CountLoader
CountLoader is a threat actor associated with malware campaigns targeting cryptocurrency users, with a significant concentration of victims in India. Reported activity includes distribution of a fake Google Notes browser extension that steals cryptocurrency by replacing copied wallet addresses with attacker-controlled addresses while a transaction is being set up (clipboard hijacking). The malware reportedly abuses Chromium browser trust mechanisms to install the extension without user approval and uses EtherHiding to retrieve command-and-control infrastructure from the blockchain, which complicates detection and takedown because the C2 pointer cannot be removed by a conventional domain or hosting takedown.

CountLoader has also been observed using a lure file named "source code of carbanak backdoor discovered.exe" to target security researchers. Its HTA payload reportedly targeted more than 50 cryptocurrency wallet browser extensions, more than 40 Chromium-based browsers, and hardware wallet software including Ledger Live and Trezor. Persistence included a scheduled task named "CCleanerTaskID" with a 30-minute interval and a 760-day expiry, and the malware also spread via USB drives using LNK files that call back through mshta.

Reported infrastructure includes the domain ccleaner[.]gl resolving to 192.109.200[.]130, and burning-edge[.]sbs at 65.21.174[.]205, where phpMyAdmin and MySQL were exposed. The ccleaner[.]gl host at 192.109.200[.]130 sat in the same 192.109.200.0/24 PFCLOUD UG block as a QuasarRAT "Sentinel" command-and-control server at 192.109.200[.]147. A shared /24 at a hosting provider is a weak link on its own; it is a pivot for further investigation rather than evidence that the two operations are run by the same actor. No nation-state attribution has been reported. Known alias: countloader.
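The behaviours above translate directly into hunt logic. The following is an added example written for this page, not code from Mallory or from any of the cited reporting: it applies the reported host indicators (mshta launched with a remote URL, the CCleanerTaskID task and its 30-minute interval, the researcher lure filename) and network indicators (the two reported IPs, plus lower-confidence co-hosting in 192.109.200.0/24) to Sysmon-style ProcessCreate (EventID 1) and NetworkConnect (EventID 3) events. The event lines, including the command lines and the destination port values, are constructed for illustration; only the IPs, domain, task name and lure filename come from the page.

```python
"""Hunt for the CountLoader behaviours reported on this page in Sysmon-style events.

Added example, not code from Mallory or from any reporting vendor. Field names
follow Sysmon ProcessCreate (EventID 1) and NetworkConnect (EventID 3) events,
serialised one JSON object per line; SAMPLE_EVENTS below is constructed.
"""
import ipaddress
import json
import re

# Indicators from the page's reporting.
ACTOR_IPS = {
    ipaddress.ip_address("192.109.200.130"),  # ccleaner[.]gl
    ipaddress.ip_address("65.21.174.205"),    # burning-edge[.]sbs
}
# PFCLOUD UG block shared with the QuasarRAT "Sentinel" C2: co-hosting only,
# so a hit here is flagged at lower confidence than an exact IP match.
ACTOR_NETS = [ipaddress.ip_network("192.109.200.0/24")]
TASK_NAME = "ccleanertaskid"
LURE_NAME = "source code of carbanak backdoor discovered.exe"

URL_RE = re.compile(r"https?://", re.IGNORECASE)
INTERVAL_RE = re.compile(r"/sc\s+minute\s+/mo\s+30\b")


def _basename(path):
    """Last path component, lower-cased, so rules ignore case and install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules for ProcessCreate events; returns (severity, detail) pairs."""
    hits = []
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    parent = _basename(ev.get("ParentImage", ""))
    if image == "mshta.exe" and URL_RE.search(cmd):
        detail = "mshta.exe launched with remote URL"
        if parent == "explorer.exe":
            detail += " from explorer.exe (consistent with an LNK opened from removable media)"
        hits.append(("high", detail))
    if image == "schtasks.exe" and "/create" in cmd.lower():
        low = cmd.lower()
        if TASK_NAME in low:
            hits.append(("high", "scheduled task CCleanerTaskID created"))
        elif INTERVAL_RE.search(low):
            hits.append(("medium", "30-minute scheduled task created (matches reported interval)"))
    if image == LURE_NAME:
        hits.append(("high", "known researcher lure filename executed"))
    return hits


def check_network(ev):
    """Rules for NetworkConnect events: exact IOC match first, then /24 co-hosting."""
    try:
        dst = ipaddress.ip_address(ev.get("DestinationIp", ""))
    except ValueError:
        return []
    if dst in ACTOR_IPS:
        return [("high", "connection to known CountLoader IP %s" % dst)]
    return [("medium", "connection to %s, co-hosted in actor block %s" % (dst, net))
            for net in ACTOR_NETS if dst in net]


def scan(lines):
    """Apply the rules to JSON-lines events; returns one finding dict per hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        hits = check_process(ev) if eid == 1 else check_network(ev) if eid == 3 else []
        findings.extend({"line": n, "severity": sev, "detail": d} for sev, d in hits)
    return findings


# Constructed sample telemetry: five malicious-looking events and two benign ones.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe http://ccleaner.gl/", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn CCleanerTaskID /sc minute /mo 30 /tr \"mshta http://ccleaner.gl/\"", "ParentImage": "C:\\Windows\\System32\\mshta.exe"}',
    r'{"EventID": 3, "Image": "C:\\Windows\\System32\\mshta.exe", "DestinationIp": "192.109.200.130", "DestinationPort": 80}',
    r'{"EventID": 3, "Image": "C:\\Users\\alice\\app.exe", "DestinationIp": "192.109.200.147", "DestinationPort": 443}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443}',
    r'{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\source code of carbanak backdoor discovered.exe", "CommandLine": "\"source code of carbanak backdoor discovered.exe\"", "ParentImage": "C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("line %d [%s] %s" % (f["line"], f["severity"], f["detail"]))
```

The network rule deliberately separates an exact IOC match from a /24 hit: the second is the same co-hosting observation the reporting makes about the QuasarRAT server, and it should drive a review rather than an automatic block. Ordinary mshta or schtasks use will not fire the process rules; only the combination of mshta with a remote URL, or a task creation carrying the reported name or interval, does.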
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇮🇳 India
Tradecraft
7 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Associated with a malicious campaign distributing a fake Google Notes browser extension that steals cryptocurrency by replacing copied wallet addresses with attacker-controlled ones and uses EtherHiding to retrieve command-and-control infrastructure from the blockchain.
Malware operation using fake CCleaner-themed infrastructure and HTA payloads to target cryptocurrency wallets and lure security researchers, with infrastructure colocated in the same /24 as evilgrou-tech Sentinel C2.