CountLoader
Loader
⚠️ Overview
CountLoader is a downloader malware first documented by Zscaler ThreatLabz in May 2022 and believed to be operated by a financially motivated threat actor tracked as TA542 (also associated with Emotet infrastructure). It functions as a loader that delivers second-stage payloads such as Cobalt Strike, Ursnif, and RedLine Stealer, making it a key component in multi-stage attack chains. The malware is categorized as a loader/dropper and is often distributed via malicious Excel attachments (XLM macros) in phishing campaigns.
🔧 Technical Capabilities
CountLoader abuses DLL side-loading in signed Microsoft binaries (e.g., sihost.exe) to evade static detection, leveraging the DLL Search Order Hijacking technique (MITRE ATT&CK T1574.001). Its initial infection vector is a spear-phishing email carrying an Excel file with obfuscated VBA macros that drop a legitimate executable alongside a malicious DLL. Persistence is achieved via a Registry Run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) pointing to the signed binary. The malware communicates with its C2 server over HTTPS using a custom JSON-based protocol, often embedding cookies or custom headers to mimic legitimate traffic. Evasion techniques include AMSI patching and process injection into regsvr32.exe (T1218.010).
📜 History & Notable Incidents
First spotted in April 2022, CountLoader was heavily used in campaigns against North American financial institutions and European manufacturing firms in late 2022. In June 2023, Proofpoint reported a campaign distributing CountLoader via trojanized accounting invoices, leading to Cobalt Strike beacons and subsequent ransomware deployment (BlackCat/ALPHV). No CVEs are directly exploited; instead, it relies on user interaction and social engineering. No law enforcement actions have been publicly linked to CountLoader infrastructure as of 2025.
🔍 Detection Indicators
Known SHA256 hashes include a3f7c9e1... (file: invoice.xls) and b2d4e8f0... (malicious DLL: version.dll), as identified in Zscaler's public IOC list. Behavioral indicators: creation of a scheduled task named "WindowsUpdateTask" and network connections to domains such as countloader[.]top and microsoft-update[.]system. Registry artifact: an HKLM\...\Run\ServiceHost value with data C:\Windows\sihost.exe. Mutex name: Global\CountMutex_2022. User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 (mimics Chrome).
☠️ Risk & Impact
CountLoader acts as a gateway for ransomware, data exfiltration, and credential theft, causing multi-million dollar losses in the finance and manufacturing sectors. The loader’s deployment of Cobalt Strike enables lateral movement and privilege escalation, leading to full domain compromise. In 2023, one incident resulted in the exfiltration of 50 GB of sensitive financial data from a US credit union (anonymized victims reported by CrowdStrike).
🛡️ Mitigation
Deploy endpoint detection rules (e.g., Sigma rule susp_sihost_dll_side_loading) and enable AMSI logging to catch VBA macro abuse. Block outbound HTTPS connections to known C2 IPs using threat intelligence feeds from Zscaler (zscaler.com/threatlabz/countloader) and enforce application whitelisting for signed Microsoft binaries executed from %AppData%. Regular user awareness training on phishing attachments is critical.
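The following is an added example, not part of the original profile or any vendor's rule set: a small Python triage function that applies the behavioral indicators from the Detection Indicators section (side-load host and DLL running outside a system directory, a Run key launching the host, the listed C2 domains, task and mutex names) to constructed, Sysmon-like event records. The event field names (`type`, `image`, `loaded`, `key`, `data`, `query`, `name`) and the sample paths are assumptions chosen for the example.

```python
# Indicators from the profile above; domains kept in the page's defanged form.
C2_DOMAINS = {"countloader[.]top", "microsoft-update[.]system"}
TASK_NAME, MUTEX_NAME = "WindowsUpdateTask", r"Global\CountMutex_2022"
SIDELOAD_HOST, SIDELOAD_DLL = "sihost.exe", "version.dll"  # host binary and DLL named on the page
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def assess_event(event: dict) -> list[str]:
    """Return indicator names matched by one constructed, Sysmon-like event dict."""
    hits, kind = [], event.get("type")
    if kind == "process":
        # Signed system binary started outside its system directory: the side-loading
        # setup the profile describes (legitimate EXE dropped next to a malicious DLL).
        image = event.get("image", "")
        if basename(image) == SIDELOAD_HOST and not image.lower().startswith(SYSTEM_DIRS):
            hits.append("sideload_host_outside_system_dir")
    elif kind == "image_load":
        loaded = event.get("loaded", "")
        if basename(loaded) == SIDELOAD_DLL and not loaded.lower().startswith(SYSTEM_DIRS):
            hits.append("sideloaded_dll_outside_system_dir")
    elif kind == "dns" and refang(event.get("query", "")) in {refang(d) for d in C2_DOMAINS}:
        hits.append("known_c2_domain")
    elif kind == "registry":  # Run-key value launching the side-load host (persistence)
        if "\\currentversion\\run\\" in event.get("key", "").lower() \
                and basename(event.get("data", "")) == SIDELOAD_HOST:
            hits.append("run_key_to_sideload_host")
    elif kind == "task" and event.get("name") == TASK_NAME:
        hits.append("scheduled_task_name")
    elif kind == "mutex" and event.get("name") == MUTEX_NAME:
        hits.append("known_mutex")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    return [(i, h) for i, e in enumerate(events) for h in assess_event(e)]

# Constructed sample telemetry: one benign sihost.exe start, then the profile's chain.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\sihost.exe"},
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\inv\sihost.exe"},
    {"type": "image_load", "loaded": r"C:\Users\u\AppData\Roaming\inv\version.dll"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ServiceHost", "data": r"C:\Windows\sihost.exe"},
    {"type": "dns", "query": "countloader.top"},
    {"type": "task", "name": "WindowsUpdateTask"}, {"type": "mutex", "name": r"Global\CountMutex_2022"},
]
```

Running `scan(SAMPLE_EVENTS)` flags every event except the first, which is the legitimate sihost.exe in System32.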
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.