Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.
“CountLoader is being used either as part of an Initial Access Broker’s (IAB) toolset or by a ransomware affiliate with ties to the LockBit, Black Basta, and Qilin ransomware groups,” Silent Push said in an analysis.
Appearing in three different versions – .NET, PowerShell, and JavaScript – the emerging threat has been observed in a campaign targeting individuals in Ukraine using PDF-based phishing lures and impersonating the National Police of Ukraine. Silent Push told The Hacker News that it does not have any insight into the nature of malware that was dropped using CountLoader.
It’s worth noting that the PowerShell version of the malware was previously flagged by Kaspersky as being distributed using DeepSeek-related decoys to trick users into installing it.
The attacks, per the Russian cybersecurity vendor, led to the deployment of an implant named BrowserVenom that can reconfigure all browsing instances to force traffic through a proxy controlled by the threat actors, enabling the attackers to manipulate network traffic and collect data.
Silent Push’s investigation has found the JavaScript version is the most fleshed out implementation of the loader, offering six different methods for file downloading, three different methods for executing various malware binaries, and a predefined function to identify a victim’s device based on Windows domain information.
The malware is also capable of gathering system information, setting up persistence on the host by creating a scheduled task that impersonates a Google update task for the Chrome web browser, and connecting to a remote server to await further instructions.
This includes the ability to download and run DLL and MSI installer payloads using rundll32.exe and msiexec.exe, transmit system metadata, and delete the created scheduled task. The six methods used to download files involve the use of curl, PowerShell, MSXML2.XMLHTTP, WinHTTP.WinHttpRequest.5.1, bitsadmin, and certutil.exe.
“By using LOLBins like ‘certutil’ and ‘bitsadmin,’ and by implementing an ‘on the fly’ command encryption PowerShell generator, CountLoader’s developers demonstrate here an advanced understanding of the Windows operating system and malware development,” Silent Push said.
A notable aspect of CountLoader is its use of the victim’s Music folder as a staging ground for malware. The .NET flavor shares some degree of functional crossover with its JavaScript counterpart, but supports only two different types of commands (UpdateType.Zip or UpdateType.Exe), indicating a reduced, stripped-down version.
CountLoader is supported by an infrastructure comprising over 20 unique domains, with the malware serving as a conduit for Cobalt Strike, AdaptixC2, and PureHVNC RAT, the last of which is a commercial offering from a threat actor known as PureCoder. It’s worth pointing out that PureHVNC RAT is a predecessor to PureRAT, which is also referred to as ResolverRAT.
Recent campaigns distributing PureHVNC RAT have leveraged the tried-and-tested ClickFix social engineering tactic as a delivery vector, with victims lured to the ClickFix phishing page through fake job offers, per Check Point. The trojan is deployed by means of a Rust-based loader.
“The attacker lured the victim through fake job advertisements, allowing the attacker to execute malicious PowerShell code through the ClickFix phishing technique,” the cybersecurity company said, describing PureCoder as using a revolving set of GitHub accounts to host files that support the functionality of PureRAT.
Analysis of the GitHub commits has revealed that activity was carried out from the timezone UTC+03:00, which corresponds to many countries, including Russia, among others.
The development comes as the DomainTools Investigations team has uncovered the interconnected nature of the Russian ransomware landscape, identifying threat actor movements across groups and the use of tools like AnyDesk and Quick Assist, suggesting operational overlaps.
“Brand allegiance among these operators is weak, and human capital appears to be the primary asset, rather than specific malware strains,” DomainTools said. “Operators adapt to market conditions, reorganize in response to takedowns, and trust relationships are critical. These individuals will choose to work with people they know, regardless of the name of the organization.”
