{"id":228848,"date":"2026-05-13T03:00:36","date_gmt":"2026-05-13T10:00:36","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=228848"},"modified":"2026-05-07T12:12:08","modified_gmt":"2026-05-07T19:12:08","slug":"sinkholing-countloader-insights-into-its-recent-campaign","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/","title":{"rendered":"Sinkholing CountLoader: Insights into Its Recent Campaign"},"content":{"rendered":"<p style=\"text-align: center;\"><em><span class=\"TextRun SCXW45847568 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW45847568 BCX0\">Authored\u00a0<\/span><span class=\"NormalTextRun SCXW45847568 BCX0\">by Harshil Patel and\u00a0<\/span><span class=\"NormalTextRun SCXW45847568 BCX0\">Sakshi<\/span><span class=\"NormalTextRun SCXW45847568 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW45847568 BCX0\">Jaiswal<\/span><\/span><span class=\"EOP SCXW45847568 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/em><\/p>\n<p><span class=\"TextRun SCXW73440875 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW73440875 BCX0\">McAfee Labs has recently uncovered a large-scale\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW73440875 BCX0\">CountLoader<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and\u00a0<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">maintain<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0persistence\u00a0<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">in<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0infected systems. 
The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in-memory shellcode injection, each stage decrypting and launching the next. The attackers\u00a0<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">employ<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0a custom encrypted communication protocol to interact with their C2 servers. By registering a backup domain used by the malware, we were able to sinkhole the traffic and\u00a0<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">observe<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0thousands of infected machines connecting to the<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0C2<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0infrastructure.<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0The f<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">inal payload deployed in this campaign is a cryptocurrency clipper, which\u00a0<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">monitors<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0clipboard activity and replaces copied wallet addresses with\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW73440875 BCX0\">attacker-controlled<\/span><span class=\"NormalTextRun SCXW73440875 BCX0\">\u00a0ones to redirect cryptocurrency transactions.<\/span><\/span><span class=\"EOP SCXW73440875 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"1\"><span data-contrast=\"none\">Sinkholing<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Sinkholing\u00a0is a defensive technique in which researchers take control of malicious domains or infrastructure used by malware. 
Instead of allowing infected systems to communicate with attacker-controlled C2 servers, the traffic is redirected to a\u00a0researcher-controlled\u00a0server.\u00a0This approach enables researchers to\u00a0monitor\u00a0infected hosts, collect telemetry,\u00a0and measure\u00a0the\u00a0scale\u00a0and spread of a campaign.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"1\"><span data-contrast=\"none\">Key\u00a0Findings<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<ul>\n<li><span data-contrast=\"auto\">McAfee researchers\u00a0identified\u00a0a large-scale\u00a0CountLoader\u00a0campaign using multi-stage payload delivery and heavy obfuscation techniques.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Researchers successfully\u00a0sinkholed\u00a0malware communication\u00a0using\u00a0a backup C2 domain, enabling visibility into the campaign\u2019s infrastructure and infected hosts.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The sinkhole received approximately 5,000 connections per minute from infected systems.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Telemetry collected during the investigation revealed around 86,000 unique infected machines.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The\u00a0malware\u00a0also spreads through USB drives, with approximately 9,000 infections attributed to removable media.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The final payload deployed in this campaign is\u00a0cryptocurrency\u00a0clipper malware that hijacks clipboard data to redirect cryptocurrency transactions.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2 aria-level=\"1\"><span 
data-contrast=\"none\">C2\u00a0Sinkholing\u00a0and\u00a0Geographical Prevalence\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Because the malware contacts the C2 servers in reverse order and only hell1-kitty[.]cc was used by the attackers, we were able to register hell10-kitty[.]cc\u00a0and\u00a0gain insights into the campaign.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_228851\" aria-describedby=\"caption-attachment-228851\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-228851\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.22.18-AM-1024x539.png\" alt=\"Figure 1: Sinkholing malware communication\" width=\"1024\" height=\"539\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.22.18-AM-1024x539.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.22.18-AM-300x158.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.22.18-AM-768x404.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.22.18-AM-205x108.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.22.18-AM.png 1356w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-228851\" class=\"wp-caption-text\"><em>Figure 1: Sinkholing malware communication<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">On average, around 5,000 infected clients\u00a0contacted\u00a0our server every minute.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In total, 
we\u00a0observed\u00a0approximately 86,000\u00a0unique infections.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Telemetry collected revealed that this\u00a0CountLoader\u00a0campaign has a broad global footprint. The highest number of infections were\u00a0observed\u00a0in India, followed by Indonesia, the United States, and several countries across Southeast Asia.\u00a0<\/span><\/p>\n<figure id=\"attachment_228866\" aria-describedby=\"caption-attachment-228866\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" id=\"longdesc-return-228866\" class=\"size-large wp-image-228866\" tabindex=\"-1\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.26.06-AM-1024x685.png\" alt=\"Figure 2 : Global distribution of CountLoader infections. \" width=\"1024\" height=\"685\" longdesc=\"https:\/\/www.mcafee.com\/blogs?longdesc=228866&amp;referrer=228848\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.26.06-AM-1024x685.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.26.06-AM-300x201.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.26.06-AM-768x514.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.26.06-AM-193x129.png 193w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.26.06-AM.png 1372w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-228866\" class=\"wp-caption-text\"><em>Figure 2: Global distribution of CountLoader infections.<\/em><\/figcaption><\/figure>\n<h2 aria-level=\"1\"><span data-contrast=\"none\">Conclusion<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">CountLoader\u00a0is a multistage malware loader that uses obfuscated JavaScript and trusted Windows utilities to deliver\u00a0additional\u00a0payloads. It ensures persistence via scheduled tasks and uses multiple fallback C2\u00a0domains\u00a0to\u00a0maintain\u00a0reliability.\u00a0The malware\u00a0employs in-memory execution\u00a0and security bypass techniques to evade detection.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In recent campaigns, it has been\u00a0observed\u00a0deploying cryptocurrency clipper malware to silently hijack transactions.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">McAfee researchers\u00a0identified\u00a0a flaw in its\u00a0communication\u00a0mechanism\u00a0and were able to\u00a0exploit it to gain insights\u00a0into the campaign.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"1\"><span data-contrast=\"none\">Technical Analysis<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The following diagram illustrates the complete infection chain used in this\u00a0CountLoader\u00a0campaign, from the\u00a0initial\u00a0execution to the deployment of the final payload.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_228882\" aria-describedby=\"caption-attachment-228882\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" id=\"longdesc-return-228882\" class=\"size-large wp-image-228882\" tabindex=\"-1\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.32.05-AM-1024x543.png\" alt=\"Figure 3 : 
Infection Chain \" width=\"1024\" height=\"543\" longdesc=\"https:\/\/www.mcafee.com\/blogs?longdesc=228882&amp;referrer=228848\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.32.05-AM-1024x543.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.32.05-AM-300x159.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.32.05-AM-768x407.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.32.05-AM-205x109.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.32.05-AM.png 1396w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-228882\" class=\"wp-caption-text\"><em>Figure 3: Infection Chain<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">The infection begins when an EXE file is executed. This file launches a PowerShell command, which downloads and executes an obfuscated JavaScript loader known as\u00a0CountLoader. 
The loader is executed using\u00a0mshta.exe,\u00a0a legitimate Windows utility often abused by malware to run scripts.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Once executed,\u00a0it\u00a0performs several tasks:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li aria-setsize=\"-1\" data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">Establishes\u00a0persistence<\/span><\/b><span data-contrast=\"auto\">\u00a0by creating a scheduled task that runs every 30 minutes.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li aria-setsize=\"-1\" data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">Contacts multiple C2 servers<\/span><\/b><span data-contrast=\"auto\">, trying them in reverse order until a connection is successful.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li aria-setsize=\"-1\" data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"3\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">Attempts to spread via USB drives<\/span><\/b><span data-contrast=\"auto\">\u00a0by replacing files with malicious LNK shortcuts that execute the malware when opened.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li aria-setsize=\"-1\" data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">Waits for the\u00a0C2 server\u00a0to\u00a0issue commands<\/span><\/b><span data-contrast=\"auto\">\u00a0to download and execute payloads.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">The payload execution chain consists of several stages:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Launcher:\u00a0<\/span><\/b><span data-contrast=\"auto\">A secondary JavaScript component creates another scheduled task that runs every 60 minutes, ensuring long-term persistence.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">PowerShell Packer<\/span><\/b><span data-contrast=\"auto\">:\u00a0The launcher executes an obfuscated PowerShell script that acts as a packer. 
This script\u00a0decrypts\u00a0and\u00a0launches\u00a0the next stage.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Injector<\/span><\/b><span data-contrast=\"auto\">:\u00a0The next PowerShell stage disables security mechanisms such as AMSI and injects shellcode into a legitimate process.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Shellcode Execution<\/span><\/b><span data-contrast=\"auto\">:\u00a0The injected shellcode unpacks the final payload directly in memory.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Final Payload<\/span><\/b><span data-contrast=\"auto\">:\u00a0The final payload is executed under the process systeminfo.exe. In this campaign, the deployed payload was identified as cryptocurrency clipper malware, which\u00a0monitors\u00a0clipboard activity and replaces copied cryptocurrency wallet addresses with\u00a0attacker-controlled\u00a0addresses.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3><span class=\"TextRun SCXW7993374 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW7993374 BCX0\" data-ccp-parastyle=\"heading 2\">Stage 1\u00a0<\/span><span class=\"NormalTextRun SCXW7993374 BCX0\" data-ccp-parastyle=\"heading 2\">&#8211;<\/span><span class=\"NormalTextRun SCXW7993374 BCX0\" data-ccp-parastyle=\"heading 2\">\u00a0<\/span><span class=\"NormalTextRun SCXW7993374 BCX0\" data-ccp-parastyle=\"heading 2\">Exe<\/span><\/span><span class=\"EOP SCXW7993374 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span class=\"TextRun SCXW153249301 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW153249301 BCX0\">The infection chain begins with the execution of a malicious EXE\u00a0<\/span><span 
class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW153249301 BCX0\">file,<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">\u00a0which\u00a0<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">immediately<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">runs a<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">Power<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">S<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">hell<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">one-liner<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\"> as shown in the image below<\/span><span class=\"NormalTextRun SCXW153249301 BCX0\">.<\/span><\/span><span class=\"EOP SCXW153249301 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-228897\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.34.09-AM-1024x109.png\" alt=\"Example of the execution chain\" width=\"1024\" height=\"109\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.34.09-AM-1024x109.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.34.09-AM-300x32.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.34.09-AM-768x82.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.34.09-AM-205x22.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.34.09-AM.png 1298w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h3 aria-level=\"2\"><span data-contrast=\"none\">Stage 
2\u00a0&#8211;\u00a0PowerShell<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">The PowerShell script fetched from the URL decodes a Base64-encoded string and executes the resulting content. It also employs an unusual obfuscation technique, where the variable names are crafted to resemble the highlighted pattern, making the script harder to read and analyze.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-228912\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.35.30-AM-1024x82.png\" alt=\"Power Shell\" width=\"1024\" height=\"82\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.35.30-AM-1024x82.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.35.30-AM-300x24.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.35.30-AM-768x61.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.35.30-AM-205x16.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.35.30-AM.png 1300w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span class=\"TextRun SCXW104128697 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW104128697 BCX0\">Multiple<\/span><span class=\"NormalTextRun SCXW104128697 BCX0\">\u00a0such variables are used to create<\/span><span class=\"NormalTextRun SCXW104128697 BCX0\">\u00a0a<\/span><span class=\"NormalTextRun SCXW104128697 BCX0\">\u00a0complete base64 string which is then decoded and executed through Invoke-Expression.<\/span><\/span><span class=\"EOP SCXW104128697 BCX0\" 
data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-228928\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.37.54-AM-1024x120.png\" alt=\"Payload 2\" width=\"1024\" height=\"120\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.37.54-AM-1024x120.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.37.54-AM-300x35.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.37.54-AM-768x90.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.37.54-AM-205x24.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.37.54-AM.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h3 aria-level=\"2\"><span data-contrast=\"none\">Stage 3\u00a0&#8211;\u00a0CountLoader<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">The file is an\u00a0HTA file with\u00a0JavaScript\u00a0that\u00a0uses a string obfuscation\u00a0technique\u00a0to evade detection.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-228943\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.38.49-AM-1024x294.png\" alt=\"Countloader\" width=\"1024\" height=\"294\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.38.49-AM-1024x294.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.38.49-AM-300x86.png 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.38.49-AM-768x221.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.38.49-AM-205x59.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.38.49-AM.png 1308w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span data-contrast=\"auto\">It starts by hiding the\u00a0mshta\u00a0window\u00a0to ensure that the malicious activity runs silently in the background without alerting the user<\/span><span data-contrast=\"none\">.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The script then\u00a0attempts\u00a0to delete its own file in case it was executed locally. If the script\u00a0determines\u00a0that it is not being executed from a URL, it\u00a0terminates\u00a0immediately.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-228958\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.39.33-AM-1024x130.png\" alt=\"Countloader 2\" width=\"1024\" height=\"130\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.39.33-AM-1024x130.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.39.33-AM-300x38.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.39.33-AM-768x98.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.39.33-AM-205x26.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.39.33-AM.png 1274w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span class=\"NormalTextRun SCXW154541537 BCX0\">Then <\/span><span class=\"NormalTextRun 
SCXW154541537 BCX0\">the script<\/span><span class=\"NormalTextRun SCXW154541537 BCX0\">\u00a0tries to contact C2 servers<\/span><span class=\"NormalTextRun SCXW154541537 BCX0\">,\u00a0<\/span><span class=\"NormalTextRun SCXW154541537 BCX0\">iterating through the list in reverse order.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-228973\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.40.41-AM-1024x176.png\" alt=\"Countloader 3\" width=\"1024\" height=\"176\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.40.41-AM-1024x176.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.40.41-AM-300x52.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.40.41-AM-768x132.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.40.41-AM-205x35.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.40.41-AM.png 1288w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<figure id=\"attachment_228988\" aria-describedby=\"caption-attachment-228988\" style=\"width: 890px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-228988\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.42.14-AM.png\" alt=\"Figure 4: C2 communication protocol. 
\" width=\"890\" height=\"730\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.42.14-AM.png 890w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.42.14-AM-300x246.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.42.14-AM-768x630.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.42.14-AM-157x129.png 157w\" sizes=\"auto, (max-width: 890px) 100vw, 890px\" \/><figcaption id=\"caption-attachment-228988\" class=\"wp-caption-text\"><em>Figure 4: C2 communication protocol.<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">A handshake process is performed to verify connectivity with the server. The client sends an encrypted\u00a0\u201ccheckStatus\u201d\u00a0message, and the server responds with an encrypted\u00a0\u201csuccess\u201d\u00a0message if the connection is valid.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">All communications between the client and the server are encrypted, with slightly different encryption schemes used for each direction:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ol>\n<li><span data-contrast=\"auto\">Client\u00a0to\u00a0Server:\u00a0text\u00a0\u2192\u00a0(key+(base64encode(utf16le(xor(text,\u00a0key)))))<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Server\u00a0to\u00a0Client:\u00a0text\u00a0\u2192\u00a0(key+(base64encode(xor(text,\u00a0key))))<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">The key is a randomly generated\u00a0six-digit\u00a0number\u00a0created for each message.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229004\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.43.44-AM-1024x247.png\" alt=\"The key is a randomly generated six digit number created for each message. \" width=\"1024\" height=\"247\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.43.44-AM-1024x247.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.43.44-AM-300x72.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.43.44-AM-768x185.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.43.44-AM-205x49.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.43.44-AM.png 1286w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><span data-contrast=\"auto\">If the handshake is successful, the corresponding domain is selected as the active C2 server, which is used for all subsequent communications.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">To\u00a0maintain\u00a0persistence on the infected system, the malware creates a scheduled task if one does not already exist.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229019\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.44.46-AM-1024x249.png\" alt=\"To maintain persistence on the infected system, the malware creates a scheduled task if one does not already exist. 
\" width=\"1024\" height=\"249\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.44.46-AM-1024x249.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.44.46-AM-300x73.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.44.46-AM-768x187.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.44.46-AM-205x50.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.44.46-AM.png 1292w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span data-contrast=\"auto\">The\u00a0scheduled task\u00a0command\u00a0line\u00a0is\u00a0slightly\u00a0different\u00a0if it detects\u00a0CrowdStrike or\u00a0Reason AV\u00a0installed on the system,\u00a0likely as\u00a0an attempt to evade detection\u00a0from these AVs.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">After\u00a0establishing\u00a0persistence, the malware\u00a0gets\u00a0a JWT token from the C2 server, which is used to authenticate\u00a0further requests.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229034\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.45.36-AM-1024x63.png\" alt=\"The get_jwt_token function sends system information about the infected host to the server.\" width=\"1024\" height=\"63\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.45.36-AM-1024x63.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.45.36-AM-300x19.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.45.36-AM-768x48.png 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.45.36-AM-205x13.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.45.36-AM.png 1258w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span class=\"NormalTextRun SCXW265391772 BCX0\">The\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW265391772 BCX0\">get_jwt_token<\/span><span class=\"NormalTextRun SCXW265391772 BCX0\">\u00a0function sends system information about the infected host to the server<\/span><span class=\"NormalTextRun SCXW265391772 BCX0\">.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229049\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.46.15-AM-1024x549.png\" alt=\"This includes details related to cryptocurrency usage, such as installed wallets and browser extensions, allowing the attackers to determine whether the victim is likely involved with cryptocurrency. 
\" width=\"1024\" height=\"549\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.46.15-AM-1024x549.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.46.15-AM-300x161.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.46.15-AM-768x412.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.46.15-AM-205x110.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.46.15-AM.png 1164w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span data-contrast=\"auto\">This includes details related to cryptocurrency usage, such as installed wallets and browser extensions, allowing the attackers to\u00a0determine\u00a0whether the victim is\u00a0likely involved\u00a0with cryptocurrency.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Finally, the malware\u00a0gets\u00a0commands from the C2 server, which\u00a0is\u00a0then executed on the compromised system.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229064\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.48.44-AM-1024x304.png\" alt=\"command from the C2 server\" width=\"1024\" height=\"304\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.48.44-AM-1024x304.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.48.44-AM-300x89.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.48.44-AM-768x228.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.48.44-AM-205x61.png 205w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.48.44-AM.png 1272w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span data-contrast=\"auto\">Each command\u00a0contains\u00a0a\u00a0taskType\u00a0value that\u00a0determines\u00a0the action to be performed on the infected system.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The table below shows the command codes and their actions.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<table style=\"font-weight: 400; height: 556px;\" width=\"476\" data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\" aria-rowcount=\"10\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Code\u00a0<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Command<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">1<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">execute exe file<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">2<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">execute python file<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">3<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">execute\u00a0dll\u00a0file<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">4<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">uninstall itself<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">5<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">send domain info to C2<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"7\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">6<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">execute\u00a0msi\u00a0file<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"8\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">9<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">spread by infecting\u00a0usb\u00a0files<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"9\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">10<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">execute HTA file<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"10\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">11<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">execute\u00a0powershell\u00a0file<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"TextRun SCXW208944693 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW208944693 BCX0\">We\u00a0<\/span><span class=\"NormalTextRun SCXW208944693 BCX0\">observ<\/span><span class=\"NormalTextRun SCXW208944693 BCX0\">ed<\/span><span class=\"NormalTextRun SCXW208944693 BCX0\">\u00a0two\u00a0<\/span><span class=\"NormalTextRun SCXW208944693 BCX0\">commands\u00a0<\/span><span class=\"NormalTextRun SCXW208944693 BCX0\">from the above list\u00a0<\/span><span class=\"NormalTextRun SCXW208944693 BCX0\">being sent to the malware<\/span><span class=\"NormalTextRun SCXW208944693 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW208944693 BCX0\">as highlighted below:<\/span><\/span><span 
class=\"EOP SCXW208944693 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3><span class=\"TextRun SCXW48896901 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW48896901 BCX0\" data-ccp-parastyle=\"heading 3\">Spreading via USB drives<\/span><span class=\"NormalTextRun SCXW48896901 BCX0\" data-ccp-parastyle=\"heading 3\">\u00a0(<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW48896901 BCX0\" data-ccp-parastyle=\"heading 3\">taskType<\/span><span class=\"NormalTextRun SCXW48896901 BCX0\" data-ccp-parastyle=\"heading 3\">\u00a0\u2013 9)<\/span><\/span><span class=\"EOP SCXW48896901 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">When instructed by the C2 server to\u00a0spread\u00a0via USB drives, the malware replaces certain file types on all connected external drives with LNK shortcut files. These shortcuts are crafted so that when a user opens them, the malware executes while simultaneously opening the original file to avoid suspicion.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Targeted file types\u00a0are\u00a0 exe\u00a0,\u00a0pdf ,\u00a0doc and docx.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The build ID of the malware is appended with \u201c_usb\u201d.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229080\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.50.36-AM-1024x489.png\" alt=\"The build ID of the malware is appended with \u201c_usb\u201d. 
\" width=\"1024\" height=\"489\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.50.36-AM-1024x489.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.50.36-AM-300x143.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.50.36-AM-768x367.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.50.36-AM-205x98.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.50.36-AM.png 1278w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h3><span class=\"TextRun SCXW15241403 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW15241403 BCX0\" data-ccp-parastyle=\"heading 3\">Deploying payload<\/span><span class=\"NormalTextRun SCXW15241403 BCX0\" data-ccp-parastyle=\"heading 3\">\u00a0using\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW15241403 BCX0\" data-ccp-parastyle=\"heading 3\">powershell<\/span><span class=\"NormalTextRun SCXW15241403 BCX0\" data-ccp-parastyle=\"heading 3\">\u00a0(<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW15241403 BCX0\" data-ccp-parastyle=\"heading 3\">taskType<\/span><span class=\"NormalTextRun SCXW15241403 BCX0\" data-ccp-parastyle=\"heading 3\">\u00a0\u2013 11)<\/span><\/span><span class=\"EOP SCXW15241403 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">The\u00a0CountLoader\u00a0is capable of running\u00a0many types of executable files,\u00a0In\u00a0this campaign, it deploys a separate execution chain that\u00a0ultimately leads\u00a0to\u00a0a clipper\u00a0malware.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">CountLoader\u00a0launches 
the next stage using the following command line:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229095\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.51.49-AM-1024x92.png\" alt=\"CountLoader launches the next stage using the following command line: \" width=\"1024\" height=\"92\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.51.49-AM-1024x92.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.51.49-AM-300x27.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.51.49-AM-768x69.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.51.49-AM-205x18.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.51.49-AM.png 1294w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><strong><i>Payload Launcher<\/i>\u00a0<\/strong><\/p>\n<p><span data-contrast=\"auto\">The Payload Launcher is very similar to CountLoader in terms of both functionality and obfuscation techniques.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">However, unlike CountLoader, which retrieves tasks from the C2 server, the launcher contains hard-coded task information.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229110\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.52.39-AM-1024x248.png\" alt=\"For persistence, it creates a scheduled task that executes &quot;mshta.exe {domain}\/{name}&quot; every 60 minutes. 
\" width=\"1024\" height=\"248\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.52.39-AM-1024x248.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.52.39-AM-300x73.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.52.39-AM-768x186.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.52.39-AM-205x50.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.52.39-AM.png 1288w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span class=\"TextRun SCXW106900140 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW106900140 BCX0\">For persistence, it creates a scheduled task wh<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">ich\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW106900140 BCX0\">executes\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW106900140 BCX0\">\u00a0&#8220;<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">mshata.exe\u00a0<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">{<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">domain<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">}<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">\/<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">{<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">name<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">}<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">&#8220;<\/span><span class=\"NormalTextRun SCXW106900140 BCX0\">\u00a0every 60 minutes.<\/span><\/span><span class=\"EOP SCXW106900140 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<div class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning 
wpa-image-missing-alt aligncenter wp-image-229125 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.53.09-AM-1024x97.png\" alt=\"For persistence, it creates a scheduled task that executes &quot;mshta.exe {domain}\/{name}&quot; every 60 minutes.\" width=\"1024\" height=\"97\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.53.09-AM-1024x97.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.53.09-AM-300x29.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.53.09-AM-768x73.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.53.09-AM-205x20.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.53.09-AM.png 1282w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div>\n<p><span data-contrast=\"auto\">In the task configuration:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">&#8220;url&#8221; specifies the URL of the payload.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">&#8220;taskType&#8221; is set to 11, indicating that the payload should be executed as a PowerShell script.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229140\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.04-AM-1024x85.png\" alt=\"&quot;taskType&quot; is set to 11, indicating that the payload should be executed as a PowerShell script. 
\" width=\"1024\" height=\"85\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.04-AM-1024x85.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.04-AM-300x25.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.04-AM-768x64.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.04-AM-205x17.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.04-AM.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h4 aria-level=\"4\"><i><span data-contrast=\"none\">Powershell\u00a0Packer<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h4>\n<p><span data-contrast=\"auto\">The\u00a0PowerShell script executed by the launcher acts as a simple packer. It is obfuscated using the same obfuscation technique mentioned earlier. 
The packer\u2019s primary function is to decrypt and execute another PowerShell script.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229155\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.54-AM-1024x422.png\" alt=\"PowerShell packer\" width=\"1024\" height=\"422\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.54-AM-1024x422.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.54-AM-300x124.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.54-AM-768x317.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.54-AM-205x85.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.54.54-AM.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h4 aria-level=\"4\"><i><span data-contrast=\"none\">Injector<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h4>\n<p><span data-contrast=\"auto\">The next stage is another PowerShell script responsible for injecting shellcode into a running process.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Before performing the injection, the script disables AMSI (Antimalware Scan Interface) using a script taken from <\/span><a href=\"https:\/\/github.com\/S3cur3Th1sSh1t\/Amsi-Bypass-Powershell?tab=readme-ov-file#patching-clr\"><span data-contrast=\"none\">GitHub &#8211; S3cur3Th1sSh1t\/Amsi-Bypass-Powershell<\/span><\/a><span data-contrast=\"auto\">. Because this bypass is publicly available, its presence alone does not tie activity to this campaign.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229170\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.56.03-AM-1024x366.png\" alt=\"powershell script\" width=\"1024\" height=\"366\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.56.03-AM-1024x366.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.56.03-AM-300x107.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.56.03-AM-768x275.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.56.03-AM-205x73.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.56.03-AM.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span class=\"TextRun SCXW27816671 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW27816671 BCX0\">After disabling AMSI, the script executes code that performs shellcode injection<\/span><span class=\"NormalTextRun SCXW27816671 BCX0\">,<\/span><\/span><span class=\"EOP SCXW27816671 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229185\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.57.13-AM-1024x965.png\" alt=\"After disabling AMSI, the script executes code that performs shellcode injection, \" width=\"1024\" height=\"965\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.57.13-AM-1024x965.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.57.13-AM-300x283.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.57.13-AM-768x724.png 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.57.13-AM-137x129.png 137w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.57.13-AM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.57.13-AM.png 1050w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span class=\"TextRun SCXW160317021 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160317021 BCX0\">The shellcode is injected into one of these legitimate processes:<\/span><\/span><span class=\"EOP SCXW160317021 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229200\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.58.12-AM-1024x347.png\" alt=\"The shellcode is injected into one of these legitimate processes\" width=\"1024\" height=\"347\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.58.12-AM-1024x347.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.58.12-AM-300x102.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.58.12-AM-768x260.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.58.12-AM-205x70.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.58.12-AM.png 1044w\" sizes=\"auto, (max-width: 1024px) 100vw, 
1024px\" \/><\/p>\n<h4 aria-level=\"4\"><i><span data-contrast=\"none\">Shellcode<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h4>\n<p><span data-contrast=\"auto\">The injected shellcode unpacks and loads the final payload directly into memory,<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h4 aria-level=\"4\"><i><span data-contrast=\"none\">Final\u00a0Payload<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h4>\n<p><span data-contrast=\"auto\">The payload\u00a0observed\u00a0in this campaign is\u00a0a\u00a0clipper\u00a0malware. This type of malware changes cryptocurrency address in clipboard to that of attacker\u2019s\u00a0when user copies any address.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">It starts by fetching the C2 server address, which it gets by a\u00a0technique\u00a0called\u00a0EtherHiding,\u00a0where\u00a0the\u00a0C2 server address is fetched from Ethereum blockchain.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229215\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.59.38-AM-1024x995.png\" alt=\"It starts by fetching the C2 server address, which it gets by a technique called EtherHiding, where the C2 server address is fetched from Ethereum blockchain. 
\" width=\"1024\" height=\"995\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.59.38-AM-1024x995.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.59.38-AM-300x291.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.59.38-AM-768x746.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.59.38-AM-133x129.png 133w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.59.38-AM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.59.38-AM-48x48.png 48w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-9.59.38-AM.png 1052w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span data-contrast=\"auto\">Once the C2 server address is obtained, the malware begins reporting system activity to the server.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">It then continuously\u00a0monitors\u00a0the clipboard contents.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-229230\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.00.51-AM-920x1024.png\" alt=\"Once the C2 server address is obtained, the malware begins reporting system activity to the server. It then continuously monitors the clipboard contents. 
\" width=\"920\" height=\"1024\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.00.51-AM-920x1024.png 920w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.00.51-AM-270x300.png 270w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.00.51-AM-768x854.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.00.51-AM-116x129.png 116w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.00.51-AM.png 942w\" sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-229245\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.01.30-AM.png\" alt=\"It then continuously monitors the clipboard contents. \" width=\"870\" height=\"308\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.01.30-AM.png 870w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.01.30-AM-300x106.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.01.30-AM-768x272.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-01-at-10.01.30-AM-205x73.png 205w\" sizes=\"auto, (max-width: 870px) 100vw, 870px\" \/><\/p>\n<h2 aria-level=\"1\"><span data-contrast=\"none\">McAfee Coverage<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">McAfee\u00a0provides extensive\u00a0coverage against\u00a0CountLoader:\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Trojan:Script\/CountLoader4.DES<\/span><br \/>\n<span 
data-contrast=\"auto\">Trojan:Script\/JSBackdoor.HELK!2<\/span><br \/>\n<span data-contrast=\"auto\">Trojan:Shortcut\/LNKDownloader.HK<\/span><br \/>\n<span data-contrast=\"auto\">Trojan:Shortcut\/Worm.HELK<\/span><br \/>\n<span data-contrast=\"auto\">Trojan:Script\/ObfuPS.HELK<\/span><br \/>\n<span data-contrast=\"auto\">Trojan:Script\/AMSIBypass.STS!1<\/span><br \/>\n<span data-contrast=\"auto\">Ti!5F9FF671955A<\/span><br \/>\n<span data-contrast=\"auto\">Ti!DC602CB53A9C<\/span><\/p>\n<h2><span class=\"TextRun SCXW192945585 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW192945585 BCX0\" data-ccp-parastyle=\"heading 1\">Indicator<\/span><span class=\"NormalTextRun SCXW192945585 BCX0\" data-ccp-parastyle=\"heading 1\">s<\/span><span class=\"NormalTextRun SCXW192945585 BCX0\" data-ccp-parastyle=\"heading 1\">\u00a0Of Compromise<\/span><\/span><span class=\"EOP SCXW192945585 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Authored\u00a0by Harshil Patel and\u00a0Sakshi\u00a0Jaiswal\u00a0 McAfee Labs has recently uncovered a large scale\u00a0CountLoader\u00a0campaign that uses multiple layers of obfuscation and staged&#8230;<\/p>\n","protected":false},"author":695,"featured_media":126083,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10667,10661,13,442],"tags":[],"coauthors":[4136],"class_list":["post-228848","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-news","category-internet-security","category-privacy-identity-protection","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Sinkholing CountLoader: Insights into Its Recent Campaign | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored\u00a0by Harshil Patel and\u00a0Sakshi\u00a0Jaiswal\u00a0 McAfee Labs has recently uncovered a large 
scale\u00a0CountLoader\u00a0campaign that uses multiple layers of\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Sinkholing CountLoader: Insights into Its Recent Campaign | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored\u00a0by Harshil Patel and\u00a0Sakshi\u00a0Jaiswal\u00a0 McAfee Labs has recently uncovered a large scale\u00a0CountLoader\u00a0campaign that uses multiple layers of\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-13T10:00:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/300x200_RiseofDeepLearning.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Sinkholing CountLoader: Insights into Its Recent Campaign\",\"datePublished\":\"2026-05-13T10:00:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\"},\"wordCount\":2089,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/300x200_RiseofDeepLearning.jpg\",\"articleSection\":[\"Security News\",\"Internet Security\",\"Privacy &amp; Identity Protection\",\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\",\"name\":\"Sinkholing CountLoader: Insights into Its Recent Campaign | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/300x200_RiseofDeepLearning.jpg\",\"datePublished\":\"2026-05-13T10:00:36+00:00\",\"description\":\"Authored\u00a0by Harshil Patel and\u00a0Sakshi\u00a0Jaiswal\u00a0 McAfee Labs has recently uncovered a large scale\u00a0CountLoader\u00a0campaign that uses multiple layers of\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/300x200_RiseofDeepLearning.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/300x200_RiseofDeepLearning.jpg\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Sinkholing CountLoader: Insights into Its Recent Campaign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}