
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Cracked Software Sites Abused to Deliver Evolving CountLoader Malware

Cybersecurity researchers have uncovered a new malware campaign abusing cracked software distribution sites to deploy CountLoader, a modular and stealthy loader designed to deliver follow-on malware.
The campaign relies on social engineering, trusted platforms, and native Windows tools to evade detection while establishing long-term persistence.
Once installed, CountLoader profiles infected systems and selectively deploys secondary payloads, including information stealers, highlighting the continued risk posed by pirated software ecosystems.
Context
Cracked software remains a high-risk infection vector, particularly for users seeking pirated versions of popular applications.
Threat actors increasingly leverage this ecosystem to distribute loaders that act as flexible delivery mechanisms rather than single-purpose malware.
CountLoader, first observed earlier this year, has been repeatedly updated to improve stealth, persistence, and payload delivery.
What Happened
According to researchers from Cyderes, the latest campaign begins when users attempt to download cracked versions of legitimate software such as Microsoft Word.
Victims are redirected to a MediaFire download containing a password-protected archive.
Inside the archive is a renamed, legitimate Python interpreter configured to retrieve CountLoader version 3.2 from a remote server, initiating a multi-stage infection chain.
Technical Breakdown
CountLoader abuses trusted Windows utilities to remain file-light and evade security controls.
The loader executes via mshta.exe, establishes persistence through a scheduled task masquerading as a Google system component, and is configured to run every 30 minutes for up to a decade.
The malware checks for the presence of CrowdStrike Falcon and modifies its execution method accordingly to reduce detection risk.
Newer versions add USB propagation via malicious shortcuts, in-memory PowerShell execution, and support for deploying EXE, DLL, MSI, and ZIP-based payloads.
Impact Analysis
In observed attacks, CountLoader ultimately delivered ACR Stealer, a credential and data theft malware.
Previous investigations by Fortinet and Silent Push have linked CountLoader to payloads such as Cobalt Strike, remote access trojans, and cryptominers.
The loader’s modular design allows attackers to adapt payloads based on victim value, increasing long-term risk.
Why It Matters
This campaign underscores how signed binaries, living-off-the-land techniques, and pirated software combine to create highly effective infection chains.
Users may unknowingly bypass organizational defenses, while defenders face malware that blends into normal system activity.
The approach reflects a broader shift toward loaders optimized for flexibility, persistence, and stealth rather than immediate impact.
Expert Commentary
Cyderes researchers note that CountLoader’s evolution highlights a growing reliance on fileless execution and trusted system components.
These techniques reduce traditional antivirus effectiveness and require behavioral detection and layered controls to identify early-stage compromise.
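The scheduled-task traits listed under Technical Breakdown (an mshta.exe launcher, a task named after Google, a 30-minute repetition kept alive for years) and the behavioral detection the Cyderes researchers call for above can be turned into a small hunt. The Python script below is an added example, not code from the page or from Cyderes or Fortinet: it parses Task Scheduler XML definitions (the format produced by `schtasks /query /xml` and stored under C:\Windows\System32\Tasks) and reports each trait it finds. The two embedded task definitions, their names, the LOLBin list, the vendor-directory table and the interval/duration thresholds are constructed assumptions for illustration; it generalizes slightly beyond the article by also flagging any command line that references a user-writable directory.

```python
"""Hunt for scheduled tasks with CountLoader-like traits (added example, not the page's code).

Reads Task Scheduler XML (schtasks /query /xml or C:\\Windows\\System32\\Tasks)
and flags: a LOLBin launcher such as mshta.exe, a command line under a
user-writable directory, a vendor-sounding task name whose binary is not in
that vendor's folder, and a beacon-like schedule (frequent repetition, long duration).
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Native Windows utilities commonly abused as launchers (living-off-the-land binaries).
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}

# Directories a standard user can write to; legitimate scheduled tasks rarely launch from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Vendor names borrowed for task names, and where that vendor's binaries genuinely live
# (constructed table; extend with the vendors present in your environment).
VENDOR_DIRS = {"google": "\\google\\"}

# ISO 8601 duration as used by Task Scheduler, e.g. PT30M or P3650D.
_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
                  r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_minutes(value):
    """Convert an ISO 8601 duration to minutes (years/months approximated); None if unparsable."""
    m = _DUR.match(value or "")
    if not m:
        return None
    y, mo, w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    days = y * 365 + mo * 30 + w * 7 + d
    return days * 1440 + h * 60 + mi + s / 60


def analyse_task(task_name, xml_text):
    """Return a list of 'tag: detail' findings for one task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = PureWindowsPath(command).name.lower()
        cmdline = f"{command} {args}".lower()
        if exe in LOLBINS:
            findings.append(f"lolbin: {exe} launched with arguments '{args[:80]}'")
        if any(marker in cmdline for marker in USER_WRITABLE):
            findings.append("user-writable-path: command line references a user-writable directory")
        for vendor, vendor_dir in VENDOR_DIRS.items():
            if vendor in task_name.lower() and vendor_dir not in command.lower():
                findings.append(f"masquerade: task named after {vendor} but runs {command}")
    for rep in root.findall(".//t:Repetition", NS):
        interval = iso_duration_minutes(rep.findtext("t:Interval", namespaces=NS))
        duration = iso_duration_minutes(rep.findtext("t:Duration", namespaces=NS))
        # Hourly-or-faster repetition that stays armed for a year or more looks like a beacon.
        if interval is not None and duration is not None and interval <= 60 and duration >= 365 * 1440:
            findings.append(f"beacon-like-schedule: every {interval:g} min for {duration / 1440:g} days")
    return findings


def scan(tasks):
    """Map task name -> findings for a dict of {task name: task XML}."""
    return {name: analyse_task(name, xml) for name, xml in tasks.items()}


# Constructed sample: the pattern the article describes (no XML declaration, so it parses as str).
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Keeps Google software up to date</Description></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\mshta.exe</Command>
      <Arguments>C:\Users\alice\AppData\Local\Temp\update.hta</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a benign-looking updater task that should produce no findings.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Keeps Google software up to date</Description></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval><Duration>P1D</Duration></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/ua</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, hits in scan({"GoogleSystemUpdate": SUSPICIOUS_TASK,
                            "GoogleUpdateBenignSample": BENIGN_TASK}).items():
        print(name, "->", hits or "no findings")
```

On a live host, feed the script the contents of each file under C:\Windows\System32\Tasks (or the output of `schtasks /query /xml /tn <name>`) with the task's registered name; any task that trips the `lolbin` or `masquerade` rule together with `beacon-like-schedule` deserves a look at the action's arguments and at the process tree under mshta.exe.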
Key Takeaways
Cracked software sites remain a major malware distribution channel
CountLoader uses native Windows tools to evade detection
Persistence mechanisms are designed for long-term access
Modular loaders enable selective payload deployment
USB propagation and in-memory execution increase spread risk
Avoiding pirated software significantly reduces exposure

