rNyWw E

86,000 Systems Hijacked: Sinkholing the Global CountLoader Clipper Operation

Security researchers have identified a sophisticated, large-scale CountLoader campaign characterized by layered obfuscation, multi-stage payload delivery, and resilient command-and-control (C2) architectures. This campaign is specifically engineered to deploy cryptocurrency clipper malware, aiming to hijack digital asset transactions by intercepting clipboard data.

What sets this threat actor apart is the complexity of the infection chain. By weaving together JavaScript, PowerShell, and in-memory shellcode execution, the malware achieves a high degree of stealth, effectively bypassing traditional signature-based detection and maintaining a persistent foothold on compromised endpoints.

The Infection Vector and Execution Flow

The attack lifecycle begins with the execution of a malicious binary that immediately triggers a PowerShell one-liner. This script is designed to download and decode a heavily obfuscated JavaScript loader. To bypass security controls, the loader is executed through mshta.exe, a legitimate Windows utility frequently abused in “Living off the Land” (LotL) attacks to evade detection.

Once the loader achieves execution, it establishes persistence via scheduled tasks and initiates communication with a distributed network of C2 servers. As noted in a report by McAfee Labs, the malware employs a resilient connection strategy: it attempts to reach out to C2 servers in reverse order, continuing until it successfully establishes a handshake with a live controller.

The payload delivery follows a meticulously orchestrated multi-stage process:

  • JavaScript Loader (CountLoader): Facilitated via mshta.exe to initiate initial C2 contact.
  • PowerShell Packer: Acts as a decryption engine to unpack subsequent stages.
  • Injector: A critical module that disables security features, such as the Antimalware Scan Interface (AMSI), and injects malicious shellcode into legitimate system processes.
  • Shellcode Execution: The malware transitions to a fileless state, loading the payload directly into memory.
  • Final Payload: The malware masquerades under systeminfo.exe to execute the cryptocurrency clipper.

This fileless approach is a deliberate tactic to minimize the forensic footprint left on the disk, making it invisible to many standard antivirus solutions.

In a significant win for the defensive community, researchers identified a vulnerability in the C2 communication logic. By registering a backup domain (hell10-kitty[.]cc), they were able to “sinkhole” the traffic. Sinkholing allows researchers to redirect malicious traffic to a controlled environment, providing a real-time view of the infection scale without alerting the attackers.

Sinkholing malware communication (Source : McAfee Labs).
Sinkholing malware communication (Source : McAfee Labs)

Through this sinkholing operation, the following metrics were observed:

  • Connection Velocity: Approximately 5,000 infected systems connecting per minute.
  • Global Infection Count: Roughly 86,000 unique infected machines.
  • Geographic Distribution: While global, the highest density of infections was localized in India, followed by Indonesia, the United States, and various Southeast Asian nations.

Advanced Obfuscation and Propagation Mechanisms

The CountLoader campaign utilizes a custom-built encrypted protocol for C2 communications. To thwart network-level inspection, each message is encoded using a randomly generated six-digit key, combined with XOR operations and Base64 encoding. This makes identifying malicious patterns within encrypted traffic exceptionally difficult for standard Network Intrusion Detection Systems (NIDS).

Lateral Movement via Removable Media

Beyond network propagation, the malware spreads via USB drives. It employs a deceptive technique where it replaces legitimate files on a drive with malicious .LNK shortcuts. When a user attempts to open their file, the shortcut executes the malware first and then launches the original file, ensuring the user remains unaware of the compromise.

Infection Chain (Source : McAfee Labs).
Infection Chain (Source : McAfee Labs)

The C2 infrastructure provides the attacker with a versatile toolkit, allowing them to:

  • Remote execution of various file types (EXE, DLL, MSI, HTA, and PowerShell).
  • Automated USB-based propagation.
  • Exfiltration of detailed system and domain intelligence.
  • Remote self-uninstallation to erase evidence during forensic investigations.

Telemetry suggests that USB-based propagation alone has accounted for nearly 9,000 infections.

Powershell Packer (Source : McAfee Labs).
Powershell Packer (Source : McAfee Labs)

The Final Objective: Cryptocurrency Theft

The ultimate goal of the CountLoader is the deployment of a cryptocurrency clipper. This malware monitors the system clipboard in real-time. When a user copies a cryptocurrency wallet address, the malware immediately swaps it with an address controlled by the attacker, leading to the direct theft of funds during a transaction.

To further evade detection, the malware employs EtherHiding—a technique that leverages blockchain platforms like Ethereum to store and retrieve C2 addresses. This makes the infrastructure highly resilient and difficult to block via traditional DNS filtering.

Furthermore, the malware conducts local reconnaissance to profile the infected system. It specifically searches for installed crypto wallets and browser extensions, allowing the threat actors to prioritize high-value targets for further exploitation. To ensure longevity, CountLoader uses scheduled tasks to re-execute every 30 to 60 minutes and features environmental awareness, modifying its behavior if it detects security software like CrowdStrike or Reason AV.

Indicators of Compromise (IOCs)

IOC Type / Value
5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a
https://memory-scanner[.]cc/Presentation[.]pdf
3c278499c5e3ced3bf1a6a7287808c5267075f1dec0aa5c7be2c4c444f33f2bc
https://memory-scanner[.]cc/
https://hell1-kitty[.]cc/update1_usb_usb_usb[.]VOcx4wEV8
c68e436d4cb984db026210806f50d0c81eec5f6e4860197dab91fab6f31ef796
e2faad8111e7d47349cbc549b85e62231b8678057906bc813aad7242fa95ae63
e5e1d8ec4cd109df290752ee3d4b2cbc9de6df4360e9983548f1bc6b1d088540
hell1-kitty[.]cc
alphazero1-endscape[.]cc
api-microservice-us1[.]com
bucket-aws-s1[.]com
bucket-aws-s2[.]com
fileless-storage-s3[.]cc
globalsnn1-new[.]cc
globalsnn2-new[.]cc
globalsnn3-new[.]cc
handle-me-sv1[.]com
hardware-office[.]cc
health-smooth-eu1[.]com
health-smooth-eu2[.]com
health-smooth-eu3[.]com
holiday-updateservice[.]com
memory-protection-layer1[.]cc
memory-protection-layer2[.]cc
microservice-update-s1-bucket[.]cc
microservice-update-s2-bucket[.]cc
my-smart-house1[.]com
polystore9-servicebucket[.]cc
s3-updatehub[.]cc
10593dbe9edfde7943fdaadd7882f190216b2f6502667daf701088a6e810deaf
0a69a9cc75d65774e5eb90a4a739bd4335d33b176dc4923acb691bd45af66bdf
27c6a6bda2c0ef3ecb78dad9c6bb7c3abaf2e32b3ad96f372a0102c0c9c0f08d
2cd449f1bb24f05d2e240812a74bd62f2583bbbe4d0ccc9ae5736240e29a0068
30dcd5c71beb76d2f8df768d5fd9e9145cb8fbbfc951a63b969d26d3b64002b9
dd4c7f5aae404816cf447b8090b620c1a1971a35c6791116aa3f871f00ae011b
42a1fc74334c9a3b8720c79df55f84c7398bd31609eb10581e8c7155835498e3
9c0d334aac5a6f66016dc5ce8df75c46d519a4e6d16c68cf2b1405c81189186d
44f6313e9542c0d51937a70160fe4137012905d8c79ad27ccc0021788ecfaa4e
https://hell1-kitty[.]cc/gamecenter[.]fileManager
https://hardware-office[.]cc/foundation[.]halflife
cbdfb46b9265a3dfb3bc6b0aade472dde28b1660dbd3ded3b67b1530b4497cca
4a5e1d6ee1217e1fbacf54fc6017fbf9d24a25078266b02358d56a9c7437ceb7
05becb67d8bf1e49fcfccb0d346b82368a2b1c2bf07316078c364c7b020154de
44daa1b68737b55a711963eec211c7c018bcba4cb6d68c286a4b45ea781a7d73
dc602cb53a9c24abfcdaadf0ca8256b5fb5cac6d91d20ed8431bdaaf51c0cafe
https://edr-security-bucket1[.]cc/

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Related Articles

Back to top button