task used by the loader
- Collect and exfiltrate extensive system information
- Spread via removable media by creating malicious shortcuts (LNK) next to their hidden original counterparts that, when launched, execute the original file and run the malware via “mshta.exe” with a C2 parameter
- Directly launch “mshta.exe” against a provided URL
- Execute a remote PowerShell payload in memory
In the attack chain observed by Cyderes, the final payload deployed by the CountLoader is an information stealer known as ACR Stealer, which is equipped to harvest sensitive data from infected hosts.
“This campaign highlights CountLoader’s ongoing evolution and increased sophistication, reinforcing the need for proactive detection and layered defense strategies,” Cyderes said. “Its ability to deliver ACR Stealer through a multi-stage process starting from Python library tampering to in-memory shellcode unpacking highlights a growing trend of signed binary abuse and fileless execution tactics.”
YouTube Ghost Network Delivers GachiLoader
The disclosure comes as Check Point disclosed details of a new, heavily obfuscated JavaScript malware loader dubbed GachiLoader that’s written in Node.js. The malware is distributed by means of the YouTube Ghost Network, a network of compromised YouTube accounts that engage in malware distribution.
“One variant of GachiLoader deploys a second-stage malware, Kidkadi, that implements a novel technique for Portable Executable (PE) injection,” security researchers Sven Rath and Jaromír Hořejší said. “This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload.”
As many as 100 YouTube videos have been flagged as part of the campaign, amassing approximately 220.000 views. These videos were uploaded from 39 compromised accounts, with the first video dating back to December 22, 2024. A majority of these videos have since been taken down by Google.
In at least one case, GachiLoader has served as a conduit for the Rhadamanthys information stealer malware. Like other loaders, GachiLoader is used to deploy additional payloads to an infected machine, while simultaneously performing a series of anti-analysis checks to fly under the radar.
It also verifies if it’s running in an elevated context by executing the “net session” command. In the event the execution fails, it attempts to start itself with admin privileges, which, in turn, triggers a User Account Control (UAC) prompt. There are high chances that the victim will allow it to continue, as the malware is likely to be distributed through fake installers for popular software, as outlined in the case of CountLoader.
In the last phase, the malware attempts to kill “SecHealthUI.exe,” a process associated with Microsoft Defender, and configures Defender exclusions to avoid the security solution from flagging malicious payloads staged in certain folders (e.g., C:Users, C:ProgramData, and C:Windows).
GachiLoader then proceeds to either directly fetch the final payload from a remote URL or employ another loader named “kidkadi.node,” which then loads the main malware by abusing Vectored Exception Handling.
“The threat actor behind GachiLoader demonstrated proficiency with Windows internals, coming up with a new variation of a known technique,” Check Point said. “This highlights the need for security researchers to stay up-to-date with malware techniques such as PE injections and to proactively look for new ways in which malware authors try to evade detection.”
