Close Menu
TechurzTechurz
    What's Hot

    Humble Robotics’ CEO says the tech finally caught up to the vision for autonomous vehicles

    July 1, 2026

    Autonomous vehicle hype is back, and Humble Robotics is bringing it to freights

    July 1, 2026

    Builders Stage agenda revealed for Disrupt 2026

    July 1, 2026
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Tech Pulse
    • Humble Robotics’ CEO says the tech finally caught up to the vision for autonomous vehicles
    • Autonomous vehicle hype is back, and Humble Robotics is bringing it to freights
    • Builders Stage agenda revealed for Disrupt 2026
    • Startup Battlefield Australia application closes in days: Apply before July 6
    • Acti puts AI agents directly into your smartphone keyboard
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    TechurzTechurz
    • Home
    • Tech Pulse
    • Future Tech
    • AI Systems
    • Cyber Reality
    • Disruption Lab
    • Signals
    TechurzTechurz
    Home - Cyber Reality - CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader
    Cyber Reality

    CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader

    TechurzBy TechurzSeptember 18, 2025Updated:May 10, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.

    “CountLoader is being used either as part of an Initial Access Broker’s (IAB) toolset or by a ransomware affiliate with ties to the LockBit, Black Basta, and Qilin ransomware groups,” Silent Push said in an analysis.

    Appearing in three different versions – .NET, PowerShell, and JavaScript – the emerging threat has been observed in a campaign targeting individuals in Ukraine using PDF-based phishing lures and impersonating the National Police of Ukraine.

    It’s worth noting that the PowerShell version of the malware was previously flagged by Kaspersky as being distributed using DeepSeek-related decoys to trick users into installing it.

    The attacks, per the Russian cybersecurity vendor, led to the deployment of an implant named BrowserVenom that can reconfigure all browsing instances to force traffic through a proxy controlled by the threat actors, enabling the attackers to manipulate network traffic and collect data.

    Silent Push’s investigation has found the JavaScript version is the most fleshed out implementation of the loader, offering six different methods for file downloading, three different methods for executing various malware binaries, and a predefined function to identify a victim’s device based on Windows domain information.

    The malware is also capable of gathering system information, setting up persistence on the host by creating a scheduled task that impersonates a Google update task for the Chrome web browser, and connecting to a remote server to await further instructions.

    This includes the ability to download and run DLL and MSI installer payloads using rundll32.exe and msiexec.exe, transmit system metadata, and delete the created scheduled task. The six methods used to download files involve the use of curl, PowerShell, MSXML2.XMLHTTP, WinHTTP.WinHttpRequest.5.1, bitsadmin, and certutil.exe.

    “By using LOLBins like ‘certutil’ and ‘bitsadmin,’ and by implementing an ‘on the fly’ command encryption PowerShell generator, CountLoader’s developers demonstrate here an advanced understanding of the Windows operating system and malware development,” Silent Push said.

    A notable aspect of CountLoader is its use of the victim’s Music folder as a staging ground for malware. The .NET flavor shares some degree of functional crossover with its JavaScript counterpart, but supports only two different types of commands (UpdateType.Zip or UpdateType.Exe), indicating a reduced, stripped-down version.

    CountLoader is supported by an infrastructure comprising over 20 unique domains, with the malware serving as a conduit for Cobalt Strike, AdaptixC2, and PureHVNC RAT, the last of which is a commercial offering from a threat actor known as PureCoder. It’s worth pointing out that PureHVNC RAT is a predecessor to PureRAT, which is also referred to as ResolverRAT.

    Recent campaigns distributing PureHVNC RAT have leveraged the tried-and-tested ClickFix social engineering tactic as a delivery vector, with victims lured to the ClickFix phishing page through fake job offers, per Check Point. The trojan is deployed by means of a Rust-based loader.

    “The attacker lured the victim through fake job advertisements, allowing the attacker to execute malicious PowerShell code through the ClickFix phishing technique,” the cybersecurity company said, describing PureCoder as using a revolving set of GitHub accounts to host files that support the functionality of PureRAT.

    Analysis of the GitHub commits has revealed that activity was carried out from the timezone UTC+03:00, which corresponds to many countries, including Russia, among others.

    The development comes as the DomainTools Investigations team has uncovered the interconnected nature of the Russian ransomware landscape, identifying threat actor movements across groups and the use of tools like AnyDesk and Quick Assist, suggesting operational overlaps.

    “Brand allegiance among these operators is weak, and human capital appears to be the primary asset, rather than specific malware strains,” DomainTools said. “Operators adapt to market conditions, reorganize in response to takedowns, and trust relationships are critical. These individuals will choose to work with people they know, regardless of the name of the organization.”

    broadens CountLoader loader malware MultiVersion operations Ransomware Russian
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleChina Turns Legacy Chips Into a Trade Weapon
    Next Article Atlassian’s $1B DX Deal To Measure AI -Driven Development
    Techurz
    • Website

    Related Posts

    Cyber Reality

    Digital Identity Protection: 7 Hidden Risks Most Users Miss

    May 25, 2026
    Cyber Reality

    Neural Data Policy: 7 Risks That Brain Privacy Laws Miss

    May 25, 2026
    Cyber Reality

    How AI Changing Cyber Crime: 7 Critical Shifts to Watch

    May 25, 2026
    Add A Comment
    Latest Tech Pulse

    College social app Fizz expands into grocery delivery

    September 3, 20252,290

    SolarSquare in talks to raise up to $60M as India’s rooftop solar market draws major VC interest

    May 23, 202622

    Future of Digital Privacy and Security: 7 Truths Nobody Tells You

    May 25, 202619
    Stay In Touch
    • YouTube
    • WhatsApp
    • Twitter
    • Pinterest
    • LinkedIn

    Techurz helps readers stay ahead of digital change with clear, practical, future focused technology intelligence written today,searched tomorrow.

    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Company
    • About Us
    • Contact Us
    • Our Authors / Editorial Team
    • Write For Us
    • Advertise
    Policy
    • Editorial Policy
    • Privacy Policy
    • Terms and Conditions
    • Affiliate Disclosure
    • Cookie Policy
    • Disclaimer
    • DMCA
    Explore
    • AI Systems
    • Cyber Reality
    • Future Tech
    • Disruption Lab
    • Signals
    • Tech Pulse
    • Sitemap

    Join the Techurz Brief

    The future does not arrive suddenly.
    Stay ahead with fast, sharp tech signals.

    Type above and press Enter to search. Press Esc to cancel.