Malicious Loaders Spread via Cracked Software and Hijacked YouTube Channels

Security researchers have identified two distinct campaigns distributing sophisticated malware loaders through deceptive distribution channels. The first leverages cracked software downloads to spread an updated variant of CountLoader, a modular malware first observed in mid-2025. Users searching for pirated productivity applications are redirected to archives containing a legitimate Python interpreter configured to fetch and execute the malicious loader from a remote server.

CountLoader establishes persistence by creating a scheduled task masquerading as a Google process and checks for the presence of security tools like CrowdStrike Falcon to evade detection. Once active, it profiles the system and can deliver secondary payloads, such as the ACR Stealer information harvester. Recent versions have enhanced capabilities, including spreading via USB drives and executing code entirely in memory to avoid leaving traces on disk.
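As an added defensive example (not code from the researchers' write-up), the following Python check parses `schtasks /query /fo csv /v` output and flags tasks whose name imitates Google but whose action either lives outside a Google install directory or launches a scripting interpreter, the pattern the persistence technique above relies on. The sample CSV is constructed; its task names and paths are placeholders, not indicators from the campaign.

```python
"""Flag scheduled tasks that imitate Google but do not behave like Google's updater.
Hypothetical detection logic, written for this article; not from the original report."""
import csv
import io
import ntpath

# Interpreters and LOLBins a genuine Google updater task would never launch directly.
SUSPICIOUS_BINARIES = {
    "python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}

def _executable(task_to_run: str) -> str:
    """Return the lower-cased executable path from a 'Task To Run' field.
    Handles both quoted paths and unquoted paths containing spaces."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    low = cmd.lower()
    i = low.find(".exe")
    return low[: i + 4] if i != -1 else low.split(" ", 1)[0]

def find_masquerading_tasks(schtasks_csv: str) -> list:
    """Return tasks whose name mentions Google but whose action is not under a
    \\Google\\ directory or starts a scripting interpreter."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row["TaskName"]
        if "google" not in name.lower():
            continue
        exe = _executable(row["Task To Run"])
        reasons = []
        if "\\google\\" not in exe:
            reasons.append("action outside a Google install directory")
        if ntpath.basename(exe) in SUSPICIOUS_BINARIES:
            reasons.append("action launches " + ntpath.basename(exe))
        if reasons:
            hits.append({"task": name, "exe": exe, "reasons": reasons})
    return hits

# Constructed sample (subset of schtasks columns); names and paths are not real IoCs.
SAMPLE_CSV = '''"HostName","TaskName","Task To Run","Run As User"
"WS01","\\GoogleUpdateTaskMachineCore","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /c","SYSTEM"
"WS01","\\GoogleUpdaterTask","""C:\\Users\\Public\\py\\pythonw.exe"" C:\\Users\\Public\\py\\run.py","WS01\\alice"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o","SYSTEM"
'''

if __name__ == "__main__":
    for hit in find_masquerading_tasks(SAMPLE_CSV):
        print(hit)
```

On a live host, feed the function the actual output of `schtasks /query /fo csv /v` and review every hit alongside the task's author and run-as user.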

In a parallel campaign, a new JavaScript-based loader called GachiLoader is being distributed through a network of hijacked YouTube accounts, luring users with videos promoting malicious downloads. GachiLoader performs extensive anti-analysis checks, attempts privilege escalation, and disables Microsoft Defender components. Both campaigns illustrate a trend toward fileless execution and the abuse of legitimate system tools, underscoring the need for layered security defenses and proactive monitoring.
