CountLoader malware loader used by Russian ransomware gangs for payload delivery
Malware Activity
Summary
CountLoader is being used in active ransomware operations to deliver AdaptixC2 worldwide, with analysts linking the loader to the malware’s deployment and a DFIR case involving an Akira affiliate. A Silent Push analysis says the abuse accelerated after new detection signatures were released, and it also identified the developer alias RalfHacker as a closely watched contributor to the framework.
Related Happenings
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
AgingFly malware attacks local governments and hospitals in Ukraine
Malware Activity
First: 16.04.2026 00:57
Last: 16.04.2026 00:57
Sources 1
About this happening:
The **AgingFly** malware is now being deployed against **local governments and hospitals** in **Ukraine**, where it steals browser and WhatsApp authentication data and enables dee...
JanelaRAT malware activity targeting Latin American banks
Malware Activity
First: 13.04.2026 20:15
Last: 13.04.2026 20:15
Sources 1
About this happening:
**JanelaRAT** continues targeting **Latin American banks and financial institutions**, with telemetry showing **14,739 attacks in Brazil** in **2025** and **11,695 in Mexico**, ra...
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
How related:
A DFIR investigation found an Akira affiliate using the tool.
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
Timeline
19.12.2025 17:34 · 1 article · 5mo ago
New CountLoader campaign delivers ACR Stealer
Campaign Scope Update: A new CountLoader campaign abuses cracked software distribution sites and MediaFire ZIP archives to deliver CountLoader 3.2, using Setup.exe, mshta.exe, scheduled-task persistence, removable USB spread, and in-memory execution to install ACR Stealer on infected Windows hosts.
Sources:
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34
18.09.2025 15:56 · 5 articles · 8mo ago
CountLoader loader used by Russian ransomware affiliates
Initial Disclosure: CountLoader is a new malware loader used by Russian ransomware gangs and affiliates tied to LockBit, Black Basta, and Qilin to deliver Cobalt Strike, AdaptixC2, and PureHVNC RAT; it appears in .NET, PowerShell, and JavaScript variants, has been seen in PDF-based phishing against individuals in Ukraine impersonating the National Police of Ukraine, and includes file-download, execution, persistence, and staging features such as scheduled-task persistence, a Music folder staging location, and traffic redirection through BrowserVenom.
Sources:
- CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader — thehackernews.com — 18.09.2025 15:56
- Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam — thehackernews.com — 26.09.2025 19:40
- Ukrainian Cops Spoofed in Fileless Phishing Attacks on Kyiv — www.darkreading.com — 29.09.2025 17:49
- Threat Actors Utilize AdaptixC2 for Malicious Payload Delivery — www.infosecurity-magazine.com — 30.10.2025 18:00