Jun 3, 2026
C2 Hosts: 2
CountLoader
According to Silent Push, this malware exists in multiple versions, including .NET, PowerShell, and JScript. They believe it is part of an IAB toolset or used by a affiliate with ties to LockBit, BlackBasta, and Qilin ransomware groups. CountLoader was also recently used in a PDF-based phishing lure targeting individuals in Ukraine, in a campaign that impersonated the Ukrainian police.
C2 Infrastructure
Hosting/VPS 100%
Last 7 days
| Date | C2 Hosts |
|---|---|
| Jun 3, 2026 | 2 |
Further Reading
From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader opens in a new tab
Discover how the latest CountLoader variant facilitates a multistage malware attack, culminating in the deployment of the ACR Stealer for credential theft.
cyderes.com
CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions opens in a new tab
Silent Push discovered a new malware loader, we're naming “CountLoader.” The threat is served in .NET, PowerShell, and JScript versions.
silentpush.com