86,000 Systems Hijacked: Sinkholing the Global CountLoader Clipper Operation
Security researchers have identified a sophisticated, large-scale CountLoader campaign characterized by layered obfuscation, multi-stage payload delivery, and resilient command-and-control (C2) architectures. This campaign is specifically engineered to deploy cryptocurrency clipper malware, aiming to hijack digital asset transactions by intercepting clipboard data.
What sets this threat actor apart is the complexity of the infection chain. By weaving together JavaScript, PowerShell, and in-memory shellcode execution, the malware achieves a high degree of stealth, effectively bypassing traditional signature-based detection and maintaining a persistent foothold on compromised endpoints.
The Infection Vector and Execution Flow
The attack lifecycle begins with the execution of a malicious binary that immediately triggers a PowerShell one-liner. This script is designed to download and decode a heavily obfuscated JavaScript loader. To bypass security controls, the loader is executed through mshta.exe, a legitimate Windows utility frequently abused in “Living off the Land” (LotL) attacks to evade detection.
Once the loader achieves execution, it establishes persistence via scheduled tasks and initiates communication with a distributed network of C2 servers. As noted in a report by McAfee Labs, the malware employs a resilient connection strategy: it attempts to reach out to C2 servers in reverse order, continuing until it successfully establishes a handshake with a live controller.
The payload delivery follows a meticulously orchestrated multi-stage process:
- JavaScript Loader (CountLoader): Facilitated via
mshta.exeto initiate initial C2 contact. - PowerShell Packer: Acts as a decryption engine to unpack subsequent stages.
- Injector: A critical module that disables security features, such as the Antimalware Scan Interface (AMSI), and injects malicious shellcode into legitimate system processes.
- Shellcode Execution: The malware transitions to a fileless state, loading the payload directly into memory.
- Final Payload: The malware masquerades under
systeminfo.exeto execute the cryptocurrency clipper.
This fileless approach is a deliberate tactic to minimize the forensic footprint left on the disk, making it invisible to many standard antivirus solutions.
In a significant win for the defensive community, researchers identified a vulnerability in the C2 communication logic. By registering a backup domain (hell10-kitty[.]cc), they were able to “sinkhole” the traffic. Sinkholing allows researchers to redirect malicious traffic to a controlled environment, providing a real-time view of the infection scale without alerting the attackers.

Sinkholing malware communication (Source : McAfee Labs)
Through this sinkholing operation, the following metrics were observed:
- Connection Velocity: Approximately 5,000 infected systems connecting per minute.
- Global Infection Count: Roughly 86,000 unique infected machines.
- Geographic Distribution: While global, the highest density of infections was localized in India, followed by Indonesia, the United States, and various Southeast Asian nations.
Advanced Obfuscation and Propagation Mechanisms
The CountLoader campaign utilizes a custom-built encrypted protocol for C2 communications. To thwart network-level inspection, each message is encoded using a randomly generated six-digit key, combined with XOR operations and Base64 encoding. This makes identifying malicious patterns within encrypted traffic exceptionally difficult for standard Network Intrusion Detection Systems (NIDS).
Lateral Movement via Removable Media
Beyond network propagation, the malware spreads via USB drives. It employs a deceptive technique where it replaces legitimate files on a drive with malicious .LNK shortcuts. When a user attempts to open their file, the shortcut executes the malware first and then launches the original file, ensuring the user remains unaware of the compromise.

Infection Chain (Source : McAfee Labs)
The C2 infrastructure provides the attacker with a versatile toolkit, allowing them to:
- Remote execution of various file types (EXE, DLL, MSI, HTA, and PowerShell).
- Automated USB-based propagation.
- Exfiltration of detailed system and domain intelligence.
- Remote self-uninstallation to erase evidence during forensic investigations.
Telemetry suggests that USB-based propagation alone has accounted for nearly 9,000 infections.

Powershell Packer (Source : McAfee Labs)
The Final Objective: Cryptocurrency Theft
The ultimate goal of the CountLoader is the deployment of a cryptocurrency clipper. This malware monitors the system clipboard in real-time. When a user copies a cryptocurrency wallet address, the malware immediately swaps it with an address controlled by the attacker, leading to the direct theft of funds during a transaction.
To further evade detection, the malware employs EtherHiding—a technique that leverages blockchain platforms like Ethereum to store and retrieve C2 addresses. This makes the infrastructure highly resilient and difficult to block via traditional DNS filtering.
Furthermore, the malware conducts local reconnaissance to profile the infected system. It specifically searches for installed crypto wallets and browser extensions, allowing the threat actors to prioritize high-value targets for further exploitation. To ensure longevity, CountLoader uses scheduled tasks to re-execute every 30 to 60 minutes and features environmental awareness, modifying its behavior if it detects security software like CrowdStrike or Reason AV.
Indicators of Compromise (IOCs)
| IOC Type / Value |
|---|
| 5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a |
| https://memory-scanner[.]cc/Presentation[.]pdf |
| 3c278499c5e3ced3bf1a6a7287808c5267075f1dec0aa5c7be2c4c444f33f2bc |
| https://memory-scanner[.]cc/ |
| https://hell1-kitty[.]cc/update1_usb_usb_usb[.]VOcx4wEV8 |
| c68e436d4cb984db026210806f50d0c81eec5f6e4860197dab91fab6f31ef796 |
| e2faad8111e7d47349cbc549b85e62231b8678057906bc813aad7242fa95ae63 |
| e5e1d8ec4cd109df290752ee3d4b2cbc9de6df4360e9983548f1bc6b1d088540 |
| hell1-kitty[.]cc |
| alphazero1-endscape[.]cc |
| api-microservice-us1[.]com |
| bucket-aws-s1[.]com |
| bucket-aws-s2[.]com |
| fileless-storage-s3[.]cc |
| globalsnn1-new[.]cc |
| globalsnn2-new[.]cc |
| globalsnn3-new[.]cc |
| handle-me-sv1[.]com |
| hardware-office[.]cc |
| health-smooth-eu1[.]com |
| health-smooth-eu2[.]com |
| health-smooth-eu3[.]com |
| holiday-updateservice[.]com |
| memory-protection-layer1[.]cc |
| memory-protection-layer2[.]cc |
| microservice-update-s1-bucket[.]cc |
| microservice-update-s2-bucket[.]cc |
| my-smart-house1[.]com |
| polystore9-servicebucket[.]cc |
| s3-updatehub[.]cc |
| 10593dbe9edfde7943fdaadd7882f190216b2f6502667daf701088a6e810deaf |
| 0a69a9cc75d65774e5eb90a4a739bd4335d33b176dc4923acb691bd45af66bdf |
| 27c6a6bda2c0ef3ecb78dad9c6bb7c3abaf2e32b3ad96f372a0102c0c9c0f08d |
| 2cd449f1bb24f05d2e240812a74bd62f2583bbbe4d0ccc9ae5736240e29a0068 |
| 30dcd5c71beb76d2f8df768d5fd9e9145cb8fbbfc951a63b969d26d3b64002b9 |
| dd4c7f5aae404816cf447b8090b620c1a1971a35c6791116aa3f871f00ae011b |
| 42a1fc74334c9a3b8720c79df55f84c7398bd31609eb10581e8c7155835498e3 |
| 9c0d334aac5a6f66016dc5ce8df75c46d519a4e6d16c68cf2b1405c81189186d |
| 44f6313e9542c0d51937a70160fe4137012905d8c79ad27ccc0021788ecfaa4e |
| https://hell1-kitty[.]cc/gamecenter[.]fileManager |
| https://hardware-office[.]cc/foundation[.]halflife |
| cbdfb46b9265a3dfb3bc6b0aade472dde28b1660dbd3ded3b67b1530b4497cca |
| 4a5e1d6ee1217e1fbacf54fc6017fbf9d24a25078266b02358d56a9c7437ceb7 |
| 05becb67d8bf1e49fcfccb0d346b82368a2b1c2bf07316078c364c7b020154de |
| 44daa1b68737b55a711963eec211c7c018bcba4cb6d68c286a4b45ea781a7d73 |
| dc602cb53a9c24abfcdaadf0ca8256b5fb5cac6d91d20ed8431bdaaf51c0cafe |
| https://edr-security-bucket1[.]cc/ |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.