CountLoader and GachiLoader Campaigns Abuse Cracked Software
🔒 Cybersecurity teams disclosed linked campaigns that abuse cracked-software sites and compromised YouTube accounts to deliver modular loaders CountLoader and GachiLoader. CountLoader 3.2 is distributed via malicious ZIPs hosted on MediaFire and uses a renamed Python binary invoked through mshta.exe to establish persistence with scheduled tasks that mimic Google and fetch next-stage payloads. Check Point described GachiLoader, an obfuscated Node.js loader spread through a "YouTube Ghost Network" that deploys novel PE injection via a Kidkadi stage. Both campaigns emphasize in-memory execution, signed-binary abuse, removable-media spread, and sophisticated evasion.
