Home > Security > Security News

New CountLoader Malware Linked to Major Ransomware Gangs LockBit, BlackBasta, and Qilin

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Ransomware - Laptop - PDF

Security researchers have discovered a new malware loader, dubbed "CountLoader," which is strongly associated with prominent Russian ransomware groups. The loader, which has been observed in three distinct versions—.NET, PowerShell, and JScript—is being leveraged as an Initial Access Broker (IAB) in high-stakes ransomware attacks.

CountLoader Malware Analysis

CountLoader is an evolving threat designed to deploy secondary payloads, making it a crucial component in the attack chain. Silent Push analysis reveals the malware is apparently used by major ransomware groups, including LockBit, Black Basta, and Qilin, to gain initial entry into target networks. 

Its different versions exhibit varying levels of sophistication. The JScript variant is the most complex, featuring six different methods for downloading files and functionality to collect detailed system information from victims.

Screenshot of the PDF lure impersonating the Ukrainian police
Screenshot of the PDF lure impersonating the Ukrainian police | Source: SilentPush

A recent campaign utilizing CountLoader involved a PDF-based phishing lure impersonating the Ukrainian police to target individuals in Ukraine. This strengthens the suspected ties to Russian-speaking threat actors. 

The loader's command and control (C2) communication pattern is unique, and its code includes advanced features like multi-layered download attempts using LOLBins such as "certutil" and "bitsadmin."

Role in Ransomware Attacks

The connection to ransomware operations is a critical piece of cybersecurity threat intelligence. By analyzing Cobalt Strike samples delivered by CountLoader, researchers linked the malware's C2 infrastructure to watermarks previously associated with BlackBasta and Qilin ransomware incidents. 

The loader frequently stages its payloads in the victim's "Music" folder, a TTP that aligns with past LockBit campaigns. 

The discovery of CountLoader provides defenders with new indicators to hunt for, as it signifies the initial stage of potentially devastating ransomware attacks. Organizations are urged to review security logs for signs of this new threat.

Add a Comment
Related
Woman - Shopper - Retail - Facial Recognition - Camera
Kmart Australia Found in Breach of Privacy Laws with Facial Recognition in Stores
Alarm - Security Alert - Laptop
After-Hours Cyber Threats Rise, Arctic Wolf 2025 Report Says
Newspaper - Map - Handwriting
CopyCop Expands Russian Disinformation Campaigns with 300 New Fake Websites in 2025
Cracked Wi-Fi - Laptop - Employee
Decade-Old Pixie Dust Exploit Risk Persists in Modern Wireless Firmware, Report Says
Crowdstrike - NPM - Malware
Multiple CrowdStrike npm Packages Targeted in Supply Chain Attack as Attack Surface Expands
Hacker - Jail
From Teen Hacker to Inmate: U.S. Court Resentences BreachForums Founder to Three Years Behind Bars
Most Popular
Woman - Shopper - Retail - Facial Recognition - Camera
Kmart Australia Found in Breach of Privacy Laws with Facial Recognition in Stores
Alarm - Security Alert - Laptop
After-Hours Cyber Threats Rise, Arctic Wolf 2025 Report Says
Newspaper - Map - Handwriting
CopyCop Expands Russian Disinformation Campaigns with 300 New Fake Websites in 2025
Michigan Bill Proposes Ban on Adult Content and VPNs
Michigan Bill Proposes Ban on Adult Content and VPNs
Age Verification Laws Are Splintering the US Internet
Age Verification Laws Are Splintering the US Internet
Italy Drops to 11th in National Privacy Test 2025
National Privacy Test 2025: What Italians Get Right (and Wrong) About Online Security
Kmart Australia Found in Breach of Privacy Laws with Facial Recognition in Stores
After-Hours Cyber Threats Rise, Arctic Wolf 2025 Report Says
CopyCop Expands Russian Disinformation Campaigns with 300 New Fake Websites in 2025
Michigan Bill Proposes Ban on Adult Content and VPNs
Age Verification Laws Are Splintering the US Internet
National Privacy Test 2025: What Italians Get Right (and Wrong) About Online Security

Most Popular
Woman - Shopper - Retail - Facial Recognition - Camera
Kmart Australia Found in Breach of Privacy Laws with Facial Recognition in Stores
Alarm - Security Alert - Laptop
After-Hours Cyber Threats Rise, Arctic Wolf 2025 Report Says
Newspaper - Map - Handwriting
CopyCop Expands Russian Disinformation Campaigns with 300 New Fake Websites in 2025
Michigan Bill Proposes Ban on Adult Content and VPNs
Michigan Bill Proposes Ban on Adult Content and VPNs
Age Verification Laws Are Splintering the US Internet
Age Verification Laws Are Splintering the US Internet
Italy Drops to 11th in National Privacy Test 2025
National Privacy Test 2025: What Italians Get Right (and Wrong) About Online Security
Kmart Australia Found in Breach of Privacy Laws with Facial Recognition in Stores
After-Hours Cyber Threats Rise, Arctic Wolf 2025 Report Says
CopyCop Expands Russian Disinformation Campaigns with 300 New Fake Websites in 2025
Michigan Bill Proposes Ban on Adult Content and VPNs
Age Verification Laws Are Splintering the US Internet
National Privacy Test 2025: What Italians Get Right (and Wrong) About Online Security

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: