
CountLoader: New Malware Loader Being Served in 3 Different Versions

Medium
Published: Fri Sep 19 2025 (09/19/2025, 08:57:24 UTC)
Source: AlienVault OTX General

Description

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, BlackBasta, and Qilin groups. CountLoader was recently employed in a phishing campaign targeting Ukrainian citizens, impersonating the Ukrainian police. The loader attempts to connect to multiple C2 servers, downloads and executes various malware payloads, and uses advanced techniques to evade detection. It has been observed dropping CobaltStrike and AdaptixC2, among other malicious tools. The malware's functionality includes system information gathering, persistence mechanisms, and multiple download methods.

AI-Powered Analysis

Last updated: 09/19/2025, 10:42:52 UTC

Technical Analysis

CountLoader is a newly identified malware loader associated with Russian ransomware groups, notably linked to affiliates of LockBit, BlackBasta, and Qilin ransomware operations. It is distributed in three distinct versions: .NET, PowerShell, and JScript, allowing it to adapt to different target environments and evade detection. The loader is primarily used as an initial access tool, either by Initial Access Brokers (IABs) or ransomware affiliates, to establish footholds in victim networks. CountLoader has been observed in phishing campaigns targeting Ukrainian citizens, masquerading as official Ukrainian police communications to increase the likelihood of user interaction and infection. Once executed, CountLoader attempts to connect to multiple command and control (C2) servers to download and execute additional malicious payloads, including CobaltStrike and AdaptixC2, which are known for their capabilities in post-exploitation, lateral movement, and persistence. The loader incorporates advanced evasion techniques such as obfuscation, use of multiple download methods, and system information gathering to tailor its payload delivery and maintain persistence. It also employs various persistence mechanisms consistent with MITRE ATT&CK techniques like scheduled tasks (T1053.005) and registry run keys (T1547.001). The malware’s multi-language implementation (.NET, PowerShell, JScript) increases its versatility and complicates detection by traditional antivirus and endpoint detection systems. Although no known exploits are currently reported in the wild, the threat’s association with high-profile ransomware groups and its use in targeted phishing campaigns underscore its potential for significant operational impact.

Potential Impact

For European organizations, CountLoader represents a significant risk primarily due to its role as an initial access vector for ransomware and other advanced persistent threats. The loader’s ability to deliver sophisticated payloads like CobaltStrike can facilitate extensive network compromise, data exfiltration, and ransomware deployment, leading to operational disruption, financial losses, and reputational damage. European entities with critical infrastructure, government agencies, and private sector companies involved in sectors such as finance, healthcare, and manufacturing are particularly vulnerable given the strategic targeting patterns of Russian ransomware groups. The phishing campaign targeting Ukrainian citizens also suggests a potential for spillover attacks or collateral damage affecting European organizations with ties to Ukraine or those hosting Ukrainian diaspora communities. Additionally, the loader’s evasion techniques may reduce the effectiveness of conventional security controls, increasing the likelihood of successful compromise and prolonged dwell time within networks.

Mitigation Recommendations

To mitigate the threat posed by CountLoader, European organizations should implement a multi-layered defense strategy tailored to the loader’s characteristics. Specific recommendations include:

1) Enhancing email security by deploying advanced phishing detection solutions that analyze sender reputation, email content, and attachment behavior to block malicious phishing attempts impersonating trusted entities such as law enforcement.

2) Implementing strict application control policies to restrict execution of unauthorized .NET, PowerShell, and JScript scripts, including the use of PowerShell Constrained Language Mode and script block logging to detect suspicious activity.

3) Monitoring network traffic for anomalous connections to known or suspicious C2 infrastructure, leveraging threat intelligence feeds that include indicators related to CountLoader and associated malware.

4) Employing endpoint detection and response (EDR) solutions capable of identifying behaviors consistent with loader activity, such as unusual process spawning, persistence mechanism creation, and system information gathering.

5) Conducting regular user awareness training focused on recognizing phishing tactics, especially those exploiting current geopolitical events.

6) Maintaining up-to-date backups and ensuring rapid incident response capabilities to contain and remediate infections promptly.

7) Utilizing threat hunting exercises to proactively search for signs of CountLoader or its payloads within the environment, particularly in high-risk sectors.


Technical Details

Author: AlienVault
TLP: white
References: https://www.silentpush.com/blog/countloader
Adversary: null
Pulse Id: 68cd1af4dafcfd20ae92b395
Threat Score: null

Indicators of Compromise

Threat ID: 68cd339450280a3868eb60ca

Added to database: 9/19/2025, 10:42:28 AM

Last enriched: 9/19/2025, 10:42:52 AM

Last updated: 11/3/2025, 4:26:27 PM

Views: 95
