CountLoader: New Malware Loader Being Served in 3 Different Versions
Sept. 19, 2025, 11:13 a.m.
Description
A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, BlackBasta, and Qilin groups. CountLoader was recently employed in a phishing campaign targeting Ukrainian citizens, impersonating the Ukrainian police. The loader attempts to connect to multiple C2 servers, downloads and executes various malware payloads, and uses advanced techniques to evade detection. It has been observed dropping CobaltStrike and AdaptixC2, among other malicious tools. The malware's functionality includes system information gathering, persistence mechanisms, and multiple download methods.
Date
- Created: Sept. 19, 2025, 8:57 a.m.
- Published: Sept. 19, 2025, 8:57 a.m.
- Modified: Sept. 19, 2025, 11:13 a.m.
Indicators
Additional Information
- Ukraine