CountLoader & GachiLoader: Malware Campaigns via Cracked Software and YouTube

Two evolving malware loaders — CountLoader and GachiLoader — are being actively distributed through cracked software sites and compromised YouTube accounts, highlighting how cybercriminals are weaponizing trusted platforms and user habits to spread advanced threats.

CountLoader 3.2

  • Distribution vector: Cracked software downloads (e.g., fake Microsoft Word installers).
  • Initial infection: Victims redirected to MediaFire ZIP archives containing:
    • Encrypted ZIP + Word doc with password.
    • Renamed Python interpreter (Setup.exe) configured to fetch CountLoader via mshta.exe.
  • Persistence:
    • Scheduled task named GoogleTaskSystem136.0.7023.12, running every 30 minutes for 10 years.
    • Adjusts execution flow if CrowdStrike Falcon is detected.
  • Capabilities:
    • Download & execute EXEs, DLLs, MSI packages.
    • Exfiltrate system information.
    • Spread via USB drives (malicious LNK shortcuts).
    • Execute payloads in memory via PowerShell or mshta.exe.
  • Final payload: ACR Stealer, harvesting sensitive data.
  • Trend: Abuse of signed binaries + fileless execution tactics.

GachiLoader

  • Distribution vector: YouTube Ghost Network — 39 compromised accounts, ~100 videos, 220K views.
  • Written in: Node.js, heavily obfuscated JavaScript.
  • Payload delivery:
    • Deploys Kidkadi malware using novel PE injection via Vectored Exception Handling.
    • Can load legitimate DLLs, then swap them with malicious payloads on-the-fly.
  • Anti-analysis & evasion:
    • Checks for elevated privileges (net session).
    • Triggers UAC prompt to escalate if needed.
    • Kills Microsoft Defender process (SecHealthUI.exe) and configures exclusions.
  • Payloads observed: Rhadamanthys stealer among others.
  • Final stage: Fetches malware directly from remote URLs or via kidkadi.node.

Risks

  • CountLoader: Long-term persistence, stealthy propagation via USB, modular payload delivery.
  • GachiLoader: Abuse of YouTube trust, advanced PE injection, Defender bypass.
  • Both: Serve as loaders for stealers, RATs, miners, and ransomware, enabling multi-stage compromise.

Defensive Measures

  • For individuals:
    • Avoid cracked software and unofficial download sites.
    • Be cautious of YouTube videos promoting “free” installers.
    • Keep AV/EDR updated; enable real-time protection.
    • Monitor USB devices for suspicious LNK files.
  • For SOC/IR teams:
    • Hunt for scheduled tasks mimicking Google (GoogleTaskSystem...).
    • Monitor mshta.exe and PowerShell for suspicious remote execution.
    • Detect obfuscated Node.js scripts and DLL injection anomalies.
    • Block known malicious domains and MediaFire links used in campaigns.
    • Watch for Defender exclusions being added silently.

Takeaway

CountLoader and GachiLoader exemplify modern loader evolution: modular, stealthy, and distributed via platforms users trust (software repositories, YouTube). Their ability to deliver stealers and RATs through multi-stage chains makes them high-priority threats for both individuals and enterprises.
