
New Loader “CountLoader” Uses PDFs to Launch Ransomware Attacks

Security researchers have uncovered a sophisticated new malware loader called “CountLoader” that leverages weaponized PDF files to deliver ransomware payloads to victims across multiple regions, with particular focus on Ukrainian targets.

CountLoader represents a significant escalation in malware delivery techniques, operating through three distinct versions: .NET, PowerShell, and JScript implementations.

The malware loader has been directly linked to several prominent ransomware groups, including LockBit, BlackBasta, and Qilin, demonstrating the interconnected nature of modern cybercriminal operations.

Silent Push threat analysts who discovered and named the malware assess with medium-high confidence that CountLoader serves as either an Initial Access Broker (IAB) tool or functions as part of a ransomware affiliate’s arsenal.

This assessment is based on technical evidence connecting CountLoader’s dropped agents to malware samples observed in multiple ransomware incidents.

The threat actor’s sophisticated targeting methodology became evident through a PDF-based lure campaign specifically designed to impersonate Ukrainian police.

The malicious PDF, distributed in a .zip file named “vymoha_na_yavku” (summons to appear), presents victims with an official-looking document purportedly from the “National Police of Ukraine,” requesting their appearance for questioning.

In the URLhaus malware database, urlhaus[.]abuse[.]ch, our team found several domains labeled “delivering Vidar Infostealer and Emmenhtal malware,” according to the initial reporters.

Screenshot of the URLhaus results.

This social engineering technique exploits current geopolitical tensions to increase the likelihood of victim interaction.

Advanced Technical Capabilities

CountLoader’s JScript version stands out as the most comprehensive implementation, containing approximately 850 lines of code with extensive functionality.

At the end of this process, CountLoader starts its main loop. The loop runs once and then continues to run as long as the “start” value is defined in the path of the HTA execution.

Screenshot of the loop code.

The malware employs six different methods for file downloading and three distinct execution techniques, demonstrating the developers’ deep understanding of Windows operating systems and defensive evasion techniques.

Command and control infrastructure utilizes a sophisticated domain generation algorithm, attempting connections to sequentially numbered domains following the pattern “ms-team-ping[number].com.”

The malware implements a persistent retry mechanism, making up to one million connection attempts across multiple C2 servers. All communications use XOR encryption with Base64 encoding, with a six-character key extracted from server responses.

If CountLoader receives the “success” string from a C2, it then continues its main operation.

CountLoader attempts to connect to a C2 server.

The loader’s persistence mechanisms include registry modifications and scheduled task creation.

CountLoader establishes persistence through the Windows Run Key under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriver” and creates scheduled tasks with names designed to impersonate Google Chrome update processes, such as “GoogleUpdaterTaskSystem135.0.7023.0.”

Ransomware Connections

Analysis of CountLoader’s payload delivery revealed multiple high-value targets, with domain-joined systems receiving priority treatment.

A dedicated function sets the string received during the connection phase as the Authorization Bearer header for this request.

Corporate environments consistently received additional reconnaissance tasks, including Windows domain enumeration commands and system information gathering.

The malware stages downloaded payloads primarily in users’ “Music” folders, an unusual choice that aligns with tactics previously observed in campaigns.
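The persistence artifacts above (the “OneDriver” Run key value and the updater-lookalike scheduled task) and the “Music” folder staging location are all things an endpoint hunt can check for. The script below is an added example, not code from the article or from Silent Push: it runs three checks over constructed Sysmon-style event records (registry value set, scheduled task created, file created). The genuine Google updater also registers tasks named GoogleUpdaterTaskSystem&lt;version&gt;, so the task check keys on the action path rather than the name alone; the assumption that the legitimate task launches updater.exe from under “Program Files (x86)\Google\GoogleUpdater” is mine, as are the sample events and the list of executable extensions.

```python
import ntpath
import re

# Artifacts named in the article.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "OneDriver"            # look-alike of the legitimate "OneDrive" value name
TASK_NAME_RE = re.compile(r"^GoogleUpdaterTaskSystem\d+(?:\.\d+)*$")
# Assumption: the genuine Google updater task runs updater.exe from this tree, so a
# task with the same name pointing anywhere else is the impersonation.
GENUINE_UPDATER_DIR = "c:\\program files (x86)\\google\\googleupdater\\"
STAGING_DIR = "\\music\\"          # article: payloads are staged in users' Music folders
EXEC_EXTS = {".exe", ".dll", ".hta", ".js", ".jse", ".vbs", ".ps1", ".bat", ".cmd"}

# Constructed Sysmon-style events, not real telemetry. id 13 = registry value set,
# id 11 = file created; id 4698 mirrors the Security log "scheduled task created" event.
EVENTS = [
    {"id": 13, "target": RUN_KEY + "\\OneDriver",
     "details": "wscript.exe C:\\Users\\alice\\Music\\sync.js"},
    {"id": 13, "target": RUN_KEY + "\\OneDrive",
     "details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
    {"id": 4698, "task": "GoogleUpdaterTaskSystem135.0.7023.0",
     "action": "mshta.exe C:\\Users\\alice\\Music\\update.hta"},
    {"id": 4698, "task": "GoogleUpdaterTaskSystem135.0.7023.0",
     "action": "C:\\Program Files (x86)\\Google\\GoogleUpdater\\135.0.7023.0\\updater.exe"},
    {"id": 11, "path": "C:\\Users\\alice\\Music\\update.hta"},
    {"id": 11, "path": "C:\\Users\\alice\\Music\\holiday.mp3"},
]


def check_run_value(event):
    """Flag a Run-key value named exactly 'OneDriver' (the real OneDrive value is 'OneDrive')."""
    key, _, name = event["target"].rpartition("\\")
    if key.lower() == RUN_KEY.lower() and name == RUN_VALUE:
        return f"Run key value '{name}' set to: {event['details']}"
    return None


def check_task(event):
    """Flag a GoogleUpdaterTaskSystem<version> task whose action is not the real updater."""
    if not TASK_NAME_RE.match(event["task"]):
        return None
    action = event["action"].strip('"').lower()
    if action.startswith(GENUINE_UPDATER_DIR):
        return None                        # same name, expected binary: the genuine task
    return f"Task '{event['task']}' runs an unexpected action: {event['action']}"


def check_file_create(event):
    """Flag script or executable content written under a Music folder."""
    path = event["path"].lower()
    ext = ntpath.splitext(path)[1]
    if STAGING_DIR in path and ext in EXEC_EXTS:
        return f"Executable content staged in Music folder: {event['path']}"
    return None


CHECKS = {13: check_run_value, 4698: check_task, 11: check_file_create}


def hunt(events):
    """Run every applicable check and return the list of finding strings."""
    findings = []
    for event in events:
        check = CHECKS.get(event["id"])
        if check is None:
            continue
        finding = check(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```

On the constructed events the hunt reports three findings (the OneDriver value, the task pointing at mshta.exe, and the .hta written to Music) and stays quiet on the legitimate OneDrive value, the genuine updater task, and the .mp3 file.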

Captured payloads include Cobalt Strike beacons, AdaptixC2 implants, PureHVNC remote access tools, and Lumma Stealer information-gathering malware.

Technical analysis revealed specific Cobalt Strike watermarks (1473793097 and 1357776117) that security researchers have previously linked to BlackBasta, Qilin, and LockBit ransomware operations, establishing clear connections between CountLoader and established ransomware ecosystems.

Infrastructure analysis uncovered consistent patterns across the threat actor’s operations, including standardized subdomain naming conventions using “sso” and “login” prefixes designed to blend malicious traffic with legitimate enterprise communications.

This approach suggests automated infrastructure generation capabilities and operational maturity.

Mitigations

Organizations, particularly those frequently targeted by Russian cybercriminal groups or Advanced Persistent Threat actors, should prioritize comprehensive monitoring for CountLoader indicators.

The malware’s use of legitimate Windows utilities like certutil, bitsadmin, and PowerShell for payload delivery requires behavioral analysis rather than signature-based detection approaches.

Network security teams should monitor for the characteristic “/api/getFile?fn=” URI pattern across HTTP and HTTPS traffic, as this represents a consistent fingerprint across CountLoader variants.

Additionally, monitoring for sequential domain generation attempts and unusual activity within users’ “Music” directories can provide early warning indicators.
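The two network indicators given above and in the C2 section, the sequentially numbered “ms-team-ping[number].com” domains and the “/api/getFile?fn=” URI, translate directly into proxy-log detection logic. The following is an added example, not code from the article or from Silent Push: it parses constructed key=value proxy log lines, groups ms-team-ping&lt;N&gt;.com hosts per source address, and alerts when one source walks through a run of consecutive numbers, alongside a plain substring match on the payload URI. The log format, the sample lines, and the threshold of three consecutive domains are my assumptions; the domain pattern and URI fingerprint come from the article.

```python
import re
from collections import defaultdict

DGA_RE = re.compile(r"^ms-team-ping(\d+)\.com$", re.I)   # C2 pattern from the article
GETFILE_URI = "/api/getfile?fn="                         # payload-fetch fingerprint (compared lowercase)
MIN_RUN = 3   # assumption: three consecutive numbered domains from one source is alert-worthy

# Constructed proxy log lines (key=value fields); not real traffic.
LOG_LINES = """\
ts=2025-09-17T10:00:01Z src=10.0.0.5 host=ms-team-ping1.com uri=/ status=0
ts=2025-09-17T10:00:02Z src=10.0.0.5 host=ms-team-ping2.com uri=/ status=0
ts=2025-09-17T10:00:03Z src=10.0.0.5 host=ms-team-ping3.com uri=/ status=200
ts=2025-09-17T10:00:09Z src=10.0.0.5 host=ms-team-ping3.com uri=/api/getFile?fn=7 status=200
ts=2025-09-17T10:01:00Z src=10.0.0.7 host=teams.microsoft.com uri=/api/csa/health status=200
ts=2025-09-17T10:02:00Z src=10.0.0.9 host=sso.example.test uri=/api/getFile?fn=update status=200
ts=2025-09-17T10:03:00Z src=10.0.0.11 host=ms-team-ping42.com uri=/ status=0
""".splitlines()


def parse(line):
    """Turn one 'k=v k=v' log line into a dict; the first '=' splits each field."""
    return dict(field.split("=", 1) for field in line.split())


def longest_consecutive_run(nums):
    """Longest run of n, n+1, n+2 ... in an ascending list of integers."""
    best, cur = [], []
    for n in nums:
        cur = cur + [n] if cur and n == cur[-1] + 1 else [n]
        if len(cur) > len(best):
            best = cur
    return best


def sequential_dga_hosts(records):
    """Map src -> longest consecutive run of ms-team-ping<N>.com domains it contacted,
    keeping only sources whose run reaches MIN_RUN."""
    seen = defaultdict(set)
    for r in records:
        m = DGA_RE.match(r["host"])
        if m:
            seen[r["src"]].add(int(m.group(1)))
    hits = {}
    for src, nums in seen.items():
        run = longest_consecutive_run(sorted(nums))
        if len(run) >= MIN_RUN:
            hits[src] = run
    return hits


def getfile_requests(records):
    """Every request whose URI carries the CountLoader payload-fetch fingerprint."""
    return [(r["src"], r["host"], r["uri"])
            for r in records if GETFILE_URI in r["uri"].lower()]


def alerts(lines):
    """Combine both detections into human-readable alert strings."""
    records = [parse(line) for line in lines]
    out = []
    for src, run in sequential_dga_hosts(records).items():
        out.append(f"{src}: sequential C2 probing ms-team-ping{run[0]}..{run[-1]}.com")
    for src, host, uri in getfile_requests(records):
        out.append(f"{src}: CountLoader payload URI on {host}{uri}")
    return out


if __name__ == "__main__":
    for alert in alerts(LOG_LINES):
        print(alert)
```

On the sample lines this yields one DGA alert for 10.0.0.5 (domains 1 through 3) and two URI alerts (one of them on an “sso”-prefixed host, matching the subdomain convention noted earlier); the lone ms-team-ping42.com lookup from 10.0.0.11 stays below the run threshold, which is where a team would tune MIN_RUN against its own false-positive tolerance.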

Email security configurations should include enhanced PDF analysis capabilities, particularly for documents containing embedded scripts or external references.

The Ukrainian police impersonation campaign demonstrates the importance of cultural and regional awareness in threat intelligence, as attackers increasingly leverage geopolitical events to enhance social engineering effectiveness.

The discovery of CountLoader highlights the evolving sophistication of malware delivery mechanisms and underscores the critical importance of multi-layered defensive strategies in combating ransomware operations that span multiple threat actor groups and geographic regions.
