Researchers at Silent Push have identified a newly emerging malware loader dubbed CountLoader, which they assess to be linked with multiple ransomware groups, primarily Russian-speaking cybercriminals. The campaign is notable for its phishing lures targeting Ukrainian citizens, including a PDF impersonating the Ukrainian National Police.
According to the report, "our team recently discovered a malware sample with unique behavior and varied attribution descriptions in VirusTotal. After a thorough investigation, we were able to confirm the sample was a new malware loader we assess to be associated with multiple ransomware groups, primarily Russian-speaking cybercriminals."
Silent Push's investigation began when researchers noticed suspicious domains such as app-updater[.]app, app-updater1[.]app, and app-updater2[.]app. These domains had been flagged by other security companies, but their role was unclear. Silent Push explains, "CountLoader attempts a connection to many different C2s, retrying up to a million times, and we believe this partial activity is what both Cyfirma and Kaspersky were observing in their respective reports."
Using proprietary fingerprinting methods (including HHV, JARM, and ssl.CHV fields), the team linked the infrastructure to over 20 unique domains used in the campaign.
Silent Push observed three different versions of CountLoader:
- JScript-based (.hta file): the most advanced and feature-rich version.
- .NET binary: less functional but obfuscated with custom techniques.
- PowerShell script: a lightweight variant only ~20 lines long.
The JScript version stood out for its sophistication. As the report notes, "it is the most thorough implementation, offering six different methods for file downloading, three different methods for executing various downloadable malware binaries, and a predefined function to identify a victim's device based on Windows domain information."
Persistence is achieved by creating scheduled tasks disguised as Google Chrome update jobs, while communication with C2 servers uses XOR + Base64 encryption.
The campaign actively targets Ukrainian citizens through phishing. Silent Push confirmed that "an ongoing PDF-based lure campaign remains active at the time of writing this blog (August 2025)." The PDF, written in Ukrainian, falsely claims to be a summons from the National Police of Ukraine, tricking victims into opening the malware.
Payload analysis revealed CountLoader delivering:
- Cobalt Strike beacons
- Adaptix C2 malware
- PureHVNC remote access tools
- Lumma Stealer
Notably, the malware prioritizes domain-joined systems, suggesting a focus on enterprise environments.
Silent Push uncovered links between CountLoader's infrastructure and known ransomware affiliates. By analyzing Cobalt Strike watermark IDs, they tied activity to BlackBasta, Qilin, and even LockBit operations. The researchers explained, "based on all of the above, our team assesses with high confidence that CountLoader serves either as an IAB or ransomware affiliate and has apparent connections to the LockBit, BlackBasta, and Qilin ransomware groups."
The use of the Windows Music folder as a staging ground, a technique also observed in LockBit intrusions, further strengthens these ties.
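The two host-side behaviours the report describes, scheduled tasks posing as Google Chrome update jobs and payloads staged under the user's Music folder, can be turned into a simple triage check over scheduled-task creation records. The example below is added here and is not code from Silent Push or from the report; the task names, binary paths and record layout are constructed assumptions for illustration, not indicators taken from the campaign.

```python
# Triage scheduled-task creation records (e.g. fields extracted from Windows
# Security event 4698) for tasks that borrow a Google Chrome update name but
# do not behave like the real updater. All sample data below is constructed.
SAMPLE_TASKS = [
    # Genuine-looking updater: Chrome name, binary under the Google install dir.
    {"name": "\\GoogleUpdateTaskMachineUA",
     "action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "args": "/ua /installsource scheduler"},
    # Chrome-named task that actually launches an HTA from the Music folder.
    {"name": "\\GoogleChromeUpdateTask",
     "action": "C:\\Windows\\System32\\mshta.exe",
     "args": "C:\\Users\\victim\\Music\\update.hta"},
    # Chrome-named task that runs a PowerShell script staged in Music.
    {"name": "\\Chrome Update",
     "action": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "args": "-w hidden -f C:\\Users\\victim\\Music\\u.ps1"},
    # Unrelated vendor task: should not be flagged by this check.
    {"name": "\\Adobe Acrobat Update Task",
     "action": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe",
     "args": ""},
]

# Where the real Google updater lives (assumed default install locations).
LEGIT_GOOGLE_DIRS = ("c:\\program files\\google\\", "c:\\program files (x86)\\google\\")
# Script hosts a genuine updater task has no reason to invoke.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Staging location called out in the report.
STAGING_DIRS = ("\\music\\",)


def assess_task(task):
    """Return a list of reasons a Chrome-named task looks suspicious ([] if clean)."""
    name, action, args = (task[k].lower() for k in ("name", "action", "args"))
    if "google" not in name and "chrome" not in name:
        return []  # only tasks impersonating the Chrome updater are in scope here
    reasons = []
    if not action.startswith(LEGIT_GOOGLE_DIRS):
        reasons.append("Chrome-named task runs a binary outside the Google install directories")
    if action.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("task action is a script host rather than the updater binary")
    if any(d in args for d in STAGING_DIRS):
        reasons.append("task arguments reference a payload under the user's Music folder")
    return reasons


def find_suspicious(tasks):
    """Map task name -> reasons for every task that raised at least one reason."""
    return {t["name"]: r for t in tasks if (r := assess_task(t))}
```

Run against real 4698 exports, the check is deliberately narrow: it only scores tasks that already carry a Chrome or Google name, so it complements rather than replaces broader script-host and persistence detections.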