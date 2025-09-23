

A piece of malware linked to Russian ransomware groups is gaining attention for its ability to keep its access alive long after infection. Researchers at Silent Push call it CountLoader, and it comes in three versions: .NET, PowerShell, and JScript.

The most sophisticated one is the JScript-based version, which the researchers labeled as the main CountLoader implant.

CountLoader’s persistence makes it part of the growing Initial Access Brokers (IAB) market, where attackers sell access to systems rather than data or encryption keys. Silent Push has linked the malware to operations involving LockBit, BlackBasta, and Qilin, confirming its role in ransomware supply chains.

Kasey Best, Director of Threat Intelligence at Silent Push, spoke to Techopedia about how CountLoader works, the campaigns where it has been observed, and the signs security teams should be watching for.

Key Takeaways

  • CountLoader is a malware loader tied to Russian cybercriminals and linked to LockBit, BlackBasta, and Qilin.
  • It comes in .NET, PowerShell, and JScript versions, with the JScript variant showing unusual persistence patterns.
  • Early campaigns in Ukraine used phishing lures posing as police documents to spread CountLoader.
  • Silent Push researchers highlight that the loader is controlled by a small actor group likely working as Initial Access Brokers.
  • Defenders should watch for fake Google update tasks, registry edits, and unusual DNS lookups while using IOFA intelligence to pre-empt attacks.

A Loader Built to Stay Alive

Silent Push analysts see CountLoader as a malicious tool with configurations that allow it to persist long after the initial infection.

The analysts observed that the JScript build is wrapped in an HTA file extension, runs to around 850 lines of code, and uses scheduled tasks disguised as Google updates, registry changes to lift execution limits, and retry loops that go through domains until a server responds.

“It is the most thorough implementation, offering six different methods for file downloading, three different methods for executing various downloadable malware binaries, and a predefined function to identify a victim’s device based on Windows domain information,” Silent Push wrote.

Best said that the level of engineering they observed signals an actor pushing past the usual limits of loader design. 

He told Techopedia:

“Whoever is behind CountLoader has turned a simple downloader script into a more sophisticated tool, which appears to now have its own C2 backend. The lengths to which the attacker goes to make sure their payloads are executed if downloaded are remarkable. A chain of six fallback methods for a single download and execute functionality is rather uncommon.”

Best noted that while many of the persistence tricks within CountLoader were familiar, the intent was to build a loader with a more advanced framework.

“It is always noteworthy when a threat actor begins to push their development boundaries towards the creation of more advanced frameworks,” he said.

Tracing CountLoader From Ukraine to Global Campaigns

The earliest traces came from phishing baits in Ukraine, where malicious documents were disguised as official notices from the national police. Victims who opened the files triggered downloads of CountLoader, giving attackers a foothold on their systems. 

Silent Push researchers observed how this access was then used to stage additional tools, including Cobalt Strike beacons and Lumma Stealer, creating the conditions for follow-on attacks. Based on technical markers such as a hardcoded Yandex Browser user-agent linked to these attacks, Silent Push attributed CountLoader to Russian-speaking cybercriminals.

Asked whether CountLoader was openly traded among threat actors, Best noted its purpose was mostly tied to a small group, saying:

“Our current theory is that CountLoader is a tool related to a single actor, or a small group of actors, who are either acting as IABs or working directly with various ransomware groups as affiliates.”

From those early phishing baits in Ukraine, CountLoader infrastructure was later found in campaigns linked to LockBit, BlackBasta, and Qilin. The pattern fits what previous reports have long noted about Initial Access Brokers, who turn system access into tradable assets that ransomware groups buy and exploit.

According to Rapid7, more than 70% of IAB listings now advertise privileged access, not just basic entry points, and all the characteristics of CountLoader make it a valuable product in that market.

What Defenders Should Be Watching For

Silent Push wants security teams to focus on the persistence and communication methods this loader relies on, which are reliable indicators of compromise. Scheduled tasks masquerading as Google updates and registry edits that alter script execution limits are among the most consistent traces.

Best has also urged organizations to act on this intelligence before ransomware groups take the lead.

He explained:

“Being able to pre-emptively position one’s defenses is the best step defenders can take, as it allows proactive mitigation versus the merely remedial steps supported by a reactive stance.”

Silent Push outlined several priorities for security teams, which include:

  • Watch for suspicious scheduled tasks that resemble Google update processes.
  • Check registry changes that expand execution limits for scripts.
  • Detect unusual DNS lookups, especially patterns where only small character subsets change.
  • Leverage pre-emptive intelligence, including Silent Push’s Indicators of Future Attack (IOFA) feeds.
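The checks above, and the retry loop through domains described earlier, can be turned into simple detection logic. The Python below is an added example written for this article and is not code from Silent Push or its report: it flags scheduled tasks that borrow the Google Update name but execute a binary outside Google's program directories, and clusters DNS queries that differ from one another by only a couple of characters, the shape a loader cycling through pre-generated domains would leave in query logs. All task names, paths and domains are constructed sample data.

```python
from collections import defaultdict

# Constructed sample telemetry, not data from the Silent Push report. The first
# task is the genuine Google updater; the second borrows the name but runs
# mshta.exe on an HTA file from a user-writable folder.
SCHEDULED_TASKS = [
    {"name": "GoogleUpdateTaskMachineUA",
     "action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua"},
    {"name": "GoogleUpdateTaskMachineCore2",
     "action": "C:\\Windows\\System32\\mshta.exe C:\\Users\\Public\\gupdate.hta"},
]
# Four names that differ by a single character (a retry loop cycling through
# pre-generated domains looks like this) mixed with ordinary traffic.
DNS_QUERIES = ["ab1.update-check.example", "ab2.update-check.example",
               "www.google.com", "ab3.update-check.example",
               "ab4.update-check.example", "cdn.jsdelivr.net"]
GOOGLE_DIRS = ("c:\\program files\\google\\", "c:\\program files (x86)\\google\\")

def suspicious_google_tasks(tasks):
    """Tasks with 'Google' in the name whose action runs outside Google's directories."""
    return [t["name"] for t in tasks
            if "google" in t["name"].lower()
            and not t["action"].lower().startswith(GOOGLE_DIRS)]

def hamming(a, b):
    """Positions at which two equal-length strings differ."""
    return sum(x != y for x, y in zip(a, b))

def rotating_domain_clusters(queries, max_diff=2, min_size=3):
    """Group equal-length names differing in at most max_diff characters; return
    the groups with at least min_size members (union-find over name indices)."""
    names = sorted(set(queries))
    parent = list(range(len(names)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            if len(names[i]) == len(names[j]) and hamming(names[i], names[j]) <= max_diff:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, name in enumerate(names):
        groups[find(i)].append(name)
    return [g for g in groups.values() if len(g) >= min_size]
```

On real telemetry, feed the task list from an export of the Task Scheduler and the query list from DNS server or endpoint logs; the thresholds are starting points to tune against your own baseline.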

The Bottom Line

Based on the persistence features of CountLoader observed by Silent Push, early intervention appears to be the most effective way to disrupt its role in ransomware supply chains. 

While Best confirms the loader is not being developed for mass adoption in the wider ransomware market, it appears to provide steady, reliable access that can be passed on to ransomware operators.

Best explained that this reflects a broader move toward specialized groups filling niches in the cybercrime economy. That focus makes threats like CountLoader harder to spot. For security teams, the take-home point is to treat loaders as priority targets in their own right, not just as precursors to ransomware.

FAQs

How does CountLoader spread?

Silent Push researchers first observed it delivered through phishing lures in Ukraine, often disguised as official police documents.

Why is CountLoader important in ransomware campaigns?

It serves as the entry point for groups like LockBit, BlackBasta, and Qilin, making it part of the Initial Access Broker economy where access is traded as a commodity.

How can defenders detect CountLoader?

Indicators include fake Google update tasks, registry edits that alter script execution limits, and unusual DNS lookups. Silent Push also provides IOFA feeds to identify related infrastructure early.

References

  1. CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions (Silent Push)
  2. Initial Access Brokers Are Key to Rise in Ransomware Attacks (Recorded Future)
  3. Rapid7 Access Brokers Report: New Research Reveals Depth of Compromise in Access Broker Deals, with 71% Offering Privileged Access (Rapid7)


Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. Apart from Techopedia, his writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock, and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.

