4 min read | Saved February 14, 2026
Do you care about this?
Cybersecurity researchers revealed two malware campaigns using cracked software and compromised YouTube accounts. CountLoader is a stealthy loader delivering various payloads, while GachiLoader deploys malware through obfuscated scripts on YouTube, demonstrating advanced evasion techniques.
If you do, here's more
Cybersecurity researchers have uncovered a campaign that exploits cracked software distribution sites to spread a sophisticated malware loader called CountLoader. This loader is part of a multi-stage attack that targets users downloading illegitimate versions of software like Microsoft Word. Instead of the intended software, users are redirected to a MediaFire link containing a malicious ZIP file. Inside, there's an encrypted ZIP and a seemingly harmless Word document that reveals the password to access it. The payload includes a modified Python interpreter that runs a malicious command to fetch CountLoader 3.2 from a remote server.
CountLoader has an array of capabilities, including the ability to download and execute various payloads, collect system information, and propagate through removable drives. Notably, it can adapt its persistence methods based on the security tools installed on the target system, such as CrowdStrike’s Falcon. The campaign culminates with the deployment of ACR Stealer, which steals sensitive data from infected machines. This showcases an evolving sophistication in malware tactics, emphasizing the need for robust detection and defense mechanisms.
In a related development, Check Point reported on GachiLoader, a JavaScript malware loader disseminated through compromised YouTube accounts. This loader employs a novel PE injection technique, allowing it to replace legitimate DLLs with malicious payloads on the fly. Approximately 100 YouTube videos, linked to 39 compromised accounts, have been flagged, racking up around 220,000 views before many were taken down. GachiLoader not only deploys additional malware but also executes anti-analysis checks to evade detection, including attempts to gain admin privileges and kill processes associated with Microsoft Defender. This highlights a concerning trend in malware distribution methods and the ongoing arms race between malware authors and security researchers.