Perceptive Security
SOC/SIEM Consultancy

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware
Published:
19 December 2025 at 15:34:00
Alert date:
19 December 2025 at 16:02:35
Source:
thehackernews.com
Ransomware & Malware, Web Technologies
Cybersecurity researchers have discovered a new campaign that uses cracked-software distribution sites to spread the CountLoader malware. CountLoader serves as the initial stage of a multistage attack, providing access, evasion, and delivery of additional malware families, including GachiLoader. The campaign relies on cracked software and YouTube videos as its lures. CountLoader is described as a modular and stealthy loader designed to evade detection and establish persistence.
Technical details
CountLoader 3.2 is distributed through cracked-software sites via MediaFire links that host malicious ZIP archives; each archive contains an encrypted ZIP with a password-protected Word document. The malware uses a renamed Python interpreter (Setup.exe) to execute malicious commands via mshta.exe. It establishes persistence through scheduled tasks that mimic Google services, configured to run every 30 minutes for 10 years. The malware detects CrowdStrike Falcon and modifies its behavior accordingly. CountLoader can propagate via USB drives, execute in memory via mshta.exe or PowerShell, and deploys ACR Stealer as its final payload.
GachiLoader is a Node.js-based JavaScript malware loader distributed through the YouTube Ghost Network, using compromised YouTube accounts. It performs anti-analysis checks, attempts a UAC bypass, kills SecHealthUI.exe, configures Defender exclusions, and uses Vectored Exception Handling for PE injection through a loader named kidkadi.node.
Mitigation steps:
Implement proactive detection and layered defenses. Monitor for suspicious scheduled tasks that mimic Google services. Watch for mshta.exe and PowerShell execution patterns. Detect USB propagation via malicious LNK files. Monitor for changes to Defender exclusions and for attempts to terminate SecHealthUI.exe. Use behavioral analysis to detect fileless execution and abuse of signed binaries.
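The following script is an added example, not part of the Perceptive alert or of the research it cites. It turns the detection points above (Google-lookalike scheduled tasks, fileless mshta.exe execution, Defender exclusion changes, SecHealthUI.exe termination) into simple rules and runs them over a constructed set of flattened Windows telemetry records. The event field names, the sample paths and the benign control events are assumptions; only GoogleTaskSystem136.0.7023.12, Setup.exe, mshta.exe, SecHealthUI.exe and the listed directories come from the alert.

```python
"""Toy detection rules for the CountLoader / GachiLoader behaviours in the alert.

Added example. The event schema is an assumption: a flattened view of Security
4698 (task created), Sysmon 1/5 (process created/terminated) and Defender
exclusion-change telemetry, as a SIEM might normalise it.
"""
import re

# Constructed sample events. Only the task name, Setup.exe, mshta.exe,
# SecHealthUI.exe and the C:\Users / C:\ProgramData paths are from the alert;
# the benign control events are invented for illustration.
SAMPLE_EVENTS = [
    {"type": "task_created", "task": "GoogleTaskSystem136.0.7023.12",
     "command": r"C:\ProgramData\Setup.exe", "interval_min": 30, "duration_days": 3650},
    {"type": "task_created", "task": "GoogleUpdateTaskMachineUA",  # benign control
     "command": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "interval_min": 60, "duration_days": 0},
    {"type": "process_created", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\ProgramData\Setup.exe",
     "cmdline": 'mshta.exe vbscript:Execute("...")'},
    {"type": "process_created", "image": r"C:\Windows\System32\mshta.exe",  # benign control
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Documents\report.hta"},
    {"type": "defender_exclusion_added", "path": r"C:\ProgramData",
     "by": r"C:\ProgramData\Setup.exe"},
    {"type": "process_terminated", "image": r"C:\Windows\System32\SecHealthUI.exe",
     "by": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
]

# Assumed allowlist: genuine Google updater tasks run from the Google install
# directories, so a "Google" task whose action lives elsewhere is suspicious.
GOOGLE_INSTALL_DIRS = ("c:\\program files\\google\\",
                       "c:\\program files (x86)\\google\\")
# Directories the alert names as used by the loader; treated as user-writable.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# mshta.exe given an inline protocol handler runs script without a file on disk.
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.I)


def google_lookalike_task(ev):
    """Task named after Google but executing outside Google's install dirs."""
    name, cmd = ev["task"].lower(), ev["command"].lower()
    if "google" not in name or cmd.startswith(GOOGLE_INSTALL_DIRS):
        return False
    return True


def long_lived_high_frequency(ev):
    """The alert's persistence profile: every 30 minutes, for 10 years."""
    return ev.get("interval_min", 0) <= 30 and ev.get("duration_days", 0) >= 3650


def suspicious_mshta(ev):
    """mshta.exe with an inline script, or spawned from a user-writable path."""
    if not ev["image"].lower().endswith(r"\mshta.exe"):
        return False
    parent = ev["parent"].lower()
    return bool(INLINE_SCRIPT.search(ev["cmdline"])) or parent.startswith(USER_WRITABLE)


def detect(events):
    """Return (rule, detail, severity) tuples for every event that fires a rule."""
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "task_created" and google_lookalike_task(ev):
            sev = "high" if long_lived_high_frequency(ev) else "medium"
            findings.append(("google_lookalike_task", ev["task"], sev))
        elif t == "process_created" and suspicious_mshta(ev):
            findings.append(("fileless_mshta", ev["parent"], "high"))
        elif t == "defender_exclusion_added":
            # Any exclusion change is worth review; the loader adds them itself.
            findings.append(("defender_exclusion_change", ev["path"], "medium"))
        elif t == "process_terminated" and ev["image"].lower().endswith(r"\sechealthui.exe"):
            findings.append(("security_ui_killed", ev["by"], "high"))
    return findings


if __name__ == "__main__":
    for rule, detail, sev in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

The two benign control events (a real Google updater task and an mshta.exe launch of a local .hta from explorer.exe) are there to show that the rules key on the combination the alert describes, not on the process name alone; in a production SIEM the allowlists would also check code signatures rather than paths.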
Affected products:
Microsoft Word
Python interpreter
Windows Management Instrumentation (WMI)
CrowdStrike Falcon
Microsoft Defender
Node.js
Related links:
https://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader
https://thehackernews.com/2025/09/researchers-expose-svg-and-purerat.html
https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.html
https://thehackernews.com/2025/02/new-malware-campaign-uses-cracked.html
https://thehackernews.com/2025/10/3000-youtube-videos-exposed-as-malware.html
https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/
https://learn.microsoft.com/en-us/windows/win32/debug/vectored-exception-handling
https://support.microsoft.com/en-us/windows/user-account-control-settings-d5b2046b-dcb8-54eb-f732-059f321afe18
https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693
https://github.com/CheckPointSW/VectoredOverloading
Related CVEs:
Related threat actors:
IOCs:
GoogleTaskSystem136.0.7023.12, Setup.exe (renamed Python interpreter), mshta.exe, SecHealthUI.exe, kidkadi.node, C:\Users\, C:\ProgramData\, C:\Windows\
This article was created with the assistance of AI technology by Perceptive.
