Sinkholing CountLoader: Insights into Its Recent Campaign

    Date: 05/21/2026

    Severity: High

    Summary

    A large-scale CountLoader campaign was observed using heavily obfuscated, multi-stage infection chains involving PowerShell, JavaScript executed through mshta.exe, and in-memory shellcode injection to evade detection and maintain persistence. Researchers successfully sinkholed a backup C2 domain, revealing extensive infrastructure activity with thousands of infected systems and widespread propagation, including through USB devices. The campaign ultimately deployed cryptocurrency clipper malware, designed to hijack clipboard contents and redirect cryptocurrency transactions to attacker-controlled wallets. 

    Indicators of Compromise (IOC) List 

    URLs/Domains

    hell1-kitty.cc 

    alphazero1-endscape.cc 

    api-microservice-us1.com 

    bucket-aws-s1.com 

    bucket-aws-s2.com 

    fileless-storage-s3.cc 

    globalsnn1-new.cc 

    globalsnn2-new.cc 

    globalsnn3-new.cc 

    handle-me-sv1.com 

    hardware-office.cc 

    health-smooth-eu1.com 

    health-smooth-eu2.com 

    health-smooth-eu3.com 

    holiday-updateservice.com 

    memory-protection-layer1.cc 

    memory-protection-layer2.cc 

    microservice-update-s1-bucket.cc 

    microservice-update-s2-bucket.cc 

    my-smart-house1.com 

    polystore9-servicebucket.cc 

    s3-updatehub.cc 

    https://hell1-kitty.cc/gamecenter.fileManager 

    https://hardware-office.cc/foundation.halflife 

    https://edr-security-bucket1.cc/ 

    https://memory-scanner.cc/Presentation.pdf 

    https://memory-scanner.cc/ 

    https://hell1-kitty.cc/update1_usb_usb_usb.VOcx4wEV8 

    Hashes (SHA-256)

    3c278499c5e3ced3bf1a6a7287808c5267075f1dec0aa5c7be2c4c444f33f2bc

    5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a

    c68e436d4cb984db026210806f50d0c81eec5f6e4860197dab91fab6f31ef796 

    e2faad8111e7d47349cbc549b85e62231b8678057906bc813aad7242fa95ae63 

    e5e1d8ec4cd109df290752ee3d4b2cbc9de6df4360e9983548f1bc6b1d088540 

    10593dbe9edfde7943fdaadd7882f190216b2f6502667daf701088a6e810deaf 

    0a69a9cc75d65774e5eb90a4a739bd4335d33b176dc4923acb691bd45af66bdf 

    27c6a6bda2c0ef3ecb78dad9c6bb7c3abaf2e32b3ad96f372a0102c0c9c0f08d 

    2cd449f1bb24f05d2e240812a74bd62f2583bbbe4d0ccc9ae5736240e29a0068 

    30dcd5c71beb76d2f8df768d5fd9e9145cb8fbbfc951a63b969d26d3b64002b9 

    dd4c7f5aae404816cf447b8090b620c1a1971a35c6791116aa3f871f00ae011b 

    42a1fc74334c9a3b8720c79df55f84c7398bd31609eb10581e8c7155835498e3 

    9c0d334aac5a6f66016dc5ce8df75c46d519a4e6d16c68cf2b1405c81189186d 

    44f6313e9542c0d51937a70160fe4137012905d8c79ad27ccc0021788ecfaa4e

    cbdfb46b9265a3dfb3bc6b0aade472dde28b1660dbd3ded3b67b1530b4497cca 

    4a5e1d6ee1217e1fbacf54fc6017fbf9d24a25078266b02358d56a9c7437ceb7 

    05becb67d8bf1e49fcfccb0d346b82368a2b1c2bf07316078c364c7b020154de 

    44daa1b68737b55a711963eec211c7c018bcba4cb6d68c286a4b45ea781a7d73 

    dc602cb53a9c24abfcdaadf0ca8256b5fb5cac6d91d20ed8431bdaaf51c0cafe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "globalsnn1-new.cc" or url like "globalsnn1-new.cc" or siteurl like "globalsnn1-new.cc" or domainname like "https://hell1-kitty.cc/update1_usb_usb_usb.VOcx4wEV8" or url like "https://hell1-kitty.cc/update1_usb_usb_usb.VOcx4wEV8" or siteurl like "https://hell1-kitty.cc/update1_usb_usb_usb.VOcx4wEV8" or domainname like "health-smooth-eu1.com" or url like "health-smooth-eu1.com" or siteurl like "health-smooth-eu1.com" or domainname like "https://edr-security-bucket1.cc/" or url like "https://edr-security-bucket1.cc/" or siteurl like "https://edr-security-bucket1.cc/" or domainname like "holiday-updateservice.com" or url like "holiday-updateservice.com" or siteurl like "holiday-updateservice.com" or domainname like "memory-protection-layer1.cc" or url like "memory-protection-layer1.cc" or siteurl like "memory-protection-layer1.cc" or domainname like "microservice-update-s1-bucket.cc" or url like "microservice-update-s1-bucket.cc" or siteurl like "microservice-update-s1-bucket.cc" or domainname like "https://hell1-kitty.cc/gamecenter.fileManager" or url like "https://hell1-kitty.cc/gamecenter.fileManager" or siteurl like "https://hell1-kitty.cc/gamecenter.fileManager" or domainname like "polystore9-servicebucket.cc" or url like "polystore9-servicebucket.cc" or siteurl like "polystore9-servicebucket.cc" or domainname like "bucket-aws-s2.com" or url like "bucket-aws-s2.com" or siteurl like "bucket-aws-s2.com" or domainname like "https://memory-scanner.cc/" or url like "https://memory-scanner.cc/" or siteurl like "https://memory-scanner.cc/" or domainname like "handle-me-sv1.com" or url like "handle-me-sv1.com" or siteurl like "handle-me-sv1.com" or domainname like "https://memory-scanner.cc/Presentation.pdf" or url like "https://memory-scanner.cc/Presentation.pdf" or siteurl like "https://memory-scanner.cc/Presentation.pdf" or domainname like "fileless-storage-s3.cc" or url like "fileless-storage-s3.cc" or siteurl like "fileless-storage-s3.cc" or domainname like "memory-protection-layer2.cc" or url like "memory-protection-layer2.cc" or siteurl like "memory-protection-layer2.cc" or domainname like "my-smart-house1.com" or url like "my-smart-house1.com" or siteurl like "my-smart-house1.com" or domainname like "globalsnn3-new.cc" or url like "globalsnn3-new.cc" or siteurl like "globalsnn3-new.cc" or domainname like "s3-updatehub.cc" or url like "s3-updatehub.cc" or siteurl like "s3-updatehub.cc" or domainname like "health-smooth-eu2.com" or url like "health-smooth-eu2.com" or siteurl like "health-smooth-eu2.com" or domainname like "globalsnn2-new.cc" or url like "globalsnn2-new.cc" or siteurl like "globalsnn2-new.cc" or domainname like "microservice-update-s2-bucket.cc" or url like "microservice-update-s2-bucket.cc" or siteurl like "microservice-update-s2-bucket.cc" or domainname like "health-smooth-eu3.com" or url like "health-smooth-eu3.com" or siteurl like "health-smooth-eu3.com" or domainname like "hell1-kitty.cc" or url like "hell1-kitty.cc" or siteurl like "hell1-kitty.cc" or domainname like "bucket-aws-s1.com" or url like "bucket-aws-s1.com" or siteurl like "bucket-aws-s1.com" or domainname like "https://hardware-office.cc/foundation.halflife" or url like "https://hardware-office.cc/foundation.halflife" or siteurl like "https://hardware-office.cc/foundation.halflife" or domainname like "alphazero1-endscape.cc" or url like "alphazero1-endscape.cc" or siteurl like "alphazero1-endscape.cc" or domainname like "api-microservice-us1.com" or url like "api-microservice-us1.com" or siteurl like "api-microservice-us1.com" or domainname like "hardware-office.cc" or url like "hardware-office.cc" or siteurl like "hardware-office.cc"

    Detection Query 2:

    sha256hash IN ("2cd449f1bb24f05d2e240812a74bd62f2583bbbe4d0ccc9ae5736240e29a0068","10593dbe9edfde7943fdaadd7882f190216b2f6502667daf701088a6e810deaf","3c278499c5e3ced3bf1a6a7287808c5267075f1dec0aa5c7be2c4c444f33f2bc","30dcd5c71beb76d2f8df768d5fd9e9145cb8fbbfc951a63b969d26d3b64002b9","27c6a6bda2c0ef3ecb78dad9c6bb7c3abaf2e32b3ad96f372a0102c0c9c0f08d","cbdfb46b9265a3dfb3bc6b0aade472dde28b1660dbd3ded3b67b1530b4497cca","dc602cb53a9c24abfcdaadf0ca8256b5fb5cac6d91d20ed8431bdaaf51c0cafe","5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a","05becb67d8bf1e49fcfccb0d346b82368a2b1c2bf07316078c364c7b020154de","9c0d334aac5a6f66016dc5ce8df75c46d519a4e6d16c68cf2b1405c81189186d","dd4c7f5aae404816cf447b8090b620c1a1971a35c6791116aa3f871f00ae011b","0a69a9cc75d65774e5eb90a4a739bd4335d33b176dc4923acb691bd45af66bdf","c68e436d4cb984db026210806f50d0c81eec5f6e4860197dab91fab6f31ef796","42a1fc74334c9a3b8720c79df55f84c7398bd31609eb10581e8c7155835498e3","44f6313e9542c0d51937a70160fe4137012905d8c79ad27ccc0021788ecfaa4e","44daa1b68737b55a711963eec211c7c018bcba4cb6d68c286a4b45ea781a7d73","4a5e1d6ee1217e1fbacf54fc6017fbf9d24a25078266b02358d56a9c7437ceb7","e2faad8111e7d47349cbc549b85e62231b8678057906bc813aad7242fa95ae63","e5e1d8ec4cd109df290752ee3d4b2cbc9de6df4360e9983548f1bc6b1d088540")
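    As an added example serving both Detection Query 1 and Detection Query 2 (it is not the advisory's, Gurucul's or McAfee's code), the Python matcher below takes the domain, URL and SHA-256 indicators listed on this page and runs them over constructed newline-delimited JSON log records that carry the same field names the queries use (domainname, url, siteurl, sha256hash). Hostnames are matched on label boundaries, so a subdomain of a listed domain is caught while a lookalike that merely contains a listed domain as a substring is not, and hash matching is case-insensitive. The record format, the field names and the sample records are assumptions; only three of the nineteen hashes are included to keep the block short.

```python
# Offline IOC matcher mirroring Detection Queries 1 and 2 above. Added example,
# not Gurucul's or McAfee's code: indicator values are copied from this advisory,
# the log records below are constructed for the demo.
from __future__ import annotations
import json
from urllib.parse import urlsplit

# Domain indicators from the advisory's URLs/Domains list.
IOC_DOMAINS = {
    "hell1-kitty.cc", "alphazero1-endscape.cc", "api-microservice-us1.com",
    "bucket-aws-s1.com", "bucket-aws-s2.com", "fileless-storage-s3.cc",
    "globalsnn1-new.cc", "globalsnn2-new.cc", "globalsnn3-new.cc",
    "handle-me-sv1.com", "hardware-office.cc", "health-smooth-eu1.com",
    "health-smooth-eu2.com", "health-smooth-eu3.com", "holiday-updateservice.com",
    "memory-protection-layer1.cc", "memory-protection-layer2.cc",
    "microservice-update-s1-bucket.cc", "microservice-update-s2-bucket.cc",
    "my-smart-house1.com", "polystore9-servicebucket.cc", "s3-updatehub.cc",
}
# Full-URL indicators from the advisory.
IOC_URLS = {
    "https://hell1-kitty.cc/gamecenter.fileManager",
    "https://hardware-office.cc/foundation.halflife",
    "https://edr-security-bucket1.cc/",
    "https://memory-scanner.cc/Presentation.pdf",
    "https://memory-scanner.cc/",
    "https://hell1-kitty.cc/update1_usb_usb_usb.VOcx4wEV8",
}
# Three of the advisory's SHA-256 hashes (subset; add the remaining ones the same way).
IOC_SHA256 = {
    "3c278499c5e3ced3bf1a6a7287808c5267075f1dec0aa5c7be2c4c444f33f2bc",
    "5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a",
    "dc602cb53a9c24abfcdaadf0ca8256b5fb5cac6d91d20ed8431bdaaf51c0cafe",
}
# Hosts seen only inside URL indicators (edr-security-bucket1.cc, memory-scanner.cc) also matter for DNS/proxy hostname fields.
ALL_IOC_DOMAINS = IOC_DOMAINS | {urlsplit(u).hostname for u in IOC_URLS}

def hostname_of(value: str) -> str | None:
    """Lowercase hostname of a URL or bare host ('host:443' and a trailing dot are handled)."""
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return host.rstrip(".") if host else None

def domain_matches(host: str | None) -> str | None:
    """Return the indicator that host equals or is a subdomain of, else None."""
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):  # label-boundary suffixes, never the bare TLD
        candidate = ".".join(labels[i:])  # catches cdn.hell1-kitty.cc, not nothell1-kitty.cc
        if candidate in ALL_IOC_DOMAINS:
            return candidate
    return None

def scan_record(record: dict) -> list[str]:
    """Indicators matched by one log record (same fields Queries 1 and 2 inspect)."""
    hits: list[str] = []
    url = record.get("url")
    if url and url in IOC_URLS:
        hits.append(url)  # exact URL indicator
    for field in ("url", "domainname", "siteurl"):
        value = record.get(field)
        hit = domain_matches(hostname_of(value)) if value else None
        if hit and hit not in hits:
            hits.append(hit)
    sha = record.get("sha256hash")
    if sha and sha.lower() in IOC_SHA256:  # hash IN (...) match, case-insensitive
        hits.append(sha.lower())
    return hits

def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Scan newline-delimited JSON records; return (line number, hits) for each match."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        hits = scan_record(record) if isinstance(record, dict) else []
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample: two true hits, a lookalike domain, an upper-case hash hit, a benign site, a bad line.
SAMPLE_LOG = """\
{"ts":"2026-05-20T10:01:02Z","src":"10.0.0.12","url":"https://hell1-kitty.cc/update1_usb_usb_usb.VOcx4wEV8"}
{"ts":"2026-05-20T10:01:05Z","src":"10.0.0.12","domainname":"cdn.globalsnn2-new.cc"}
{"ts":"2026-05-20T10:02:00Z","src":"10.0.0.31","domainname":"nothell1-kitty.cc"}
{"ts":"2026-05-20T10:03:10Z","host":"WS-0042","sha256hash":"3C278499C5E3CED3BF1A6A7287808C5267075F1DEC0AA5C7BE2C4C444F33F2BC"}
{"ts":"2026-05-20T10:04:00Z","src":"10.0.0.40","siteurl":"https://example.com/login"}
this line is not JSON
"""

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {', '.join(hits)}")
```

    Running the file prints the three matching sample lines; feeding exported proxy, DNS or EDR records through scan_log in place of SAMPLE_LOG gives the same result on real data. The page's like clauses carry no wildcards, and whether like behaves as an exact or a substring comparison depends on the query dialect, so the example commits to explicit label-boundary matching and keeps that decision visible in domain_matches.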

    Reference:

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/

    Tags

    Malware, Obfuscation, MSHTA, cryptocurrency, Clipboard hijacking
