
"Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT. "CountLoader is being used either as part of an Initial Access Broker's (IAB) toolset or by a ransomware affiliate with ties to the LockBit, Black Basta, and Qilin ransomware groups," Silent Push said in an analysis."
"Appearing in three different versions - .NET, PowerShell, and JavaScript - the emerging threat has been observed in a campaign targeting individuals in Ukraine using PDF-based phishing lures and impersonating the National Police of Ukraine. It's worth noting that the PowerShell version of the malware was previously flagged by Kaspersky as being distributed using DeepSeek-related decoys to trick users into installing it."
CountLoader is a modular loader deployed by Russian ransomware affiliates and initial access brokers to deliver post-exploitation tools such as Cobalt Strike, AdaptixC2, and the PureHVNC RAT. The loader exists in .NET, PowerShell, and JavaScript variants and has been used in phishing campaigns against individuals in Ukraine, with PDF lures impersonating the National Police of Ukraine. A BrowserVenom implant can reconfigure browsers to force their traffic through attacker-controlled proxies, enabling traffic manipulation and data collection. The JavaScript variant implements six download methods and three execution techniques, identifies the device by its Windows domain, performs system reconnaissance, establishes persistence through a scheduled task disguised as a Chrome update, and retrieves commands from a remote server.
Read at The Hacker News