CountLoader: New Malware Loader Being Served in 3 Different Versions
Essential information
- Published: 19/09/2025 08:57
- Modified: 19/09/2025 11:13
- Tags: .net 2025-09-19 adaptixc2 cobaltstrike countloader evasion techniques initial access broker jscript lumma stealer malware loader phishing powershell purehvnc ransomware ukraine
- Related entities: 27 observables, 7 techniques (MITRE), 5 malware, 1 other
Description
A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, BlackBasta, and Qilin groups. CountLoader was recently employed in a phishing campaign targeting Ukrainian citizens, impersonating the Ukrainian police. The loader attempts to connect to multiple C2 servers, downloads and executes various malware payloads, and uses advanced techniques to evade detection. It has been observed dropping CobaltStrike and AdaptixC2, among other malicious tools. The malware's functionality includes system information gathering, persistence mechanisms, and multiple download methods.