CountLoader

Also known as: CountLoader
Malware families: 1

CountLoader is a threat actor associated with malware campaigns targeting cryptocurrency users, with a significant concentration of victims in India. Reported activity includes distribution of a fake "Google Notes" browser extension that steals cryptocurrency by replacing copied wallet addresses with attacker-controlled addresses during transactions. The malware reportedly abuses Chromium browser trust mechanisms to install the extension without user approval, and uses EtherHiding to retrieve command-and-control infrastructure from the blockchain, which complicates detection and takedown. CountLoader has also been observed using a lure file named "source code of carbanak backdoor discovered.exe" to target security researchers.

Its HTA payload reportedly targeted more than 50 cryptocurrency wallet browser extensions, more than 40 Chromium-based browsers, and hardware wallet software including Ledger Live and Trezor. Persistence was achieved with a scheduled task named "CCleanerTaskID" running at a 30-minute interval with a 760-day expiry, and the malware also spread via USB drives using LNK files with mshta callbacks.

Reported infrastructure includes the domain ccleaner[.]gl resolving to 192.109.200[.]130, and burning-edge[.]sbs at 65.21.174[.]205, where phpMyAdmin and MySQL were exposed. The reporting also notes infrastructure overlap with other criminal activity: the ccleaner[.]gl host at 192.109.200[.]130 sits in the same 192.109.200.0/24 PFCLOUD UG block as a QuasarRAT "Sentinel" command-and-control server at 192.109.200[.]147. No nation-state attribution is stated in the reporting. Known alias: countloader.
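The profile above describes four behaviours a defender can hunt for directly: the "CCleanerTaskID" scheduled task with its 30-minute trigger and 760-day expiry, mshta launched from LNK files on USB media, the researcher-targeting lure filename, and the reported domains and IPs. The following script is an added example (not Mallory's code and not from the underlying reporting) that runs those checks over a batch of endpoint and network events. The event shape (dict fields such as `type`, `task_name`, `action`, `interval_minutes`, `expiry_days`, `image`, `parent_image`, `command_line`, `query`, `dst_ip`), the rule names, the year-plus expiry threshold and the drive-letter heuristic are all assumptions for the example; the indicators themselves are the ones quoted on this page, kept defanged in source. The sample telemetry at the bottom is constructed.

```python
import re
from dataclasses import dataclass

# Indicators exactly as reported on the page, kept defanged in source.
REPORTED_DOMAINS = {"ccleaner[.]gl", "burning-edge[.]sbs"}
REPORTED_IPS = {"192.109.200[.]130", "65.21.174[.]205"}
REPORTED_TASK_NAME = "CCleanerTaskID"
REPORTED_LURE_NAME = "source code of carbanak backdoor discovered.exe"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable string."""
    return ioc.replace("[.]", ".")


DOMAINS = {refang(d) for d in REPORTED_DOMAINS}
IPS = {refang(i) for i in REPORTED_IPS}


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def check_scheduled_task(ev: dict) -> list:
    """Persistence: reported task name, reported schedule shape, or an mshta action."""
    out = []
    name, action = ev.get("task_name", ""), ev.get("action", "")
    if name.lower() == REPORTED_TASK_NAME.lower():
        out.append(Finding("task.name.countloader", ev["id"], name))
    # The report gives a 30-minute trigger with a 760-day expiry; the year-plus
    # expiry threshold is an assumed generalisation, not a value from the report.
    if ev.get("interval_minutes") == 30 and ev.get("expiry_days", 0) >= 365:
        out.append(Finding("task.schedule.shape", ev["id"],
                           f"every 30 min, expires in {ev['expiry_days']} days"))
    if "mshta" in action.lower():
        out.append(Finding("task.action.mshta", ev["id"], action))
    return out


def check_process(ev: dict) -> list:
    """Execution: the researcher lure, or mshta launched the way a USB LNK would."""
    out = []
    image = ev.get("image", "").replace("\\", "/").lower()
    parent = ev.get("parent_image", "").replace("\\", "/").lower()
    cmd = ev.get("command_line", "")
    base = image.rsplit("/", 1)[-1]
    if base == REPORTED_LURE_NAME.lower():
        out.append(Finding("lure.carbanak_source", ev["id"], image))
    if base == "mshta.exe" and parent.endswith("explorer.exe"):
        # Heuristic (assumption): explorer-spawned mshta pulling a remote URL or a
        # file on a non-system drive letter matches the LNK-on-USB spread.
        remote = re.search(r"https?://", cmd, re.I)
        other_drive = re.search(r"(?<![a-z])[d-z]:\\", cmd, re.I)
        if remote or other_drive:
            out.append(Finding("mshta.lnk_callback", ev["id"], cmd))
    return out


def check_network(ev: dict) -> list:
    """Network: DNS queries for reported domains or connections to reported IPs."""
    out = []
    host = ev.get("query", "").lower().rstrip(".")
    if host and (host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS)):
        out.append(Finding("net.reported_domain", ev["id"], host))
    if ev.get("dst_ip", "") in IPS:
        out.append(Finding("net.reported_ip", ev["id"], ev["dst_ip"]))
    return out


CHECKS = {"task_created": check_scheduled_task, "process_created": check_process,
          "dns_query": check_network, "net_connect": check_network}


def hunt(events: list) -> list:
    """Run every applicable check over a batch of events and collect findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        if check:
            findings.extend(check(ev))
    return findings


# Constructed sample telemetry: a benign neighbour beside each malicious shape.
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_created", "task_name": "CCleanerTaskID",
     "action": r"C:\Windows\System32\mshta.exe https://ccleaner.gl/",
     "interval_minutes": 30, "expiry_days": 760},
    {"id": 2, "type": "task_created", "task_name": "OneDrive Standalone Update Task",
     "action": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "interval_minutes": 1440, "expiry_days": 0},
    {"id": 3, "type": "process_created", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r"mshta.exe E:\docs\open.hta"},
    {"id": 4, "type": "process_created", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\installer.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"id": 5, "type": "process_created",
     "image": r"C:\Users\u\Downloads\source code of carbanak backdoor discovered.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "discovered.exe"},
    {"id": 6, "type": "dns_query", "query": "ccleaner.gl."},
    {"id": 7, "type": "net_connect", "dst_ip": "65.21.174.205", "dst_port": 3306},
    {"id": 8, "type": "dns_query", "query": "www.ccleaner.com"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} ({f.detail})")
```

Run against the constructed batch, the script flags events 1, 3, 5, 6 and 7 and stays quiet on the OneDrive task, the vendor-installer mshta and the legitimate ccleaner.com lookup. The domain match is suffix-based so subdomains of a reported domain are caught, and the indicators stay defanged in source so the file itself never contains a live URL.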

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇮🇳 India

MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic (7 of the 15 ATT&CK tactics are represented; T1053.005 is listed under each tactic it maps to).
TA0042 Resource Development (1 technique)
  • T1583 Acquire Infrastructure: T1583.003 Virtual Private Server

TA0002 Execution (2 techniques)
  • T1053 Scheduled Task/Job: T1053.005 Scheduled Task
  • T1059 Command and Scripting Interpreter: T1059.007 JavaScript

TA0003 Persistence (1 technique)
  • T1053 Scheduled Task/Job: T1053.005 Scheduled Task

TA0004 Privilege Escalation (1 technique)
  • T1053 Scheduled Task/Job: T1053.005 Scheduled Task

TA0005 Stealth (MITRE name: Defense Evasion) (2 techniques)
  • T1036 Masquerading
  • T1218 System Binary Proxy Execution: T1218.005 Mshta

TA0006 Credential Access (1 technique)
  • T1555 Credentials from Password Stores: T1555.003 Credentials from Web Browsers

TA0009 Collection (1 technique)
  • T1115 Clipboard Data
IOCS

Observables

15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Target overlap
  Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (7)
  Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (1)
  Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs
  CVEs this actor has used in known campaigns.

Detection signatures
  YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (15)
  Domains, IPs, and hashes tied to this actor, refreshed continuously.