CountLoader

CountLoader is a multi-stage Windows malware loader, frequently implemented as an HTA-based loader executed via mshta.exe, that has been active in the wild since at least June 2025. It is distributed through multiple vectors including cracked software and fake software download sites, SEO poisoning, fake social media posts, direct messages, phishing chains using CHM/HTA content, trojanized installers disguised as CCleaner, and HTML Application payloads disguised with benign extensions such as .wav, .xml, .mp4, .ini, .csv, and .rar. It has also been observed using a lure filename designed to target security researchers: "source code of carbanak backdoor discovered.exe." CountLoader additionally supports USB propagation by replacing files on removable media with malicious LNK shortcuts.

The malware uses layered obfuscation and staged delivery involving malicious EXE launchers, PowerShell, obfuscated JavaScript, HTA execution through mshta.exe, shellcode injection, and in-memory payload execution. Reported behaviors include hiding the HTA window, self-deletion attempts, AMSI bypass, anti-sandbox checks for hostnames such as AZURE-PC and username Bruno, antivirus/process checks including CrowdStrike Falcon, and persistence via scheduled tasks and, in some reporting, an HKCU Run key. It fingerprints infected hosts, communicates with command-and-control infrastructure using a custom encrypted/XOR-plus-base64 protocol, performs an encrypted handshake, and in some cases obtains JWT tokens for authenticated follow-on requests. Observed tasking includes download-and-execute of EXE, DLL, MSI, HTA, Python, and PowerShell payloads, self-uninstall, browser-data theft, LOLBIN-based download, arbitrary HTA/PowerShell execution, domain or Active Directory reconnaissance, and USB spreading.

CountLoader has been used to deliver multiple follow-on payloads, including cryptocurrency clipper malware, LummaStealer, Amatera, Cobalt Strike, AdaptixC2, PureHVNC RAT, PureMiner, and ACR Stealer. In one large McAfee-observed campaign, the final payload was a cryptocurrency clipper running under systeminfo.exe that monitored clipboard contents and replaced copied wallet addresses with attacker-controlled ones; that payload used EtherHiding to retrieve C2 information from the Ethereum blockchain. Separate reporting linked CountLoader activity to a prior crypto-clipper cluster and assessed overlap with the actor behind the Silent Swap campaign.

Breakglass Intelligence described CountLoader as a professionally operated malware-as-a-service platform disguised as a CCleaner installer. That reporting states it targets more than 50 cryptocurrency wallet extensions across more than 40 browsers; later campaign reporting specified targeting of 76 cryptocurrency wallet browser extensions, six desktop wallet applications, and data from 66 Chromium-based browsers. Named targets include MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Ledger Live, Trezor, Exodus, Atomic Wallet, Guarda, KeepKey, and BitBox02. The same reporting also documented a dedicated Active Directory reconnaissance module that collects local system and domain information, group memberships, domain controller connectivity, Domain Admin membership, domain computers, and domain groups, making the malware relevant both for financial theft and enterprise lateral movement preparation.

Observed infrastructure and indicators include domains such as memory-scanner[.]cc, google-services[.]cc, hell1-kitty[.]cc, hell10-kitty[.]cc, alphazero1-endscape[.]cc, api-microservice-us1[.]com, bucket-aws-s1[.]com, fileless-storage-s3[.]cc, ccleaner[.]gl, web3-walletnotify[.]cc, communicationfirewall-security[.]cc, burning-edge[.]sbs, explorer[.]vg, favourite-guide[.]cc, indeanapolice[.]cc, s1-rarlab[.]com, magnusworkspace[.]com, s3-python[.]cc, node1-py-store[.]com, and node2-py-store[.]com. Reported payload/C2 URLs include https://memory-scanner[.]cc/Presentation[.]pdf and https://edr-security-bucket1[.]cc/. Additional reported indicators include the scheduled-task CLSID {0830A3F8-70B8-40E1-A0F3-E0EC9092F861}, sample SHA-256 hashes 5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a, 4ee17ce2e1ce0ede59dceabbba28265923ce4e25ddb002617e3cc8f13cfff6a3, e27ff6646a2f98b81ea5da4d0d93127f0f3e68a5e6728f404724e388376ede84, and lure filenames including Travel_X_Config_917.wav, Photos_Daily_v3.0.xml, Meeting_Photos_Temp_6194.mp4, Europe_Dataset_Final_334.ini, Sales_Core_Data_518.csv, Omega_Data_NewYork_2087.xml, and Summer_Data_Primary_44.rar.

Victimology and scale vary by campaign. McAfee reported approximately 86,000 unique infected machines in one large campaign, with about 5,000 connections per minute to sinkholed infrastructure and the highest infection counts in India, followed by Indonesia, the United States, and parts of Southeast Asia. CountLoader has been associated with commodity malware delivery, cryptocurrency theft, and enterprise reconnaissance, and multiple reports assess it as a mature, actively maintained loader operation with rapidly rotating infrastructure.