Ukrainian Police Email Impersonations Distribute New CountLoader Malware

Recent findings from cybersecurity firm Silent Push indicate that Russian ransomware groups have introduced a sophisticated new threat known as CountLoader. This malware is not merely a conventional virus; it functions as a loader, specifically designed to infiltrate devices and install more dangerous software, including ransomware. CountLoader serves as a crucial gateway for prominent cybercriminal organizations such as LockBit, BlackBasta, and Qilin, providing them with the initial entry they require to execute their cyberattacks.

Currently, CountLoader is distributed in three different formats: .NET, PowerShell, and JScript. The analysis by Silent Push suggests that CountLoader may be utilized either by Initial Access Brokers (IABs), who sell access to breached networks, or by affiliates of the ransomware groups directly involved in these illicit activities.

Recent Phishing Campaign

Silent Push’s research also sheds light on a recent phishing campaign that employed CountLoader to target individuals in Ukraine. The attackers impersonated Ukrainian law enforcement, using a deceptive PDF document as bait to entice victims into downloading and executing the CountLoader malware.

While researchers from Kaspersky and Cyfirma had previously identified similar campaigns, Silent Push’s investigation has unveiled a more comprehensive understanding of CountLoader’s operations. Kaspersky’s team first noted the PowerShell variant in June 2025, while Cyfirma could not provide details about the command and control domain tied to the attack.

Silent Push, however, noted that its research uncovered several distinct campaigns using different lures and targeting strategies. The firm stated that it used a fingerprinting methodology of its own to track the malware's infrastructure, which allowed it to identify a network of more than 20 distinct domains associated with CountLoader. The same approach tied the malware to indicators previously observed in other attacks, reinforcing its connections to the LockBit, BlackBasta, and Qilin groups.

Indicators of Russian Involvement

Additionally, Silent Push discovered that one version of CountLoader uses a user agent that mimics Yandex Browser, the browser of Yandex, a widely used search engine in Russia. This detail, coupled with the targeting of Ukrainian citizens, raises significant suspicions regarding the involvement of Russian-speaking threat actors. The research presents a detailed perspective on how Russian ransomware operations have evolved and refined their methods for breaching and compromising networks.
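A defender can turn the user-agent detail above into a simple hunt: a Yandex Browser user agent is normal when it comes from the browser itself, but not when it comes from a script host such as wscript.exe or powershell.exe, which matches the JScript and PowerShell variants the article describes. The following is an added example, not code from Silent Push or from the article; it assumes a proxy log that records the originating process, uses the real "YaBrowser/" token found in genuine Yandex Browser user agents, and runs over constructed sample lines with placeholder domains.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log (tab-separated: time, host, process, user-agent, url).
# Every value below is made up for this example; none is a real indicator.
SAMPLE_LOG = "\n".join([
    "2025-06-10T09:01:02Z\tws-17\tchrome.exe\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 Safari/537.36\thttps://intranet.example/",
    "2025-06-10T09:03:44Z\tws-17\twscript.exe\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 YaBrowser/24.6.0.0 Safari/537.36\thttps://c2-placeholder.invalid/stage",
    "2025-06-10T09:04:10Z\tws-22\tpowershell.exe\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 YaBrowser/24.6.0.0 Safari/537.36\thttps://c2-placeholder.invalid/payload",
    "2025-06-10T09:05:00Z\tws-30\tbrowser.exe\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 YaBrowser/24.6.0.0 Safari/537.36\thttps://yandex.ru/",
])

YANDEX_TOKEN = "YaBrowser/"  # token carried by genuine Yandex Browser user agents

# Script hosts that should never present a browser user agent. Assumption: the
# proxy (or an EDR network event) records the process that made the request.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}


def parse(line: str) -> dict:
    """Split one tab-separated log line into its fields (the UA itself contains spaces)."""
    ts, host, proc, ua, url = line.rstrip("\n").split("\t", 4)
    return {"time": ts, "host": host, "process": proc.lower(), "ua": ua, "url": url}


def suspicious_yandex_ua(log: str) -> list[dict]:
    """Return entries whose User-Agent claims Yandex Browser but whose process is a script host."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        entry = parse(line)
        if YANDEX_TOKEN in entry["ua"] and entry["process"] in SCRIPT_HOSTS:
            hits.append(entry)
    return hits


def contacted_domains(hits: list[dict]) -> list[str]:
    """Distinct domains the flagged requests reached, sorted, for triage or blocking."""
    return sorted({urlsplit(h["url"]).hostname for h in hits})


if __name__ == "__main__":
    for h in suspicious_yandex_ua(SAMPLE_LOG):
        print(f"{h['time']} {h['host']} {h['process']} -> {h['url']}")
    print("domains to triage:", contacted_domains(suspicious_yandex_ua(SAMPLE_LOG)))
```

The genuine browser.exe request on ws-30 is not flagged; only the two script-host requests are, which keeps the rule usable on networks where Yandex Browser is legitimately installed.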

The MITRE ATT&CK framework offers a way to describe the tactics likely employed in this attack: initial access, where the attackers gain entry through phishing; persistence, where they maintain a foothold on the system; and privilege escalation, where they obtain higher-level permissions. Each of these could be a key component of this threat. As cyber threats continue to advance, maintaining awareness and understanding of the tactics used by adversaries will be essential for business owners to protect their networks effectively.
