The infection chain starts when a user searching for a pirated copy of a legitimate application is led to a malicious archive hosted on a file-sharing site. The archive holds a password-protected folder plus a document that supplies the password, a packaging trick that keeps automated scanners from inspecting the contents. Once the victim extracts the files, they unknowingly launch a renamed Python interpreter, which in turn calls the Windows utility mshta.exe to fetch the latest CountLoader build from a remote server.
To persist on the compromised system, the malware registers a scheduled task dressed up as a legitimate Google update service. The task is set to run every thirty minutes for ten years, so the attackers regain access after every reboot. Because a genuine Google updater task exists on any machine with Chrome installed, the name alone is not what gives it away; the action the task runs and the binary behind it are what an analyst has to check. By blending in with routine background activity, the task is unlikely to draw attention from the average user or from basic monitoring tools.
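The following hunt is an added example written for this page; it is not code from the article or from the CountLoader samples it describes. It enumerates scheduled tasks and flags the three traits described above: a Google-flavored name whose action is not the real Google updater, an action that runs a living-off-the-land binary such as mshta.exe, and a trigger that repeats on a short interval for a year or more. The path of the genuine updater and the list of LOLBins are assumptions chosen for illustration.

```powershell
# Added example (not the article's or the malware's code).
# Hunts for scheduled tasks that borrow a Google-updater name but run something else,
# or that repeat on a short interval for an implausibly long time.
# Assumptions: the real updater lives under Program Files\Google\Update, and the
# LOLBin list below is illustrative; extend both for your environment.

$realUpdater = @(
    (Join-Path $env:ProgramFiles 'Google\Update\GoogleUpdate.exe'),
    (Join-Path ${env:ProgramFiles(x86)} 'Google\Update\GoogleUpdate.exe')
)
$lolbins = 'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
           'cscript.exe', 'rundll32.exe', 'regsvr32.exe', 'python.exe'

function Get-IsoDurationDays {
    # Task Scheduler stores intervals/durations as ISO 8601 (e.g. PT30M, P3650D).
    param([string]$Iso)
    if ([string]::IsNullOrEmpty($Iso)) { return 0 }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($Iso).TotalDays } catch { return 0 }
}

Get-ScheduledTask | ForEach-Object {
    $task = $_
    $reasons = @()
    $googleNamed = ($task.TaskName -match 'Google') -or ($task.TaskPath -match 'Google')

    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }
        $exe  = [System.Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        $leaf = [System.IO.Path]::GetFileName($exe).ToLower()

        # Name says Google, but the binary is not the genuine updater.
        if ($googleNamed -and ($realUpdater -notcontains $exe)) {
            $reasons += "Google-named task runs '$exe'"
        }
        # A LOLBin as the task action is suspicious regardless of the name.
        if ($lolbins -contains $leaf) {
            $reasons += "action uses $leaf with args: $($a.Arguments)"
        }
        # Check the signer, not the filename, for Google-named tasks.
        if ($googleNamed -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Google') {
                $reasons += "binary signature status: $($sig.Status)"
            }
        }
    }

    foreach ($t in $task.Triggers) {
        if ($null -eq $t.Repetition) { continue }
        $intervalDays = Get-IsoDurationDays $t.Repetition.Interval
        $durationDays = Get-IsoDurationDays $t.Repetition.Duration
        # Hourly or faster, sustained for a year or more (e.g. PT30M over P3650D).
        if ($intervalDays -gt 0 -and $intervalDays -le (1/24) -and $durationDays -ge 365) {
            $reasons += ('repeats every {0:N0} min for {1:N0} days' -f ($intervalDays * 1440), $durationDays)
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Task    = "$($task.TaskPath)$($task.TaskName)"
            State   = $task.State
            Author  = $task.Author
            Reasons = $reasons -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session so that tasks registered under other users and in the \Microsoft\ tree are visible. The repetition check only reads Repetition.Duration; a task that achieves a long run window through a distant EndBoundary instead will not trip that rule and would need a separate check on the trigger's boundaries.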
The loader also carries a check for specific enterprise security software, such as CrowdStrike Falcon. It queries Windows Management Instrumentation (WMI) for the list of registered antivirus products, the same inventory the Windows Security Center exposes. Depending on whether the security tool is present, the malware adjusts its execution command to use a different system binary, in an attempt to stay below the threshold of behavioral detection.
CountLoader has been active since mid-2025 and has a track record of delivering Cobalt Strike as well as assorted miners and stealers. This latest evolution shows how attackers keep weaponizing the demand for free software to distribute complex malware. By pairing social engineering with living-off-the-land techniques, the campaign remains a potent threat to individuals and to organizations without strict software installation controls.
Source: Cracked Software And YouTube Videos Spread CountLoader And GachiLoader Malware