CountLoader and GachiLoader Malware Campaigns via Cracked Software and YouTube
Summary
Cybersecurity researchers have identified two distinct malware campaigns involving CountLoader and GachiLoader. CountLoader is distributed through cracked software downloads and employs a multi-stage attack to deliver additional malware, including ACR Stealer. GachiLoader, distributed via compromised YouTube accounts, uses advanced techniques to deploy payloads like Rhadamanthys information stealer. Both campaigns highlight the evolving sophistication of malware distribution and evasion techniques.
Timeline
- 19.12.2025 17:34 · 1 article
CountLoader and GachiLoader Malware Campaigns Disclosed
Cybersecurity researchers have disclosed details of two distinct malware campaigns involving CountLoader and GachiLoader. CountLoader is distributed through cracked software downloads and employs a multi-stage attack to deliver additional malware, including ACR Stealer. GachiLoader, distributed via compromised YouTube accounts, uses advanced techniques to deploy payloads like Rhadamanthys information stealer. Both campaigns highlight the evolving sophistication of malware distribution and evasion techniques.
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34
Information Snippets
- CountLoader is a modular and stealthy loader used in multi-stage attacks for access, evasion, and delivery of additional malware.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- CountLoader has been detected in the wild since at least June 2025 and can push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- The latest CountLoader campaign begins with users downloading cracked software, leading to a malicious ZIP archive and a Microsoft Word document with a password.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- CountLoader 3.2 is retrieved from a remote server using 'mshta.exe' and establishes persistence by creating a scheduled task mimicking Google.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- CountLoader checks for CrowdStrike's Falcon security tool and adjusts its persistence command accordingly.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- CountLoader can profile the compromised host, fetch next-stage payloads, and spread via removable USB drives.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- The final payload deployed by CountLoader in this campaign is ACR Stealer, which harvests sensitive data from infected hosts.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- GachiLoader is a heavily obfuscated JavaScript malware loader written in Node.js, distributed via compromised YouTube accounts.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- GachiLoader deploys a second-stage malware, Kidkadi, which implements a novel technique for Portable Executable (PE) injection.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- GachiLoader has been distributed through approximately 100 YouTube videos, amassing around 220,000 views, uploaded from 39 compromised accounts.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- GachiLoader serves as a conduit for the Rhadamanthys information stealer malware and performs anti-analysis checks to evade detection.
  First reported: 19.12.2025 17:34 · 1 source, 1 article
- GachiLoader attempts to kill 'SecHealthUI.exe' and configures Microsoft Defender exclusions to avoid detection.
  First reported: 19.12.2025 17:34 · 1 source, 1 article