In recent months, cybersecurity experts have identified a new and sophisticated malware loader named CountLoader, which utilizes weaponized PDF files to deliver ransomware payloads. First detected in late August 2025, CountLoader has been associated with several Russian-speaking cybercriminal groups, including affiliates of LockBit, BlackBasta, and Qilin.
Deceptive Tactics and Social Engineering
CountLoader employs advanced social engineering techniques by masquerading as legitimate documents, often impersonating Ukrainian law enforcement agencies. This strategy exploits the trust of recipients, leading them to open malicious PDF files that initiate the infection process.
Multiple Variants and Technical Attributes
The malware loader has been observed in three distinct versions, each written in different programming languages:
1. JScript (.hta) Version: This variant offers comprehensive functionality, including multiple methods for downloading and executing additional payloads.
2. .NET Binary Version: This version includes a hardcoded kill switch that deactivates the loader after a predetermined date, adding a layer of control for the attackers.
3. PowerShell Script Version: This concise loader uses reflective in-memory execution, so the payload runs from memory rather than being written to disk, which reduces the forensic artifacts left for file-based detection.
All variants incorporate a custom command-and-control (C2) communication protocol that uses XOR and Base64 routines to obscure their control traffic, making the traffic harder to recognize in transit.
Infection Mechanism and Persistence
The infection process begins when a victim opens a weaponized PDF file that contains an embedded HTML Application (HTA) object. This object invokes the Windows mshta.exe engine, which then executes the JScript loader. The HTA script is obfuscated using a JavaScript obfuscator and contains approximately 850 lines of code.
Upon execution, the loader performs the following actions:
– Fingerprinting the System: It collects device-specific details such as hardware identifiers, domain membership, and the presence of antivirus software to generate a unique victim ID.
– Establishing Persistence: The loader creates scheduled tasks to ensure it remains active on the system. For example, it may create a task named GoogleUpdaterTaskSystem that executes the loader at regular intervals.
– Communicating with C2 Servers: It engages in persistent polling loops to communicate with C2 servers, using HTTP POST requests with custom Bearer tokens to fetch tasks.
– Downloading Secondary Payloads: Based on commands from the C2 servers, the loader downloads and executes additional malicious payloads such as Cobalt Strike beacons, Adaptix implants, and pureHVNC backdoors.
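As an added example (not code from the original article or from any vendor mentioned in it), the following Python scan applies two of the behaviours described above to constructed, Sysmon-like event records: mshta.exe launched by a PDF reader or loading an HTA from a user-writable path, and a GoogleUpdater-style task name whose action points outside Google's install directory. The field names, sample paths, and the list of PDF reader executables are assumptions for illustration.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\notice.hta"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"type": "task", "name": r"\GoogleUpdaterTaskSystem",
     "action": r"mshta.exe C:\Users\alice\AppData\Roaming\update.hta"},
    {"type": "task", "name": r"\GoogleUpdaterTaskSystem1.2.3",
     "action": r"C:\Program Files (x86)\Google\GoogleUpdater\updater.exe --wake"},
]

# Assumed set of common PDF reader executables and legitimate Google install roots.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
GOOGLE_DIRS = ("c:\\program files\\google\\", "c:\\program files (x86)\\google\\")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)

def exe_name(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Flag mshta.exe when its parent is a PDF reader or its HTA argument sits under AppData."""
    if exe_name(ev["image"]) != "mshta.exe":
        return None
    reasons = []
    if exe_name(ev["parent"]) in PDF_READERS:
        reasons.append("mshta spawned by PDF reader")
    if USER_WRITABLE.search(ev["cmdline"]):
        reasons.append("HTA loaded from user-writable path")
    return reasons or None

def check_task(ev):
    """Flag GoogleUpdater-looking task names whose action is not under Google's install directory."""
    if "googleupdater" not in ev["name"].lower():
        return None
    if ev["action"].lower().startswith(GOOGLE_DIRS):
        return None
    return ["updater-style task name with non-Google action: " + ev["action"]]

def scan(events):
    """Return (event index, reasons) for every event that triggers a check."""
    hits = []
    for i, ev in enumerate(events):
        reasons = check_process(ev) if ev["type"] == "process" else check_task(ev)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], "; ".join(reasons))
```

The legitimate Google task in the sample passes because its action lives under the vendor's install root, while the lookalike task and the PDF-spawned mshta.exe are both flagged.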
Targeted Entities and Geographic Focus
CountLoader has primarily targeted organizations with domain-joined systems in Eastern Europe, suggesting a strategic focus on corporate and governmental entities in that region. The use of lures impersonating the National Police of Ukraine indicates a deliberate attempt to exploit regional trust and authority.
Mitigation Strategies
To protect against threats like CountLoader, organizations should implement the following measures:
– User Education: Train employees to recognize phishing attempts and the dangers of opening unsolicited attachments.
– Email Filtering: Deploy advanced email filtering solutions to detect and block malicious attachments.
– Endpoint Protection: Utilize endpoint detection and response (EDR) solutions to identify and mitigate suspicious activities.
– Regular Updates: Keep all software and systems updated to patch vulnerabilities that could be exploited by malware.
– Network Segmentation: Implement network segmentation to limit the spread of malware within an organization.
Conclusion
The emergence of CountLoader underscores the evolving tactics of cybercriminals who leverage sophisticated social engineering and technical methods to deploy ransomware. By understanding the mechanisms of such threats and implementing robust cybersecurity practices, organizations can enhance their defenses against these malicious activities.