CountLoader
CountLoader is a multi-stage Windows malware loader, frequently delivered as an HTA-based payload executed via mshta.exe and heavily obfuscated to evade detection.
Profile source: Mallory opens in a new tabCountLoader
Family profile
CountLoader is a multi-stage Windows malware loader, frequently delivered as an HTA-based payload executed via mshta.exe and heavily obfuscated to evade detection. Reported infection vectors include phishing attachments, cracked or free software downloads, SEO poisoning, fake social media posts, direct messages, ClickFix-style lures, trojanized installers masquerading as CCleaner, and HTML Application files disguised with benign extensions such as .wav, .xml, .mp4, .ini, .csv, and .rar. It has also been observed spreading via USB drives by replacing files with malicious LNK shortcuts.
Observed execution chains include malicious EXE launchers, PowerShell download cradles, obfuscated JavaScript, HTA execution through mshta.exe, shellcode injection, and in-memory payload execution. CountLoader establishes persistence through scheduled tasks, including names such as CCleanerTaskID and NVIDIA App SelfUpdate_{MD5_hash}, and has also been reported using an HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and HTA relaunch. It performs anti-analysis and evasion checks, including sandbox hostname checks such as AZURE-PC and Bruno, locale checks including SYSTEM/СИСТЕМА, antivirus/process checks including CrowdStrike Falcon, AMSI bypass, hidden or off-screen HTA windows, self-deletion, and alternate execution chains when Falcon is detected.
CountLoader communicates with command-and-control infrastructure using a custom XOR-plus-base64 protocol; reporting also describes a variant that prepended a plaintext six-digit XOR key and, in some versions, additionally encoded traffic as UTF-16LE before base64. It performs encrypted handshakes such as checkStatus, registers infected hosts, obtains JWT tokens for authenticated follow-on requests, and retrieves tasking from endpoints such as /getUpdates. Reported tasking supports download-and-execute of EXE, DLL, MSI, HTA, Python, and PowerShell payloads, rundll32 execution, LOLBIN-based download methods, self-delete/uninstall, browser and wallet data theft, domain or Active Directory reconnaissance, and USB propagation.
The malware fingerprints victims and collects host information including OS, CPU, disk, antivirus, domain details, installed cryptocurrency wallets, browser extensions, and browser profile paths. Multiple reports state that CountLoader targets cryptocurrency wallet extensions at scale, with observed targeting ranging from more than 50 to 76 wallet browser extensions across more than 40 browsers and 66 Chromium-based browser profile paths. Named targets include MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Keplr, TronLink, OKX Wallet, Core, UniSat, Tonkeeper, Eternl, Argent X, and Sui Wallet, as well as desktop wallet applications such as Ledger Live, Trezor, Exodus, Atomic Wallet, Guarda, KeepKey, and BitBox02. Breakglass Intelligence also reported a dedicated Active Directory reconnaissance module that collects domain role, SID, group memberships, domain controller connectivity, Domain Admin membership, domain computers, and domain groups, making the malware relevant not only for crypto theft but also for enterprise lateral movement preparation.
CountLoader has been observed delivering multiple follow-on payloads, including cryptocurrency clipper malware, LummaStealer, Amatera, PureRAT, and in one FortiGuard-reported campaign, PureMiner. McAfee linked CountLoader to a large-scale campaign in which the final payload was a cryptocurrency clipper running under systeminfo.exe that monitored clipboard contents and replaced copied wallet addresses with attacker-controlled ones. McAfee sinkholing of a backup domain observed approximately 5,000 connections per minute and about 86,000 unique infected machines, with the highest infection counts in India, followed by Indonesia, the United States, and parts of Southeast Asia; roughly 9,000 infections were attributed to removable media.
Infrastructure associated with CountLoader includes domains such as memory-scanner[.]cc, google-services[.]cc, hell1-kitty[.]cc, hell10-kitty[.]cc, alphazero1-endscape[.]cc, api-microservice-us1[.]com, bucket-aws-s1[.]com, fileless-storage-s3[.]cc, edr-security-bucket1[.]cc, ccleaner[.]gl, web3-walletnotify[.]cc, communicationfirewall-security[.]cc, burning-edge[.]sbs, favourite-guide[.]cc, indeanapolice[.]cc, explorer[.]vg, s1-rarlab[.]com, magnusworkspace[.]com, s3-python[.]cc, node1-py-store[.]com, node2-py-store[.]com, py-installer[.]cc, updateservice1-telegramweb[.]com, debank-api[.]cc, and forest-entity[.]cc. Reported IPs and infrastructure included 192.109.200.130, 82.29.72.214, 65.21.174.205, 45.43.137.82, 194.102.104.221, 178.255.222.234, 85.121.148.80, 78.128.114.182, 194.76.226.162, and 45.156.87.31. One report also tied CountLoader activity to the lure filename "source code of carbanak backdoor discovered.exe," used in rotating campaigns alongside other malware families.
Attribution in the provided reporting is not definitive, but McAfee assessed that a later cryptocurrency clipper campaign overlapped with earlier CountLoader activity and was likely operated by the same threat actor. Breakglass Intelligence described CountLoader as a professionally operated malware-as-a-service platform and assessed it with medium confidence as a Russian-speaking or Eastern European cybercrime operation with strong infrastructure management and dual-use capability for both cryptocurrency theft and enterprise reconnaissance.
Exploited software
Vulnerabilities linked to CountLoader
1 CVEsMITRE ATT&CK
CountLoader in ATT&CK
58 distinct techniquesReporting
Research mentioning CountLoader
Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses
McAfee Labs said the activity overlaps with a prior CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both clusters.
Silent Swap: A Crypto Clipper Extension Campaign | McAfee Blog
The campaign is related to a previous blog published by McAfee Labs, Sinkholing CountLoader: Insights into Its Recent Campaign, as the threat actor appears to be the same behind both operations.
Hackers Abuse MSHTA Legacy Windows Tool to Deliver LummaStealer and Amatera Malware
One of the most active attack chains involves a loader called CountLoader, which uses MSHTA to deliver LummaStealer and Amatera.
Malware Campaign Uses JavaScript, PowerShell, and Shellcode to Deliver Crypto Clipper
Researchers have uncovered a large-scale campaign built around a multi-stage loader called CountLoader, which chains together JavaScript, PowerShell, and shellcode to deliver a payload that intercepts and redirects cryptocurrency transactions.
Legacy Microsoft Utility Fuels New Wave of Malware
To date, one of the more active campaigns Bitdefender uncovered involves multi-stage loaders CountLoader and Emmenhtal Loader.
Legacy Microsoft Utility Fuels New Wave of Malware
To date, one of the more active campaigns Bitdefender uncovered involves multi-stage loaders CountLoader and Emmenhtal Loader.
Sinkholing CountLoader: Insights into Its Recent Campaign | McAfee Blog
McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems.
EssentialAcquisition: A Custom Go Financial Trojan Running Raft Consensus C2 on Kubernetes - Breakglass Intelligence - Breakglass Intelligence
The Carbanak filename is used by multiple unrelated campaigns (we have documented it attached to CountLoader, SmokeLoader, and the GoLoader LaaS framework).