Skip to content
Malware family

CountLoader

CountLoader is a multi-stage Windows malware loader, frequently delivered as an HTA-based payload executed via mshta.exe and heavily obfuscated to evade detection.

Profile source: Mallory opens in a new tab

CountLoader

Family profile

CountLoader is a multi-stage Windows malware loader, frequently delivered as an HTA-based payload executed via mshta.exe and heavily obfuscated to evade detection. Reported infection vectors include phishing attachments, cracked or free software downloads, SEO poisoning, fake social media posts, direct messages, ClickFix-style lures, trojanized installers masquerading as CCleaner, and HTML Application files disguised with benign extensions such as .wav, .xml, .mp4, .ini, .csv, and .rar. It has also been observed spreading via USB drives by replacing files with malicious LNK shortcuts.

Observed execution chains include malicious EXE launchers, PowerShell download cradles, obfuscated JavaScript, HTA execution through mshta.exe, shellcode injection, and in-memory payload execution. CountLoader establishes persistence through scheduled tasks, including names such as CCleanerTaskID and NVIDIA App SelfUpdate_{MD5_hash}, and has also been reported using an HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and HTA relaunch. It performs anti-analysis and evasion checks, including sandbox hostname checks such as AZURE-PC and Bruno, locale checks including SYSTEM/СИСТЕМА, antivirus/process checks including CrowdStrike Falcon, AMSI bypass, hidden or off-screen HTA windows, self-deletion, and alternate execution chains when Falcon is detected.

CountLoader communicates with command-and-control infrastructure using a custom XOR-plus-base64 protocol; reporting also describes a variant that prepended a plaintext six-digit XOR key and, in some versions, additionally encoded traffic as UTF-16LE before base64. It performs encrypted handshakes such as checkStatus, registers infected hosts, obtains JWT tokens for authenticated follow-on requests, and retrieves tasking from endpoints such as /getUpdates. Reported tasking supports download-and-execute of EXE, DLL, MSI, HTA, Python, and PowerShell payloads, rundll32 execution, LOLBIN-based download methods, self-delete/uninstall, browser and wallet data theft, domain or Active Directory reconnaissance, and USB propagation.

The malware fingerprints victims and collects host information including OS, CPU, disk, antivirus, domain details, installed cryptocurrency wallets, browser extensions, and browser profile paths. Multiple reports state that CountLoader targets cryptocurrency wallet extensions at scale, with observed targeting ranging from more than 50 to 76 wallet browser extensions across more than 40 browsers and 66 Chromium-based browser profile paths. Named targets include MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Keplr, TronLink, OKX Wallet, Core, UniSat, Tonkeeper, Eternl, Argent X, and Sui Wallet, as well as desktop wallet applications such as Ledger Live, Trezor, Exodus, Atomic Wallet, Guarda, KeepKey, and BitBox02. Breakglass Intelligence also reported a dedicated Active Directory reconnaissance module that collects domain role, SID, group memberships, domain controller connectivity, Domain Admin membership, domain computers, and domain groups, making the malware relevant not only for crypto theft but also for enterprise lateral movement preparation.

CountLoader has been observed delivering multiple follow-on payloads, including cryptocurrency clipper malware, LummaStealer, Amatera, PureRAT, and in one FortiGuard-reported campaign, PureMiner. McAfee linked CountLoader to a large-scale campaign in which the final payload was a cryptocurrency clipper running under systeminfo.exe that monitored clipboard contents and replaced copied wallet addresses with attacker-controlled ones. McAfee sinkholing of a backup domain observed approximately 5,000 connections per minute and about 86,000 unique infected machines, with the highest infection counts in India, followed by Indonesia, the United States, and parts of Southeast Asia; roughly 9,000 infections were attributed to removable media.

Infrastructure associated with CountLoader includes domains such as memory-scanner[.]cc, google-services[.]cc, hell1-kitty[.]cc, hell10-kitty[.]cc, alphazero1-endscape[.]cc, api-microservice-us1[.]com, bucket-aws-s1[.]com, fileless-storage-s3[.]cc, edr-security-bucket1[.]cc, ccleaner[.]gl, web3-walletnotify[.]cc, communicationfirewall-security[.]cc, burning-edge[.]sbs, favourite-guide[.]cc, indeanapolice[.]cc, explorer[.]vg, s1-rarlab[.]com, magnusworkspace[.]com, s3-python[.]cc, node1-py-store[.]com, node2-py-store[.]com, py-installer[.]cc, updateservice1-telegramweb[.]com, debank-api[.]cc, and forest-entity[.]cc. Reported IPs and infrastructure included 192.109.200.130, 82.29.72.214, 65.21.174.205, 45.43.137.82, 194.102.104.221, 178.255.222.234, 85.121.148.80, 78.128.114.182, 194.76.226.162, and 45.156.87.31. One report also tied CountLoader activity to the lure filename "source code of carbanak backdoor discovered.exe," used in rotating campaigns alongside other malware families.

Attribution in the provided reporting is not definitive, but McAfee assessed that a later cryptocurrency clipper campaign overlapped with earlier CountLoader activity and was likely operated by the same threat actor. Breakglass Intelligence described CountLoader as a professionally operated malware-as-a-service platform and assessed it with medium confidence as a Russian-speaking or Eastern European cybercrime operation with strong infrastructure management and dual-use capability for both cryptocurrency theft and enterprise reconnaissance.

Exploited software

Vulnerabilities linked to CountLoader

1 CVEs

MITRE ATT&CK

CountLoader in ATT&CK

58 distinct techniques

Techniques

58 techniques
T1055 Process Injection T1059.001 PowerShell T1027 Obfuscated Files or Information T1547.009 Shortcut Modification T1082 System Information Discovery T1562.001 Disable or Modify Tools T1059.007 JavaScript T1053.005 Scheduled Task T1091 Replication Through Removable Media T1115 Clipboard Data T1071 Application Layer Protocol T1518 Software Discovery T1218.005 Mshta T1620 Reflective Code Loading T1564.003 Hidden Window T1573 Encrypted Channel T1204.002 Malicious File T1036 Masquerading T1059 Command and Scripting Interpreter T1204 User Execution T1105 Ingress Tool Transfer T1566.002 Spearphishing Link T1189 Drive-by Compromise T1608.006 SEO Poisoning T1204.001 Malicious Link T1568 Dynamic Resolution T1036.005 Match Legitimate Resource Name or Location T1140 Deobfuscate/Decode Files or Information T1574.001 DLL T1059.005 Visual Basic T1218.007 Msiexec T1608.001 Upload Malware T1018 Remote System Discovery T1566.001 Spearphishing Attachment T1583.001 Domains T1057 Process Discovery T1120 Peripheral Device Discovery T1573.002 Asymmetric Cryptography T1197 BITS Jobs T1027.006 HTML Smuggling T1497.001 System Checks T1071.001 Web Protocols T1568.002 Domain Generation Algorithms T1005 Data from Local System T1041 Exfiltration Over C2 Channel T1583.003 Virtual Private Server T1036.007 Double File Extension T1482 Domain Trust Discovery T1547.001 Registry Run Keys / Startup Folder T1614.001 System Language Discovery T1069.002 Domain Groups T1555.003 Credentials from Web Browsers T1087.002 Domain Account T1518.001 Security Software Discovery T1070.004 File Deletion T1059.003 Windows Command Shell T1218 System Binary Proxy Execution T1195.001 Compromise Software Dependencies and Development Tools

Reporting

Research mentioning CountLoader

Jun 30
The Hacker News

Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

McAfee Labs said the activity overlaps with a prior CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both clusters.

Jun 30
Mcafee Labs

Silent Swap: A Crypto Clipper Extension Campaign | McAfee Blog

The campaign is related to a previous blog published by McAfee Labs, Sinkholing CountLoader: Insights into Its Recent Campaign, as the threat actor appears to be the same behind both operations.

May 20
Cyber Security News

Hackers Abuse MSHTA Legacy Windows Tool to Deliver LummaStealer and Amatera Malware

One of the most active attack chains involves a loader called CountLoader, which uses MSHTA to deliver LummaStealer and Amatera.

May 19
Cyber Security News

Malware Campaign Uses JavaScript, PowerShell, and Shellcode to Deliver Crypto Clipper

Researchers have uncovered a large-scale campaign built around a multi-stage loader called CountLoader, which chains together JavaScript, PowerShell, and shellcode to deliver a payload that intercepts and redirects cryptocurrency transactions.

May 19
Bank Info Security

Legacy Microsoft Utility Fuels New Wave of Malware

To date, one of the more active campaigns Bitdefender uncovered involves multi-stage loaders CountLoader and Emmenhtal Loader.

May 19
Govinfosecurity

Legacy Microsoft Utility Fuels New Wave of Malware

To date, one of the more active campaigns Bitdefender uncovered involves multi-stage loaders CountLoader and Emmenhtal Loader.

May 13
Mcafee Labs

Sinkholing CountLoader: Insights into Its Recent Campaign | McAfee Blog

McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems.

Mar 15
Breakglass Intel

EssentialAcquisition: A Custom Go Financial Trojan Running Raft Consensus C2 on Kubernetes - Breakglass Intelligence - Breakglass Intelligence

The Carbanak filename is used by multiple unrelated campaigns (we have documented it attached to CountLoader, SmokeLoader, and the GoLoader LaaS framework).

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.