Malware Loader — CountLoader Threat Analysis Report — By CyberDudeBivash Date: September 19, 2025

 


Executive summary

CountLoader is a newly observed multi-version malware loader used to deliver post-exploitation tooling (Cobalt Strike, AdaptixC2) and remote access trojans (PureHVNC/PureRAT). It has been seen in at least three implementations (.NET, PowerShell, and JScript delivered as an HTA) and has been distributed in PDF/ZIP phishing lures, notably a campaign impersonating Ukrainian police. Public reporting ties CountLoader activity to Russian-language ransomware ecosystems (LockBit, BlackBasta, Qilin), either directly or through Initial Access Broker (IAB) activity that feeds those ecosystems. (Silent Push and other reporting)


1 — Key findings (short)

  • Multi-version loader: .NET, PowerShell and JScript (HTML Application, HTA) variants have been observed. (Silent Push and other reporting)

  • Delivery vectors: weaponized PDFs/ZIPs and social-engineering lures (e.g., impersonating Ukrainian police, fake job offers, ClickFix pages). (Silent Push and other reporting)

  • Post-drop payloads: Cobalt Strike, AdaptixC2, PureHVNC RAT (and other commodity malware/infostealers). (The Hacker News and other reporting)

  • Infrastructure: more than 20 domains observed sharing a common /api/getFile?fn= download path and other fingerprintable traits; sample domains: app-updater[.]app, app-updater1[.]app, app-updater2[.]app, ms-team-ping2[.]com, grouptelecoms[.]com, etc. (Silent Push)

  • Techniques: use of LOLBins (certutil, bitsadmin, curl, msiexec, rundll32, PowerShell, MSXML/WinHTTP), scheduled-task persistence masquerading as a Google/Chrome updater, and domain-based C2 retry logic with very high retry counts. (The Hacker News and other reporting)


2 — Technical analysis

2.1 Variants & capabilities

  • JScript / HTA version (most feature-rich): Implements six download methods (curl, PowerShell, MSXML2.XMLHTTP, WinHTTP, bitsadmin, certutil) and three execution methods, enumerates the victim environment (including whether the host is domain-joined), stages files in the user's Music folder, and can download DLL or MSI payloads that it executes with rundll32.exe or msiexec.exe. (The Hacker News and other reporting)

  • PowerShell version: Previously observed by Kaspersky (June 2025 reporting) in campaigns using DeepSeek-themed AI phishing decoys. It includes an encrypted/obfuscated command generator and abuses LOLBins. (Silent Push)

  • .NET version: Functionally similar but with a reduced feature set (supports fewer UpdateType commands, such as .zip and .exe). (Silent Push)

2.2 TTPs (high-value)

  • Initial access: Phishing with weaponized PDFs or social engineering (fake police notices, job offers, ClickFix). (Silent Push and other reporting)

  • Execution and persistence: Execution via HTA or PowerShell; persistence via a scheduled task posing as a Chrome/Google updater. (The Hacker News)

  • Follow-on tooling: Downloads and stages Cobalt Strike, AdaptixC2 and PureHVNC RAT; some delivered payloads carry proxying/browser-traffic manipulation capabilities (BrowserVenom style). (The Hacker News)

  • Evasion: Uses legitimate OS tools (certutil, bitsadmin, msiexec, rundll32), encrypted command strings, and persistent C2 retry loops that blend into normal traffic and complicate takedown. (Silent Push and other reporting)


3 — Indicators of Compromise (IOCs) — sample list

Domain / Host (sample extracted from public reporting; validate against your own telemetry before blocking):
app-updater[.]app, app-updater1[.]app, app-updater2[.]app, ms-team-ping2[.]com, grouptelecoms[.]com, limenlinon[.]com, misctoolsupdate[.]com, officetoolservices[.]com, onlinenetworkupdate[.]com, quasuar[.]com. (Silent Push)

Network patterns / HTTP path: Requests with /api/getFile?fn= used across multiple related domains (shared path fingerprint). (Silent Push)

Behavioral IOCs:

  • Creation of a scheduled task named to resemble a Google/Chrome update. (The Hacker News)

  • Staging of downloaded payloads under %USERPROFILE%\Music\. (The Hacker News)

  • Use of certutil/bitsadmin/curl/msiexec/rundll32 for file retrieval and execution. (The Hacker News)

Payloads commonly observed: Cobalt Strike beacons, AdaptixC2 implants, PureHVNC RAT, and various infostealers (reported alongside loader domains). (The Hacker News and other reporting)

Important: this is a non-exhaustive IOC set. CountLoader infrastructure is actively evolving; integrate these IOCs into blocklists and watchlists, but rely primarily on behavior detection and telemetry for coverage. (Silent Push)


4 — Detection & hunting recipes (practical)

4.1 High-priority EDR / SIEM hunts

  1. Scheduled-task creation with updater-like names
    SIEM/EDR query: detect scheduled-task creation events (Windows Security event 4698, or your EDR's equivalent) where TaskName contains update, updater, google or chrome and the creating/parent process is mshta.exe, wscript.exe, cscript.exe, or powershell.exe. Genuine updater tasks are not created by script hosts, so the parent-process condition is what keeps this quiet. (Tune to reduce false positives.)

  2. Unusual use of LOLBins for file download + execution
    Detect certutil.exe, bitsadmin.exe, curl.exe, msiexec.exe or rundll32.exe invoked with URL/download arguments (e.g., certutil -urlcache, bitsadmin /transfer) shortly after an mshta/wscript/cscript/powershell execution on the same host.

  3. HTTP(s) requests to /api/getFile?fn= across multiple domains
    Network telemetry: flag internal hosts making HTTP GET requests to external domains whose path is /api/getFile with an fn= query parameter (or similar query-string patterns), regardless of whether the domain is already on a blocklist.

  4. Files staged in Music folder
    Endpoint monitoring for creation of new executables, DLLs, or MSI files inside %USERPROFILE%\Music\ (and subfolders), especially if followed by rundll32/msiexec execution.

4.2 Sigma-style example (concept)

  title: Suspicious Updater Task Followed by LOLBin Download
  id: 8f3d5b2a-CountLoader-hunt
  status: experimental
  logsource:
      product: windows
      service: security
  detection:
      selection:
          EventID: 4698          # scheduled task created
          TaskName|contains:     # any of these words, not all of them
              - 'update'
              - 'updater'
              - 'google'
              - 'chrome'
      condition: selection
  level: high

(Adapt the logsource and field names for your SIEM, replace the placeholder id with a UUID before deploying, and tune for noise: on its own this rule will also match legitimate Google/Chrome updater tasks, so pair it with the parent-process condition from hunt 1 or a 4698 SubjectUserName/process filter.)

4.3 YARA (conceptual) hints

  • YARA for JScript/HTA variants: look for strings referencing several of the download methods (MSXML2.XMLHTTP, WinHttpRequest, bitsadmin, certutil) together with an execution primitive (rundll32, msiexec), or for the api/getFile?fn= literal. Avoid over-broad matching: any single LOLBin name also appears in legitimate admin scripts, so require a combination (e.g., three download methods plus an execution method, or the C2 path literal) rather than any one string.
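An added sketch of that combined-condition logic in Python, written for this page rather than taken from any published rule; the string groups, thresholds and the three constructed samples are assumptions to tune against your own sample set. The equivalent YARA condition is given in the docstring as an assumed rule layout.

```python
import re

# String groups modelled on the behaviours described for the JScript/HTA
# variant (constructed for illustration; not an extracted signature).
DOWNLOAD_METHODS = {
    "msxml":      re.compile(r"MSXML2\.XMLHTTP", re.I),
    "winhttp":    re.compile(r"WinHttp\.WinHttpRequest", re.I),
    "bitsadmin":  re.compile(r"\bbitsadmin\b", re.I),
    "certutil":   re.compile(r"\bcertutil\b", re.I),
    "curl":       re.compile(r"\bcurl\b", re.I),
    "powershell": re.compile(r"\bpowershell\b", re.I),
}
EXEC_METHODS = re.compile(r"\b(rundll32|msiexec)\b", re.I)
GETFILE = re.compile(r"/api/getFile\?fn=", re.I)


def classify(text, min_download_methods=3):
    """Mirror of an assumed YARA condition:
         $getfile or (3 of ($dl_*) and 1 of ($exec_*))
    A lone LOLBin name never matches; the C2 path literal alone does."""
    hits = sorted(n for n, p in DOWNLOAD_METHODS.items() if p.search(text))
    has_exec = bool(EXEC_METHODS.search(text))
    has_getfile = bool(GETFILE.search(text))
    verdict = has_getfile or (len(hits) >= min_download_methods and has_exec)
    return {"match": verdict, "download_methods": hits,
            "exec": has_exec, "getfile": has_getfile}


# Constructed samples: a loader-like script, a benign admin script that
# mentions two LOLBins, and a fragment carrying only the C2 path literal.
LOADER_LIKE = r'''
var x = new ActiveXObject("MSXML2.XMLHTTP");
var w = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
var sh = new ActiveXObject("WScript.Shell");
sh.Run("certutil -urlcache -split -f " + u + " " + f, 0, true);
sh.Run("bitsadmin /transfer j /download " + u + " " + f, 0, true);
sh.Run("rundll32 " + f + ",Start", 0, true);
'''
ADMIN_SCRIPT = r'''
# nightly certificate refresh
certutil -f -addstore root C:\certs\corp-root.cer
powershell -File C:\Scripts\rotate-logs.ps1
'''
PATH_ONLY = "GET /api/getFile?fn=stage2.msi HTTP/1.1"

if __name__ == "__main__":
    for name, sample in (("loader", LOADER_LIKE), ("admin", ADMIN_SCRIPT), ("path", PATH_ONLY)):
        print(name, classify(sample))
```

The loader-like sample trips four download methods plus rundll32 and matches; the admin script references certutil and powershell but neither enough methods nor an execution primitive, so it does not; the bare path literal matches on its own because that string has no legitimate reason to appear. The threshold is the tuning knob: lower it and the admin-script false positive returns.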


5 — Mitigations & remediation (actionable)

Immediate (0–24 hours)

  • Block known domains at perimeter/proxy/firewall: ingest the domain list above into DNS and web proxies (and mark for takedown requests where appropriate). (Silent Push)

  • Deploy or escalate EDR rules that alert on scheduled tasks created by mshta/wscript/cscript/powershell and block suspicious msiexec/rundll32 child processes of those script hosts. (The Hacker News)

  • Quarantine endpoints that show the /api/getFile?fn= pattern or downloads from the listed domains, and collect full forensic artifacts (memory, disk image, network capture) before remediation destroys them.

Short term (24–72 hours)

  • Hunt for secondary payloads: search telemetry for Cobalt Strike beacons (known C2 patterns), AdaptixC2 indicators and PureHVNC communications. (The Hacker News)

  • Reset or revoke credentials for any accounts suspected of compromise; rotate service credentials and re-enrol MFA where applicable, since a loader that delivers Cobalt Strike or a RAT gives the operator access to whatever the logged-on user can reach.

Longer term / strategic

  • Constrain and monitor LOLBin usage via application control policies (allow legitimate uses, deny or alert on non-standard contexts). (The Hacker News)

  • Implement phishing-resilience training that covers weaponized PDFs and fake update lures. (Silent Push)

  • Tighten endpoint protections: enable application allowlisting, restrict mshta, wscript, certutil and bitsadmin usage to admin workflows only, and ensure EDR telemetry retention for retrospective hunts.


6 — Attribution & assessment

  • Who benefits / likely operators: Silent Push (and corroborating sources) assess that CountLoader is either an IAB toolkit or is being used by ransomware affiliates linked to the LockBit, BlackBasta and Qilin families; in either case the loader serves Russian-language ransomware operations. Confidence: medium-high, based on payload overlap (Cobalt Strike, AdaptixC2, PureHVNC) and targeting (Ukraine-themed lures). (Silent Push and other reporting)

  • Operational risk: High for organizations with employees in targeted geographies or with lax endpoint controls; CountLoader's multiple download and execution methods and modular payload approach make it a flexible initial-access vector that can deliver a variety of post-exploitation tools. (Silent Push and other reporting)


7 — Recommended detection playbook (quick checklist)

  1. Ingest the sample domain blocklist into DNS/proxy/URL filtering. (Silent Push)

  2. Add SIEM rules for /api/getFile?fn= HTTP requests and for scheduled-task names imitating updaters. (Silent Push and other reporting)

  3. Hunt for new files in %USERPROFILE%\Music\ and for child processes of mshta/wscript spawning rundll32/msiexec. (The Hacker News)

  4. Search for Cobalt Strike / AdaptixC2 / PureHVNC indicators in network telemetry and EDR. (The Hacker News)

  5. Revoke exposed credentials; notify affected business units and begin forensic triage if matches found.


Appendix — Sample IOC block

Domains:
  app-updater[.]app
  app-updater1[.]app
  app-updater2[.]app
  ms-team-ping2[.]com
  grouptelecoms[.]com
  limenlinon[.]com
  misctoolsupdate[.]com
  officetoolservices[.]com
  onlinenetworkupdate[.]com
  quasuar[.]com

HTTP path pattern: */api/getFile?fn=*

Detection hints:
  • Look for scheduled tasks with 'update' in the name created by mshta/wscript/powershell.
  • Look for new executables placed under %USERPROFILE%\Music\ and immediate execution via rundll32/msiexec.

(Confirm and expand with your telemetry; IOCs are actively evolving.) (Silent Push)


Sources & further reading

  • Silent Push: "CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions" (detailed technical write-up, domain list, behavioral notes).

  • The Hacker News: "CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader" (summary and context on payloads and attribution).

  • GBHackers, Cyber Security News, SCWorld, CyberPress: contemporaneous reporting aggregating technical and IOC details.


Hashtags: #CyberDudeBivash #CountLoader #ThreatIntel #Ransomware #MalwareLoader #IOCs #CyberSecurity #ThreatHunting
