CountLoader Day 4: Infrastructure Rotation, Protocol Simplification, and 28 New Samples

Four days of continuous tracking reveal a campaign that rewrites its own plumbing faster than defenders can block it

Published: 2026-03-12 | Author: Breakglass Intelligence | Tags: malware, campaign-tracking, infostealer, C2, HTML smuggling, cryptocurrency

TL;DR

On March 8, we cracked CountLoader's wire protocol and mapped four C2 servers. Four days later, the operator has rotated three of those four server IPs, registered two new C2 domains, deployed a new tracking beacon, simplified the wire protocol by dropping its UTF-16LE encoding layer, and pushed 28 new samples through MalwareBazaar -- all while keeping the same CLSID fingerprint, the same 76 wallet extension targets, and the same Active Directory reconnaissance module. This is a campaign in active daily evolution, and this post documents what changed, what stayed the same, and what defenders need to update.


Why a Campaign Evolution Post

Breakglass Intelligence has published two prior CountLoader reports:

  1. March 8 -- Initial discovery. We reverse-engineered the full C2 wire protocol, registered bots on live panels, extracted four modules (AD recon, wallets, extensions, config), and documented the ccleaner[.]gl fake installer chain.
  2. March 9 -- Six polyglot HTA files disguised as .wav, .xml, .mp4, .ini, and .csv. Mapped five AlexHost-hosted C2 domains behind six separate Cloudflare accounts. Identified 76 crypto wallet extension IDs and a Russian-language error string.

Between March 9 and March 12, we ran two additional investigations triggered by new MalwareBazaar submissions. The combined findings paint a picture of an operator who is actively monitoring takedown efforts and rotating infrastructure faster than most organizations update their blocklists. Rather than publish two more standalone reports, we are consolidating the findings into this single campaign-tracking update.

The Scoreboard: March 8 vs. March 12

| Metric | March 8 | March 12 | Change |
|---|---|---|---|
| Known C2 domains | 4 | 7 | +3 new domains |
| Known C2 IPs | 4 | 9+ | +5 new IPs, 3 rotated |
| Tracking beacons | 1 (burning-edge[.]sbs) | 2 (+explorer[.]vg) | +1 new beacon |
| Unique samples | 5 HTA payloads | 33 total (5 original + 25 polyglot + 3 HTML smuggling) | +28 samples in 4 days |
| Auth keys observed | 5 | 8 | +3 new keys |
| XOR key variants | 4 (none, 610, 923, complex) | 7 (+0, +17, +777) | Builder generating new keys per batch |
| Wire protocol version | UTF-16LE + base64 + XOR | base64 + XOR (simplified) | Protocol revision in the field |
| Hosting providers | 4 (PFCLOUD, Hosteons, Hetzner, Newserverlife) | 7+ (+AS56971 Cloud HK, +DF-TRANSIT DE, +AVAHOHST MD) | Geographic diversification |
| Countries hosting infra | 4 (DE, SG, FI, PL) | 8+ (+MD, BG, AE, RU, GB, HK) | Spread across jurisdictions |
| Confirmed version | Unknown | v4.1.1 | Version string extracted |

What Rotated: Infrastructure Churn in 96 Hours

The most significant operational finding is the speed of infrastructure rotation. Three of four original C2 IPs were replaced between March 8 and March 12:

| Domain | March 8 IP | March 12 IP | Old ASN | New ASN |
|---|---|---|---|---|
| ccleaner[.]gl | 192[.]109[.]200[.]130 | 178[.]255[.]222[.]234 | PFCLOUD (AS51396), DE | AS56971 Cloud, HK |
| web3-walletnotify[.]cc | 82[.]29[.]72[.]214 | 85[.]121[.]148[.]80 | Hosteons, SG | AVAHOHST, MD |
| communicationfirewall-security[.]cc | Cloudflare-proxied | 82[.]29[.]128[.]113 | Cloudflare | Hosteons, GB |
| burning-edge[.]sbs | 65[.]21[.]174[.]205 | 65[.]21[.]174[.]205 | Hetzner, DE | Hetzner, DE (unchanged) |

The ccleaner[.]gl move is the most telling. The original IP at 192[.]109[.]200[.]130 on PFCLOUD -- a provider we flagged in our March 8 report for sharing a /24 with known QuasarRAT C2 -- was abandoned for an IP on AS56971, a Hong Kong-registered cloud provider. The operator read the room (or read our report) and moved.

communicationfirewall-security[.]cc dropped its Cloudflare proxy entirely and now resolves directly to a Hosteons IP in the UK. This is tactically interesting: Cloudflare proxying provides DDoS protection and origin IP concealment, but it also means Cloudflare can terminate the domain for abuse. By moving to a direct IP, the operator trades protection for persistence.

The only domain that did not rotate is burning-edge[.]sbs on Hetzner, which serves as a tracking beacon rather than a C2 panel. Beacons are less likely to be reported because they do not serve malware directly.

What's New: Two C2 Domains and a Fresh Beacon

favourite-guide[.]cc

First certificate issued on 2026-02-11 -- a full month before the March 12 samples that reference it. This domain was pre-staged infrastructure, sitting dormant with valid TLS until the operator activated it. It resolves to 94[.]26[.]106[.]134 on AS215607 (DF-TRANSIT, Germany), a provider not previously seen in CountLoader infrastructure. Shodan shows ports 22 (SSH), 3389 (RDP), 5357 (WSD), and 5985 (WinRM) open -- a Windows server with remote management exposed.

The Cloudflare NS pair (nelly/quentin) is unique to this domain, continuing the operator's pattern of one Cloudflare account per domain.

indeanapolice[.]cc

First certificate issued on 2025-12-22 -- nearly three months of dormancy before activation. The domain name is a misspelling of "Indianapolis Police," which is either a crude social engineering theme or simply a non-native English speaker's best effort. It resolves to 94[.]183[.]233[.]21 on AS56971 (Cloud, HK), geolocating to the UAE. Nginx 1.24.0 on ports 80/443.

This domain serves dual roles depending on the sample: it is a C2 server for some payloads and a tracking beacon for others. The March 12 Dataset_Old_v7.1.mp4 sample uses it as a beacon, while the March 11 investigation found it in the C2 domain series alongside fileless-market[.]cc and immortal-service[.]cc.

explorer[.]vg

A clean replacement for burning-edge[.]sbs as the tracking beacon. First certificate on 2026-02-28, renewed on 2026-03-11 -- the day before the latest samples appeared. Resolves to 45[.]156[.]23[.]185 on AS56971 (Cloud, HK), geolocated to Russia. The .vg TLD (British Virgin Islands) is an unusual choice that may help evade TLD-based blocking rules.

What Changed: The Protocol Got Simpler

The March 8 investigation documented a five-step encoding process for C2 communication:

March 8 (original):  plaintext -> XOR -> prepend key -> UTF-16LE -> base64
March 12 (v4.1.1):   plaintext -> XOR -> prepend key -> base64

Version 4.1.1 drops the UTF-16LE encoding step entirely. The practical effect: encoded payloads are roughly half the size, and the protocol is marginally faster to encode/decode. The security effect: zero. The XOR key is still transmitted in plaintext alongside the ciphertext. This is obfuscation theater -- but the simplification may indicate the operator encountered compatibility issues with the UTF-16LE step across different Windows locales, or simply decided the extra layer was not worth the performance cost.
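To make the two pipelines concrete, here is a small Python encoder/decoder for both layouts. It is an added illustration written for this post, not code from the CountLoader builder or panel. The page documents only the order of the steps, so two details are assumptions of this example: the key is prepended as decimal digits followed by a ":" delimiter, and the XOR is applied byte-wise with the low byte of the key. The decoder needs no secret for either layout, which is the point made above: the key travels in the clear next to the ciphertext.

```python
import base64

# Framing assumed for this example (the page documents only the step order, not
# the delimiter or the XOR width): message = <decimal key> ":" <XORed bytes>,
# XOR applied byte-wise with (key mod 256). Key 0 / "none" leaves the body intact.
KEY_SEP = b":"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with the low byte of the integer key (assumed scheme)."""
    k = key & 0xFF
    return bytes(b ^ k for b in data)


def frame(plaintext: str, key: int) -> bytes:
    """Steps shared by both versions: XOR, then prepend the key in clear."""
    return str(key).encode("ascii") + KEY_SEP + xor_bytes(plaintext.encode("utf-8"), key)


def encode_march8(plaintext: str, key: int) -> str:
    """March 8 layout: plaintext -> XOR -> prepend key -> UTF-16LE -> base64."""
    # Widening every byte to a UTF-16LE code unit is what doubled the payload size.
    wide = frame(plaintext, key).decode("latin-1").encode("utf-16-le")
    return base64.b64encode(wide).decode("ascii")


def encode_v411(plaintext: str, key: int) -> str:
    """v4.1.1 layout: plaintext -> XOR -> prepend key -> base64."""
    return base64.b64encode(frame(plaintext, key)).decode("ascii")


def decode(message: str) -> tuple[str, int, str]:
    """Decode either layout without any secret: the key rides in the message.

    Returns (layout, key, plaintext). The layout is detected from the UTF-16LE
    signature: every odd byte is NUL when latin-1 text was widened, whereas a
    v4.1.1 message carries a key digit or ':' at byte 1.
    """
    raw = base64.b64decode(message)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        framed = raw.decode("utf-16-le").encode("latin-1")
        layout = "march8-utf16le"
    else:
        framed = raw
        layout = "v4.1.1"
    key_part, sep, body = framed.partition(KEY_SEP)
    if not sep or not key_part.isdigit():
        raise ValueError("unrecognised framing")
    key = int(key_part)
    return layout, key, xor_bytes(body, key).decode("utf-8")


def size_ratio(plaintext: str, key: int) -> float:
    """How much larger the March 8 encoding is than v4.1.1 for the same message."""
    return len(encode_march8(plaintext, key)) / len(encode_v411(plaintext, key))


if __name__ == "__main__":
    for key in (0, 17, 610, 777, 923):
        old, new = encode_march8("checkStatus", key), encode_v411("checkStatus", key)
        print(key, decode(old), decode(new), f"ratio={size_ratio('checkStatus', key):.2f}")
```

The layout sniff in decode() is what lets a single parser cover traffic captured before and after the protocol revision: if the operator drops the delimiter or widens the XOR in a later build, only frame() and the detection branch need to change.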

We confirmed the protocol change is functional by successfully probing all three new C2 servers:

| Domain | Probe | Response | Timestamp |
|---|---|---|---|
| communicationfirewall-security[.]cc | checkStatus | success | 2026-03-12 |
| favourite-guide[.]cc | checkStatus | success | 2026-03-12 |
| indeanapolice[.]cc | checkStatus | success | 2026-03-12 |

All three panels are live and accepting connections.

What Stayed the Same: The Campaign Fingerprint

Despite all the infrastructure churn, the following elements are identical across every sample from March 8 through March 12:

  • CLSID: {0830A3F8-70B8-40E1-A0F3-E0EC9092F861} -- present in every HTA payload, stable across 33 samples
  • 76 crypto wallet extension IDs -- MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Ledger Live, and 70 others
  • 66 browser profile paths -- Chrome, Edge, Brave, Opera, Vivaldi, and all Chromium derivatives
  • Anti-sandbox checks -- AZURE-PC hostname, "Bruno" username, SYSTEM/SISTEMA locale, CrowdStrike Falcon detection
  • 6 download methods -- PowerShell, curl, bitsadmin, certutil, msiexec, VBScript XMLHTTP
  • Persistence -- PT30M scheduled task (every 30 minutes), P760D duration (~2 years), HKCU\Run registry key, HTA relaunch
  • 10 task types -- Including USB spreading (type 9) and AD reconnaissance (type 5)
  • Module hashes -- AD, wallets, extensions, and config modules unchanged (same MD5s as March 8)
  • JWT audience -- MyServerAudit hardcoded in all panel responses

The CLSID alone is a reliable detection anchor. It has not changed across 33 samples, 7 C2 domains, and 4 days of operation. Until the operator modifies their builder template, this is the single most reliable static indicator for CountLoader.

The Sample Pipeline: 28 in 4 Days

March 9-11: The Polyglot Wave (25 samples)

Between March 9 and March 11, 25 CountLoader HTA files were uploaded to MalwareBazaar, all following an automated filename pattern: [Word]_[Word]_[Word]_[Number].[Extension].

The word pool draws from a curated list of business-themed terms: Summer, Data, Primary, Quantum, Session, Report, Finance, Global, Project, Archive, Invoice, Meeting, Travel, Photos, Sales, Design, Work, Backup. The extension pool spans 18 file types (.rar, .pptx, .wav, .txt, .jpeg, .csv, .xml, .docx, .bin, .cfg, .webp, .mp4, .json, .ini, .jpg, .pdf, .xlsx, .bak), none of which are .hta.

The March 11 investigation indexed these samples and confirmed them as CountLoader by cross-referencing URLhaus tags, YARA rule matches (CP_Script_Inject_Detector, Sus_CMD_Powershell_Usage), and file size clustering. The consistent size range of 111-127 KB across all 25 samples suggests a builder template with variable-length padding or obfuscation, not hand-crafted payloads.

This wave was delivered via the typosquatting domain ccleaner[.]gl and associated delivery infrastructure on AlexHost (Moldova) and Tamatiya/4vendeta (Bulgaria).

March 12: The HTML Smuggling Batch (3 samples)

On March 12, three more samples appeared with the same filename convention but notably different internal structure:

| SHA256 | Filename | XOR Key | Auth Key | Primary C2 | Secondary C2 |
|---|---|---|---|---|---|
| ddfb69cc... | Meeting_X_Images_948.7z | 17 | LDXXE49D053MVPQM5MS3 | communicationfirewall-security[.]cc | favourite-guide[.]cc |
| 136ee188... | Release_Office__72.jpeg | 777 | 733EI487XG0G6RV9ZY6F | communicationfirewall-security[.]cc | N/A |
| 831886b3... | Dataset_Old_v7.1.mp4 | 0 | 0J86JU1J4RIUBNLJ2BF5 | communicationfirewall-security[.]cc | favourite-guide[.]cc |

Each sample uses a unique combination of XOR key, auth key, and variable names -- generated by the CountLoader builder per payload. Two of the three samples include a secondary C2 (favourite-guide[.]cc), while the single-C2 variant has 380 string table entries versus 382 for the dual-C2 variants. This 380 vs. 382 pattern matches exactly what we observed in March 8 payloads (where ccleaner[.]gl had 382 entries and web3-walletnotify[.]cc had 380).

All three confirmed as version 4.1.1 with the simplified protocol.

Infrastructure Map: The Full Picture

All Known C2 Domains (as of March 12)

| Domain | First Cert | Current IP | ASN | Role | Status |
|---|---|---|---|---|---|
| ccleaner[.]gl | 2026-03-03 | 178[.]255[.]222[.]234 | AS56971 (HK) | Panel + delivery | LIVE |
| web3-walletnotify[.]cc | 2025-12-16 | 85[.]121[.]148[.]80 | AVAHOHST (MD) | C2 + tasking | LIVE |
| bigbrainsholdings[.]com | Unknown | 85[.]121[.]148[.]80 | AVAHOHST (MD) | Backup C2 | LIVE |
| communicationfirewall-security[.]cc | Unknown | 82[.]29[.]128[.]113 | Hosteons (GB) | Primary C2 (March 12) | LIVE |
| favourite-guide[.]cc | 2026-02-11 | 94[.]26[.]106[.]134 | DF-TRANSIT (DE) | Secondary C2 (new) | LIVE |
| indeanapolice[.]cc | 2025-12-22 | 94[.]183[.]233[.]21 | AS56971 (HK/AE) | C2/beacon (new) | LIVE |
| explorer[.]vg | 2026-02-28 | 45[.]156[.]23[.]185 | AS56971 (HK/RU) | Tracking beacon (new) | LIVE |

Expanded Delivery Domains (March 11 Investigation)

The March 11 investigation uncovered a much larger delivery infrastructure beyond the core C2 panel domains. These domains were found through DNS pivoting, ThreatFox correlation, and adjacent IP scanning:

| Domain | IP | Purpose |
|---|---|---|
| s1-rarlab[.]com | 85[.]121[.]148[.]80 | RARLab impersonation |
| s3-python[.]cc | 85[.]121[.]148[.]80 | Python impersonation |
| py-installer[.]cc | 85[.]121[.]148[.]80 | Python installer lure |
| node2-py-store[.]com | 85[.]121[.]148[.]80 | Python/Node lure |
| updateservice1-telegramweb[.]com | 85[.]121[.]148[.]80 | Telegram impersonation |
| magnusworkspace[.]com | 85[.]121[.]148[.]80 | Generic business lure |
| forest-entity[.]cc | 78[.]128[.]114[.]182 | C2/delivery |
| debank-api[.]cc | N/A | DeFi/DeBank impersonation |

All eight domains on 85[.]121[.]148[.]80 (AlexHost, Moldova) reveal the operator's brand impersonation strategy: CCleaner, RARLab, Python, Telegram, Web3/DeFi, and generic business tools. The target audience is developers and crypto users -- people likely to have both wallet extensions and domain-joined workstations.

Numbered C2 Domain Series

The March 11 investigation also revealed a pre-registered C2 domain rotation pool:

| Series | Pattern | Confirmed Resolving | Purpose |
|---|---|---|---|
| alphazero-endscape[.]cc | alphazero[1-10]-endscape[.]cc | N=1 -> 78[.]128[.]114[.]182 | Dormant C2 pool |
| api-microservice-us[.]com | api-microservice-us[1-10][.]com | N=1 -> 78[.]128[.]114[.]182 | Dormant C2 pool |
| globalsnn-new[.]cc | globalsnn[1-10]-new[.]cc | N=1-3 -> 78[.]128[.]114[.]182 | Dormant C2 pool |

That is 32 pre-registered domains on a single Bulgarian bulletproof hosting IP (Tamatiya EOOD / 4vendeta), with only a handful currently active. This is infrastructure in reserve -- ready to be activated when current domains are burned.
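Because the pool is enumerable from the three patterns above, defenders can block or alert on the whole series before any member resolves. The Python below, added here as an illustration and not tooling from Breakglass, expands each "[1-10]" range into concrete hostnames and renders one DNS-query rule per hostname in the same shape as the Suricata rules later in this post. The starting sid (9000200) is a placeholder chosen for the example; use a block that is free in your own ruleset.

```python
import re

# Series patterns exactly as listed in the report's table; "[1-10]" marks the numeric range.
DORMANT_SERIES = (
    "alphazero[1-10]-endscape[.]cc",
    "api-microservice-us[1-10][.]com",
    "globalsnn[1-10]-new[.]cc",
)
RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")


def refang(domain: str) -> str:
    """Turn the defanged notation used in reports back into a real hostname."""
    return domain.replace("[.]", ".")


def expand_series(pattern: str) -> list[str]:
    """Expand one '[lo-hi]' range into concrete hostnames, refanged."""
    m = RANGE_RE.search(pattern)
    if m is None:
        return [refang(pattern)]
    lo, hi = int(m.group(1)), int(m.group(2))
    return [refang(f"{pattern[:m.start()]}{n}{pattern[m.end():]}") for n in range(lo, hi + 1)]


def dormant_pool() -> list[str]:
    """Every hostname the three series can produce, de-duplicated and sorted."""
    return sorted({d for p in DORMANT_SERIES for d in expand_series(p)})


def suricata_dns_rule(domain: str, sid: int) -> str:
    """Render a DNS query rule in the same shape as the report's own rules.
    The sid is caller-chosen (placeholder in this example), not a published value."""
    return (
        f'alert dns $HOME_NET any -> any any (msg:"BGI - CountLoader Dormant C2 DNS ({domain})"; '
        f'dns.query; content:"{domain}"; nocase; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def dormant_pool_rules(start_sid: int = 9000200) -> list[str]:
    """One rule per dormant hostname, sids assigned sequentially from start_sid."""
    return [suricata_dns_rule(d, start_sid + i) for i, d in enumerate(dormant_pool())]


if __name__ == "__main__":
    print("\n".join(dormant_pool_rules()))
```

Alerting on the dormant names is cheap and has a useful side effect: the first resolution of alphazero4-endscape.cc from inside your network tells you the operator has burned through the active set and started drawing on the reserve.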

Hosting Provider Map

| Provider | ASN | Country | IPs Used | Reputation |
|---|---|---|---|---|
| AS56971 (Cloud, HK) | 56971 | HK | 3 IPs | Hong Kong cloud, IPs geolocate to AE/RU/HK |
| Hosteons | 142036 | SG | 2 IPs | Singapore VPS |
| AVAHOHST (AlexHost) | 48753 | MD | 1 IP | Known bulletproof hosting |
| DF-TRANSIT | 215607 | DE | 1 IP | German transit provider |
| Tamatiya/4vendeta | -- | BG | 1 IP | Bulgarian bulletproof hosting |
| PFCLOUD | 51396 | DE | 1 IP (decommissioned) | Known bulletproof hosting |
| Hetzner | 24940 | DE | 1 IP | Legitimate hosting (beacon only) |
| Newserverlife | 49791 | PL | 1 IP | Warsaw VPS (payload staging) |

The geographic spread is deliberate. No single takedown request to a single hosting provider or law enforcement jurisdiction can disable the entire operation. The concentration on AS56971 (3 IPs) is the closest thing to a single point of failure.

Cloudflare Account Discipline

Every CountLoader domain uses a unique Cloudflare NS pair:

| Domain | NS Pair |
|---|---|
| ccleaner[.]gl | gordon / wren |
| web3-walletnotify[.]cc | alice / venkat |
| bigbrainsholdings[.]com | camilo / deborah |
| communicationfirewall-security[.]cc | candy / chip |
| favourite-guide[.]cc | nelly / quentin |
| indeanapolice[.]cc | aitana / kobe |
| explorer[.]vg | deb / guss |

Seven domains, seven Cloudflare accounts. This is deliberate compartmentalization to prevent NS-pair pivoting -- a technique where shared NS pairs reveal domains under the same Cloudflare free account. The operator knows this technique and has invested the effort to defeat it. This is above-average OPSEC for a cybercrime operation.

OPSEC Failures That Persist

Despite the infrastructure discipline, the operator continues to leave fingerprints:

  1. The CLSID that won't change: {0830A3F8-70B8-40E1-A0F3-E0EC9092F861} appears in every sample across all four days. It is a builder artifact that requires a template change to rotate. Until that happens, it is a perfect YARA anchor.

  2. "indeanapolice" -- still misspelled: The domain indeanapolice[.]cc was registered in December 2025. Three months later, the typo remains. This confirms a non-native English speaker and suggests the operator does not proofread domain names (or does not care).

  3. Cyrillic anti-sandbox string: The locale check for СИСТЕМА (Russian for "SYSTEM") is a language artifact. Combined with the CIS-region exclusion behavior, this places the operator in the Russian-speaking ecosystem with MEDIUM-HIGH confidence.

  4. PDB path D:\Panel\Files\: Exposed in the March 8 investigation and still present in the panel architecture. This reveals a Windows development environment with a dedicated panel drive.

  5. Consistent file size range: All 28 new samples fall within the 111-127 KB range. This is a builder signature that enables size-based heuristic detection.

  6. AS56971 concentration: Three of the operator's current IPs are on the same Hong Kong ASN. If AS56971 receives a coordinated abuse complaint, three nodes go down simultaneously.

  7. Module hashes unchanged: The AD, wallets, extensions, and config modules have the same MD5 hashes as March 8. The operator has not updated the server-side payload codebase in four days despite our public reporting.

Threat Actor Assessment

Classification: Cybercrime -- Malware-as-a-Service (MaaS) or dedicated operator

Language: Russian-speaking (Cyrillic strings, CIS exclusion, Eastern European hosting preferences)

Confidence: MEDIUM-HIGH (upgraded from MEDIUM based on accumulating evidence)

Sophistication: HIGH for infrastructure management (rapid rotation, Cloudflare compartmentalization, multi-ASN distribution, pre-staged dormant domains). MEDIUM for payload development (builder produces functional polymorphism but stable fingerprints like CLSID and module hashes betray a rigid template architecture).

Operational tempo: The operator is pushing new samples daily, rotating IPs within 48-72 hours of public reporting, and iterating the wire protocol between batches. This is an actively managed campaign, not a set-and-forget deployment.

Dual-use design: The combination of consumer crypto wallet theft (76 extensions) with enterprise AD reconnaissance (Domain Admin enumeration, forest mapping) remains the most tactically significant aspect of CountLoader. A single infection on a domain-joined workstation yields both immediate crypto wallet theft and a complete map of the corporate Active Directory that can be sold to ransomware operators or used for deeper intrusion.

Updated IOCs

C2 Domains (all defanged)

ccleaner[.]gl
web3-walletnotify[.]cc
bigbrainsholdings[.]com
communicationfirewall-security[.]cc
favourite-guide[.]cc
indeanapolice[.]cc

Tracking Beacons

explorer[.]vg
burning-edge[.]sbs

Delivery/Impersonation Domains

s1-rarlab[.]com
s3-python[.]cc
py-installer[.]cc
node2-py-store[.]com
updateservice1-telegramweb[.]com
web3-walletnotify[.]cc
magnusworkspace[.]com
debank-api[.]cc
forest-entity[.]cc

Dormant C2 Pool

alphazero-endscape[.]cc (and alphazero[1-10]-endscape[.]cc)
api-microservice-us[1-10][.]com
globalsnn-new[.]cc (and globalsnn[1-10]-new[.]cc)
critical-service[.]cc
immortal-service[.]cc
fileless-market[.]cc

Active C2 IPs (as of March 12)

82[.]29[.]128[.]113     communicationfirewall-security[.]cc (Hosteons, GB)
94[.]26[.]106[.]134     favourite-guide[.]cc (DF-TRANSIT, DE)
94[.]183[.]233[.]21     indeanapolice[.]cc (AS56971, AE)
45[.]156[.]23[.]185     explorer[.]vg (AS56971, RU)
178[.]255[.]222[.]234   ccleaner[.]gl (AS56971, HK)
85[.]121[.]148[.]80     web3/bigbrains (AVAHOHST, MD)
78[.]128[.]114[.]182    forest-entity/alphazero/globalsnn (Tamatiya, BG)

Decommissioned IPs (block but deprioritize)

192[.]109[.]200[.]130   ccleaner[.]gl previous (PFCLOUD, DE)
82[.]29[.]72[.]214      web3/bigbrains previous (Hosteons, SG)
65[.]21[.]174[.]205     burning-edge[.]sbs (Hetzner, DE)
45[.]43[.]137[.]82      task payload server (Newserverlife, PL)

March 12 Sample Hashes

SHA256: ddfb69cce3a4e3901398cb267fcd18b4a7f9fa61ddcbafdb176461fee0a67b07  Meeting_X_Images_948.7z
SHA256: 136ee1884b2fd403b4eee50b878d4fa17b1cfc75e01fcf688bfe38a1a881079a  Release_Office__72.jpeg
SHA256: 831886b320ec701c920b160998fd688ce455ac377bd217a25f8142d2722c2f64  Dataset_Old_v7.1.mp4

March 11 Sample Hashes (25 polyglot HTAs)

SHA256: e27ff6646a2f98b81ea5da4d0d93127f0f3e68a5e6728f404724e388376ede84  Summer_Data_Primary_44.rar
SHA256: d0ebabd416f5311be2e7310fc9bcc68f34d5a9ce5d0c504bb3ca1256dbb3ea6c  Quantum_Session_Winter_9936.pptx
SHA256: 4f21bd260143a5d3da5609ff733a5e9ba5c4f5a92838aa2fcf15da67294f6d48  Report_Draft_v5.3.wav
SHA256: 09dca286514968e1099159d630118b6309e87d71c4ec03f743eb9f75ee4672ed  Video_Home__93.txt
SHA256: 0ada96fe01fb58d986ec32056522e32aa04afe63e4c9ad6fc821319374864c95  Global_Project_Release_6060.jpeg
SHA256: db469e31109bd531129316c72680b9c30a6bf429480d2508b4ae416db2fbbca1  External_Notes_Monthly_3626.txt
SHA256: 7c7f0a3d44309546c1d6c42d7cdc60956bf3ff18f9e9ab41752a19526364942b  User_Archive_Raw_3885.xlsx
SHA256: d44e68bd7c91e0bd1870cfd227f25e0a92a5a85e181c861162c9cc7c0a3af65d  Quantum_Project_Canada_9531.json
SHA256: 4f92cd7523c47140107c05570cbd97ba82ff626d8b60c9832ca0a68d66760b62  Finance_Gamma_Config_487.webp
SHA256: e867b6eab9ca3475cbed6f14d3eaab2ce742b22e7390c62c1185024aca62e11f  Travel_X_Config_917.wav
SHA256: 084dbd5563fb9b83793957c0ee176d38b1129987eeb5f922f27606f52c0c8be4  Europe_Dataset_Final_334.ini
SHA256: 31ee0d6b90096506ef3d336531903cdb8688a05086dd70b2c4e580b62181ddb3  Sales_Core_Data_518.csv
SHA256: 4c44bd2ce55eb22ff1dbe90e47282cc6cbb7c2697d6210630559448af7ebe14d  Photos_Daily_v3.0.xml
SHA256: b959663a61d0725bcd0213e3a66a44505f7c51d1595e4070c93778ef22c9db36  Omega_Data_NewYork_2087.xml
SHA256: 4b044b4e9eec63f249e5e8fa4276948cf8002fff4d67b9c80532c7500694fd03  Meeting_Photos_Temp_6194.mp4
SHA256: 3297233d82b04a04e11cc2fd8552d462438041d42fd8c74af242452b20866299  User_Fusion_Images_997.cfg
SHA256: 1b9115b928239d2adea06d84ba8ed34c5ab1ba9ee68893b49dd2cecdf5711ca1  Archive_Draft_v3.6.pptx
SHA256: 06a3c6c95e739430812dddcdf09d93dcc3368bbd583cad0e0d6cd3428a2ae43e  Invoice_Beta_v4.8.jpg
SHA256: 47fe8a5fcf2748d0bc948f6bac6cc480999052df75a8d954d371a9a22ec76607  Journal_Raw_v2.9.webp
SHA256: a00975ac089397ba5665254fef1bdb5e4fead543004da380230799fbea93ff75  Delta_Dataset_Holiday_2082.bak
SHA256: a54bc8b924efa6160814d0d2cca4b33204709e1b9d64f57362ca30c9c1e17c9b  Delta_Journal_Moscow_6150.ini
SHA256: 0d24a35bc17cf1c3f374c20acd4a72a588d38456b816ac2a8f8fb669df1f4cbe  NewYork_Release_Temp_153.docx
SHA256: 846380ab52cc2fc432352c299742e0bd110770779a48db48c4e0765a1290e5a4  Design_Quantum_Video_584.docx
SHA256: 0b7aaef18f064093bcc3bda8c92173ee96141e7bee8c91240264c881f6f251ea  Fusion_Document_Europe_6517.bin
SHA256: 40e61e8070a58aeae224e5aded63b7f2c8ff25340f611b23585ee5c33b4a433a  Nova_Data_NewYork_5969.xml
SHA256: d763d05ff9cfd1302282289ba407a81088e09051dfbe66dcedd6372442fac4e5  Work_Backup_Clean_4396.pdf

Campaign Fingerprint (Stable Indicators)

CLSID:    {0830A3F8-70B8-40E1-A0F3-E0EC9092F861}
Version:  4.1.1
JWT aud:  MyServerAudit
Sched:    PT30M interval, P760D duration
PDB:      D:\Panel\Files\

Module Hashes (MD5, unchanged since March 8)

c8bac7421d041559dc4a6709325b492d  ad (Active Directory recon)
cadfe68d6c103aacce0f451cad2b8e52  wallets (crypto wallet extraction)
c757ae3ee19bb09793a752500b6dbf68  extensions (browser extension harvesting)
b4c7ea651fc9f20131fe35ff25e0f8f6  config (system configuration profiling)

Detection Updates

What to Add to Your Blocklists

If you implemented our March 8 and March 9 IOCs, add these:

New domains (not in prior reports):

  • favourite-guide[.]cc
  • indeanapolice[.]cc
  • explorer[.]vg
  • s1-rarlab[.]com
  • s3-python[.]cc
  • py-installer[.]cc
  • node2-py-store[.]com
  • updateservice1-telegramweb[.]com
  • magnusworkspace[.]com
  • forest-entity[.]cc
  • All 32 dormant domains in the alphazero, api-microservice-us, and globalsnn series

New IPs (not in prior reports):

  • 94[.]26[.]106[.]134
  • 94[.]183[.]233[.]21
  • 45[.]156[.]23[.]185
  • 82[.]29[.]128[.]113
  • 178[.]255[.]222[.]234
  • 85[.]121[.]148[.]80
  • 78[.]128[.]114[.]182

YARA Rule (Updated for v4.1.1)

rule CountLoader_Campaign_March2026 {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-12"
        description = "Detects CountLoader v4.x HTML smuggling and HTA payloads across all March 2026 campaign waves"
        tlp = "WHITE"
        reference = "https://intel.breakglass.tech"

    strings:
        // Stable CLSID across all builds
        $clsid = "0830A3F8-70B8-40E1-A0F3-E0EC9092F861" ascii wide

        // C2 protocol endpoint
        $connect = "connect?hwid=" ascii wide

        // Task type handler
        $task_switch = /case\s+5:[\s\S]{1,200}case\s+9:[\s\S]{1,200}case\s+11:/ ascii

        // Persistence indicators
        $sched_interval = "PT30M" ascii wide
        $sched_duration = "P760D" ascii wide
        $sched_service = "Schedule.Service" ascii wide

        // AD module trigger
        $wmi_ntdomain = "Win32_NTDomain" ascii wide

        // Anti-sandbox: Cyrillic SYSTEM
        $sandbox_cyrillic = { D0 A1 D0 98 D0 A1 D0 A2 D0 95 D0 9C D0 90 }

        // Known auth keys (rotate frequently but catch recent builds)
        $key1 = "LDXXE49D053MVPQM5MS3" ascii
        $key2 = "733EI487XG0G6RV9ZY6F" ascii
        $key3 = "0J86JU1J4RIUBNLJ2BF5" ascii
        $key4 = "24Q4FVZNSU1R0KZE2WU4" ascii
        $key5 = "PUT1OBY1D6JH1GF5I9N4" ascii

    condition:
        filesize < 200KB and
        (
            $clsid or
            (any of ($key*)) or
            ($connect and $task_switch) or
            ($sched_interval and $sched_duration and $sched_service) or
            ($connect and $wmi_ntdomain and $sched_service)
        )
}

Suricata Rules (New Domains)

alert dns $HOME_NET any -> any any (
    msg:"BGI - CountLoader C2 DNS (favourite-guide.cc)";
    dns.query; content:"favourite-guide.cc"; nocase;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000110; rev:1;
)

alert dns $HOME_NET any -> any any (
    msg:"BGI - CountLoader C2 DNS (indeanapolice.cc)";
    dns.query; content:"indeanapolice.cc"; nocase;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000111; rev:1;
)

alert dns $HOME_NET any -> any any (
    msg:"BGI - CountLoader Beacon DNS (explorer.vg)";
    dns.query; content:"explorer.vg"; nocase;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000112; rev:1;
)

alert dns $HOME_NET any -> any any (
    msg:"BGI - CountLoader C2 DNS (communicationfirewall-security.cc)";
    dns.query; content:"communicationfirewall-security.cc"; nocase;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000113; rev:1;
)

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - CountLoader C2 POST with text/plain body (protocol signature)";
    flow:established,to_server;
    http.method; content:"POST";
    http.content_type; content:"text/plain";
    http.host; pcre:"/(communicationfirewall-security|favourite-guide|indeanapolice)\.(cc)/";
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000114; rev:1;
)

alert dns $HOME_NET any -> any any (
    msg:"BGI - CountLoader Delivery Domain (s1-rarlab.com)";
    dns.query; content:"s1-rarlab.com"; nocase;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000115; rev:1;
)

alert dns $HOME_NET any -> any any (
    msg:"BGI - CountLoader Delivery Domain (py-installer.cc)";
    dns.query; content:"py-installer.cc"; nocase;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000116; rev:1;
)

Endpoint Hunting Queries

If you are running an EDR, these are the highest-value hunts for CountLoader activity:

  1. MSHTA with external URL: Any mshta.exe process where the command line contains http or https -- CountLoader's primary execution vector
  2. Scheduled task with PT30M + P760D: The persistence fingerprint. Query scheduled task creation events for this specific interval/duration combination
  3. WMI AD enumeration burst: Win32_NTDomain + Win32_GroupUser + Win32_Account queries within a 60-second window from a non-admin tool
  4. CLSID in file content: Scan downloaded files for 0830A3F8-70B8-40E1-A0F3-E0EC9092F861
  5. MIME/extension mismatch: Files with extensions .rar, .pptx, .wav, .mp4, .7z, .jpeg that have text/html content type
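Hunts 4 and 5, together with the builder filename pattern and the 111-127 KB size band described in the sample pipeline section, can be combined into a single file-triage check. The Python below is an added example written for this post, not a Breakglass tool; the samples it scans are constructed stand-ins (a padded HTML stub carrying the CLSID, a minimal RIFF header, a text note), not the real payloads. The filename regex is an approximation of the observed "[Word]_[Word]_[Word]_[Number].[Extension]" convention that also admits the "v5.3"-style suffixes and empty middle words seen in the hash list, and is an assumption of this example.

```python
import re

# Stable builder artifact reported across all 33 samples.
CLSID = "0830A3F8-70B8-40E1-A0F3-E0EC9092F861"
# Lure extensions seen in the March 9-12 waves (18 polyglot types plus .7z).
LURE_EXTENSIONS = {".rar", ".pptx", ".wav", ".txt", ".jpeg", ".csv", ".xml", ".docx",
                   ".bin", ".cfg", ".webp", ".mp4", ".json", ".ini", ".jpg", ".pdf",
                   ".xlsx", ".bak", ".7z"}
# Approximation (assumed) of the builder's naming convention, e.g.
# Summer_Data_Primary_44.rar, Release_Office__72.jpeg, Dataset_Old_v7.1.mp4.
NAME_RE = re.compile(r"^[A-Za-z]*(?:_[A-Za-z]*){1,2}_(?:\d+|v\d+\.\d+)\.[A-Za-z0-9]+$")
# Markers that identify an HTML/HTA body regardless of the claimed extension.
HTML_MARKERS = (b"<html", b"<script", b"<hta:application", b"<!doctype html")
SIZE_RANGE = (111 * 1024, 127 * 1024)


def looks_like_html(data: bytes) -> bool:
    """Content sniff: HTML/HTA markup in the first 4 KB, case-insensitive."""
    head = data[:4096].lower()
    return any(marker in head for marker in HTML_MARKERS)


def has_clsid(data: bytes) -> bool:
    """CLSID as ASCII or as UTF-16LE, matching the YARA rule's 'ascii wide'."""
    return CLSID.encode("ascii") in data or CLSID.encode("utf-16-le") in data


def triage(filename: str, data: bytes) -> dict:
    """Score one file against the campaign's static fingerprints."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    flags = {
        "builder_name_pattern": bool(NAME_RE.match(filename)),
        "extension_content_mismatch": ext in LURE_EXTENSIONS and looks_like_html(data),
        "clsid_present": has_clsid(data),
        "size_in_builder_range": SIZE_RANGE[0] <= len(data) <= SIZE_RANGE[1],
    }
    # The CLSID alone is the strongest anchor; otherwise require the extension/content
    # mismatch plus one supporting heuristic so plain HTML saved as .txt does not fire.
    strong = flags["clsid_present"]
    supported = flags["extension_content_mismatch"] and (
        flags["builder_name_pattern"] or flags["size_in_builder_range"]
    )
    flags["verdict"] = "countloader-likely" if strong or supported else "no-match"
    return flags


# Constructed demonstration inputs; none of these is real malware.
SAMPLE_LURE = (
    b"<html><head><hta:application id='x'/></head><body><script>\n"
    + b"// constructed stand-in for an obfuscated loader body\n"
    + b"var clsid = '" + CLSID.encode("ascii") + b"';\n"
    + b"</script></body></html>\n"
).ljust(115 * 1024, b" ")  # padded into the 111-127 KB builder size band
SAMPLE_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt " + bytes(28)
SAMPLE_NOTE = b"Quarterly numbers attached, see sheet 2.\n"

if __name__ == "__main__":
    for name, blob in (("Summer_Data_Primary_44.rar", SAMPLE_LURE),
                       ("Travel_X_Config_917.wav", SAMPLE_WAV),
                       ("notes.txt", SAMPLE_NOTE)):
        print(name, triage(name, blob))
```

Run it over a download directory or mail-gateway quarantine: a file whose name matches the builder convention and whose "video" or "archive" body starts with HTML is exactly the polyglot described above, and the verdict logic keeps a lone renamed HTML page from paging anyone.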

What to Expect Next

Based on four days of tracking, the operator's pattern is predictable:

  • IP rotation every 48-72 hours on domains that receive public reporting
  • New samples daily, 3-8 per batch, with randomized filenames and per-sample XOR/auth keys
  • New C2 domains activated from the dormant pool as current domains are burned (watch the alphazero, api-microservice-us, and globalsnn series)
  • Protocol iteration -- the UTF-16LE removal in v4.1.1 suggests the developer is actively refactoring. Expect further encoding changes
  • The CLSID will eventually change -- it is the operator's most exposed fingerprint, and if they read public reporting (and the IP rotation suggests they do), this is the next thing to rotate

We will continue tracking this campaign and publish updates as the infrastructure evolves.

MITRE ATT&CK Summary

| Tactic | Techniques |
|---|---|
| Initial Access | T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1189 (Drive-by Compromise) |
| Execution | T1218.005 (MSHTA), T1059.001 (PowerShell), T1059.005 (VBScript), T1059.007 (JavaScript), T1204.002 (Malicious File) |
| Persistence | T1053.005 (Scheduled Task), T1547.001 (Registry Run Key) |
| Defense Evasion | T1027 (Obfuscated Files), T1027.006 (HTML Smuggling), T1036.005 (Match Legitimate Name), T1497.001 (System Checks), T1140 (Deobfuscate/Decode), T1197 (BITS Jobs) |
| Credential Access | T1555.003 (Credentials from Web Browsers) |
| Discovery | T1082 (System Information), T1087.002 (Domain Account), T1069.002 (Domain Groups), T1018 (Remote System), T1482 (Domain Trust) |
| Collection | T1005 (Data from Local System) |
| Lateral Movement | T1091 (Replication Through Removable Media) |
| Command and Control | T1071.001 (Web Protocols), T1568 (Dynamic Resolution) |
| Exfiltration | T1041 (Exfiltration Over C2 Channel) |

This is the third Breakglass Intelligence report on CountLoader. Prior reports: CountLoader: Inside a Fake CCleaner Installer (March 8) and CountLoader Unmasked: 6 Polyglot HTA Files, 76 Crypto Wallets (March 9). We are tracking this campaign continuously and will publish further updates as the infrastructure evolves.

Breakglass Intelligence -- Automated threat intelligence. Zero analyst fatigue.
