
THREAT CHAIN

Posted on • Originally published at threatchain.io

CountLoader: The Silent Passenger Hiding Inside Software You Thought Was Safe

This article was originally published on ThreatChain — decentralized threat intelligence.

What CountLoader is, how it works, and how to defend against it.

Last month, a freelance graphic designer in Austin downloaded what looked like a free system utility — something called "coreosdatatool." It seemed harmless. Her antivirus didn't flag it. The file opened, appeared to do nothing interesting, and she moved on with her day.

What she didn't know: that file had just quietly opened a door into her computer. Within hours, a second piece of malware arrived through that door, then a third. Her saved browser passwords, client login credentials, and crypto wallet were all scooped up and sent to a server she'd never heard of. She didn't notice anything was wrong until a client called asking why their shared Dropbox had been accessed from Eastern Europe.

This is what CountLoader does. Not with a bang — with a whisper.

What Is CountLoader, Exactly?

CountLoader is what security researchers call a loader — think of it as a delivery truck for other malware. Its entire job is to sneak onto your computer, avoid detection, and then download and install other malicious software. It doesn't steal your files itself. It opens the gate so that more dangerous programs can walk right in.

The specific sample we're looking at today (first spotted on April 6, 2025) is a Windows executable — a 64-bit .exe file, about 600KB. It's been seen with file names like coreosdatatool.exe, coreosdatatool.scr, and hgehlomq.exe. Not exactly names that scream "danger," which is part of the point.

Here's the scary part: when this file was first submitted to VirusTotal (a service that scans files against dozens of antivirus engines), only 13 out of 76 antivirus products flagged it as malicious. That means the majority of security tools gave it a pass. Some sandboxes — automated environments designed to watch software behave — even called it "clean."

CountLoader is good at hiding.

How Does It Get On Your Machine?

This particular sample was tagged as "dropped by Amadey." Amadey is another well-known piece of malware — a botnet loader that's been around for years. Think of it like a chain: you might first get infected with Amadey (often through a phishing email, a cracked software download, or a malicious ad), and then Amadey installs CountLoader, and then CountLoader installs even more malware.

It's infection by assembly line.

The file names give us clues about how it might also spread on its own. The name coreosdatatool sounds like a legitimate system utility. The .scr extension (normally used for screensavers) is a classic trick — Windows treats .scr files the same as .exe files, but people are less suspicious of them. You might see this distributed on sketchy download sites disguised as a free tool or bundled with pirated software.

What Happens After Infection?

This is where things get layered. Based on what researchers have found in this sample, CountLoader comes packed with capabilities — or at least connections to capabilities — that go well beyond "just" being a delivery truck.

It checks if anyone is watching. The sample triggers a YARA rule (a pattern-matching tool researchers use) called DebuggerCheck__API. In plain English: the malware looks around to see if it's being analyzed in a security lab. If it detects a debugger — a tool researchers use to study software line by line — it can change its behavior or shut down entirely. It's like a burglar who cases a house and leaves if they spot security cameras.

It may carry Cobalt Strike components. Cobalt Strike is a legitimate tool that security professionals use to test networks — but it's been widely pirated by actual criminals. When attackers deploy Cobalt Strike on your machine, they get a powerful remote control. They can browse your files, capture your keystrokes, move to other computers on your network, and maintain access for weeks or months. The sample matched a Cobalt Strike signature, which suggests CountLoader either carries Cobalt Strike components or is designed to fetch them.

It's written in Go. The malware is built using Go (Golang), a programming language developed by Google. Attackers increasingly love Go because it compiles into large, complex binaries that are harder for antivirus tools to analyze — which partly explains the low detection rate. It's like writing a ransom note in a language most translators don't speak.

There are ransomware connections. The sample also matched a signature called VECT_Ransomware. While CountLoader itself isn't ransomware (software that encrypts your files and demands payment), it appears designed to deliver ransomware as one of its payloads. Today it's stealing passwords; tomorrow it could be locking your files.

Who Should Care?

Honestly? Anyone running Windows. But CountLoader's delivery chain — pirated software, fake utilities, phishing emails — means certain groups are especially at risk:

  • Small businesses without dedicated IT security teams
  • Freelancers and remote workers who install their own software
  • Anyone who downloads free tools from unofficial sources
  • Organizations using older or unpatched Windows systems

The real-world impact isn't theoretical. CountLoader is part of an ecosystem. Once it's on your machine, the attackers can deploy credential stealers (grabbing your saved passwords), ransomware (locking your files for payment), or cryptominers (using your computer's processing power to mine cryptocurrency, slowing everything to a crawl). For a small business, a single CountLoader infection could lead to a data breach, client exposure, and days of downtime.

The Details (For Those Who Want Them)

Detail               Value
File hash (SHA-256)  6b2e9e457b8468a60b8f84952da717ce9ec7776e20be2b3d4f2b5c4c815c749f
MD5                  31793e4770d696f1eb0e2de62c7f4135
File type            Win32 PE32+ executable (64-bit, GUI)
File size            ~606 KB
Known file names     coreosdatatool.exe, coreosdatatool.scr, hgehlomq.exe
Family               CountLoader (also associated with MintsLoader)
Delivery method      Dropped by Amadey botnet
Detection rate       13/76 on VirusTotal
Vendor verdicts      Kaspersky: Malware · FileScan-IO: Malicious · Intezer: Suspicious · Spamhaus: Suspicious

What You Can Do Right Now

You don't need a six-figure security budget to protect yourself from CountLoader. Here are five concrete things you can do today:

  1. Don't download software from unofficial sources. That free "system tool" on a random forum? That cracked version of Photoshop? These are exactly the kind of things that carry loaders like this. Stick to official websites, app stores, and verified publishers.

  2. Keep Windows Update turned on. Seriously. Many of the secondary payloads CountLoader delivers rely on known vulnerabilities that Microsoft has already patched. Automatic updates are your friend.

  3. Use a reputable antivirus — but don't trust it blindly. Only 13 out of 76 engines caught this one initially. Antivirus is one layer of protection, not a guarantee. Pair it with common-sense habits.

  4. Back up your files regularly. If CountLoader delivers ransomware, your backup is your lifeline. Use an external drive or a cloud backup service, and make sure at least one copy isn't permanently connected to your computer (so ransomware can't encrypt the backup too).

  5. Be suspicious of .scr files. If you download something and it's a screensaver file you didn't ask for, delete it. Legitimate software almost never comes as .scr.
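To turn the details table and step 5 into something you can actually run over a downloads folder, here is a small triage script added for this article (it is not code from ThreatChain or from the malware analysis). It checks each file's SHA-256 and name against the indicators in the table and parses just enough of the PE header to confirm that a ".scr" file is really a Windows executable; the sample PE bytes it builds are constructed for the demonstration and are not the real CountLoader file.

```python
import hashlib
import struct

# Indicators copied from the article's details table.
KNOWN_SHA256 = {"6b2e9e457b8468a60b8f84952da717ce9ec7776e20be2b3d4f2b5c4c815c749f"}
KNOWN_NAMES = {"coreosdatatool.exe", "coreosdatatool.scr", "hgehlomq.exe"}
PE32_PLUS_MAGIC = 0x20B  # optional-header Magic of a 64-bit ("PE32+") image

def pe_summary(data: bytes):
    """Read bitness, machine type and subsystem from a PE image; None if not a PE."""
    try:
        if data[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                                   # 20-byte COFF header
        (machine,) = struct.unpack_from("<H", data, coff)
        opt = coff + 20                                       # optional header starts here
        (magic,) = struct.unpack_from("<H", data, opt)
        (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # 2 = GUI, 3 = console
    except struct.error:
        return None                                           # truncated header
    return {"is_64bit": magic == PE32_PLUS_MAGIC, "machine": machine,
            "subsystem": subsystem}

def triage_file(name: str, data: bytes) -> list:
    """Return the reasons a downloaded file deserves a closer look (empty = none)."""
    findings, lname = [], name.lower()
    if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
        findings.append("sha256 matches the published CountLoader sample")
    if lname in KNOWN_NAMES:
        findings.append("file name matches a known CountLoader file name")
    if lname.endswith(".scr") and pe_summary(data) is not None:
        findings.append(".scr file is really a Windows executable (screensaver disguise)")
    return findings

def build_minimal_pe(is_64bit: bool, subsystem: int) -> bytes:
    """Constructed sample input: a header-only PE image, not a runnable program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if is_64bit else 0x14C, 0, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<H", 0x20B if is_64bit else 0x10B) + b"\0" * 66   # pad to Subsystem
    return dos + b"PE\0\0" + coff + opt + struct.pack("<H", subsystem)

if __name__ == "__main__":
    sample = build_minimal_pe(is_64bit=True, subsystem=2)   # same profile as the article's file
    for fname in ("coreosdatatool.scr", "holiday.scr", "notes.txt"):
        print(fname, "->", triage_file(fname, sample if fname.endswith(".scr") else b"text"))
```

Hash and name matches only catch this exact sample, so treat the ".scr is an executable" check as the durable signal; a real scan would call triage_file on every file under a downloads directory.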

CountLoader isn't flashy. It doesn't announce itself with a ransom screen or a dramatic pop-up. It sits quietly, opens doors, and lets worse things in. That patience is exactly what makes it dangerous — and exactly why it's worth knowing about before it shows up on your machine.
