
Novel multi-version CountLoader malware loader advances Russian ransomware


Malicious payloads, such as Cobalt Strike, AdaptixC2, and the PureHVNC RAT, have been deployed by Russian ransomware operations through three different versions of the newly emergent CountLoader malware loader, according to The Hacker News.

The most advanced iteration of CountLoader, which has been seen in a Ukraine-aimed attack campaign, is the JavaScript variant, which supports half a dozen file download methods, three different techniques for executing malware binaries, and device identification based on Windows domain information, a report from Silent Push revealed.

Other versions of the loader were based on .NET and PowerShell, with the latter previously reported by Kaspersky to have been spread via DeepSeek lures. Additional findings revealed that CountLoader, which is underpinned by more than 20 unique domains, has been staging malware through the impacted device's Music folder.

The analysis comes after multiple Russian ransomware groups were reported by DomainTools to have been using the same tools, including Quick Assist and AnyDesk, in their attacks.

"Brand allegiance among these operators is weak, and human capital appears to be the primary asset, rather than specific malware strains," noted DomainTools.
