Fake Ukrainian Police Emails Spread New CountLoader Malware Loader
A new malware loader, CountLoader, has been discovered by cybersecurity firm Silent Push. The threat is linked to prominent Russian ransomware gangs, including LockBit, BlackBasta, and Qilin, and is being used to provide them with initial access to victim networks.
New research from cybersecurity firm Silent Push reveals that Russian ransomware gangs are using a new type of malicious program, dubbed CountLoader. This isn’t just a regular piece of malware; it’s a malware loader.
This means its main job is to get onto a device and install other, more harmful programs, including ransomware. It basically acts as a key entry point for major cybercrime groups like LockBit, BlackBasta, and Qilin, giving them the initial access they need to launch their attacks.
CountLoader malware loader is currently being delivered in three different versions, including .NET, PowerShell, and JScript. Silent Push’s analysis suggests that CountLoader is either a tool used by Initial Access Brokers (IABs, or cybercriminals that sell access to compromised networks) or by affiliates of the ransomware groups themselves.
**Fake Police Campaign**
The research highlights a recent campaign where CountLoader was used in phishing attacks aimed at people in Ukraine. The hackers impersonated the Ukrainian police with a fake PDF document as a lure to trick victims into downloading and running CountLoader.
The phishing document used to lure victims, with a translated version (Credit: Silent Push).
In the blog post shared with Hackread.com, Silent Push noted that while researchers at Kaspersky and Cyfirma had spotted similar campaigns, they only saw a portion of the malware’s full operations.
Kaspersky’s team, for instance, had observed the PowerShell version in June 2025, while Cyfirma couldn’t get details about the C2 (command and control) domain: app-updaterapp.
Silent Push’s research, however, revealed the full picture. “Our team identified indications of several additional unique campaigns utilising various other lures and targeting methods,” the firm said.
**Key Connections**
To track the malware, researchers developed a unique fingerprint, which is a combination of technical details that helps identify other related servers and domains. So far, they have found more than 20 unique domains used by CountLoader. They also connected the malware to specific digital watermarks used in other attacks, further confirming its ties to the LockBit, BlackBasta, and Qilin groups.
Silent Push’s analysis revealed additional connections to Russian cybercrime. One version of the malware uses a user agent that mimics the Yandex browser, which is a popular search engine in Russia.
This detail, along with the targeting of Ukrainian citizens, strengthens the suspicion that Russian-speaking threat actors are behind the campaign. The research provides an in-depth look at how Russian ransomware groups are refining the tactics they use to breach and compromise networks.