CountLoader HTML Smuggling Campaign — Breakglass Intelligence Report
TLP: WHITE
Date: 2026-03-11
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime — Loader/Dropper Distribution
Investigation Slug: summer-data-rar-march11
Executive Summary
A sample named Summer_Data_Primary_44.rar (SHA256: e27ff6646a2f98b81ea5da4d0d93127f0f3e68a5e6728f404724e388376ede84) submitted to MalwareBazaar on 2026-03-11 was identified as an active CountLoader HTML Application (HTA) payload disguised with a .rar file extension. The file is delivered via the typosquatting domain ccleaner[.]gl, impersonating the legitimate CCleaner software. This investigation uncovered a sprawling CountLoader campaign operating across 49+ domains, 6+ IP addresses spanning Moldova, Netherlands, Bulgaria, Germany, and Iran, with at least 25 unique samples observed in the last 72 hours alone. The campaign uses automated filename generation with randomized lure names and diverse file extensions (.rar, .pptx, .wav, .txt, .jpeg, .csv, .xml, .docx, .bin, .cfg, .webp, .mp4, .json, .ini, .jpg, .pdf, .xlsx, .bak) to evade detection, all containing identical HTA payloads that execute via mshta.exe. The infrastructure shows characteristics of a well-resourced cybercrime operation with bulletproof hosting in Moldova (AlexHost) and Bulgaria (Tamatiya EOOD/4vendeta).
Key Findings
- HTML Smuggling via HTA: File is text/html (HTA) disguised as .rar -- triggers mshta.exe execution with full system privileges
- Typosquatting: Delivery domain ccleaner[.]gl impersonates the legitimate CCleaner software (ccleaner.com), registered 2026-03-03 via NiceNIC (Chinese registrar)
- Campaign Scale: 25+ unique HTA samples with randomized filenames identified in 72 hours (March 9-11, 2026)
- 49+ domains in the CountLoader infrastructure, including numbered C2 domain series (alphazero[1-10]-endscape[.]cc, api-microservice-us[1-10][.]com, globalsnn[1-10]-new[.]cc)
- 6 confirmed C2/delivery IPs: 85[.]121[.]148[.]80 (AlexHost, Moldova), 78[.]128[.]114[.]182 (Tamatiya/4vendeta, Bulgaria), 178[.]255[.]222[.]234 (CloudBackbone, Estonia/NL), 65[.]21[.]174[.]205 (Hetzner, link-host.net), 194[.]76[.]226[.]162 (Servinga, Germany), 45[.]156[.]87[.]31 (RIPE/NL)
- Brand Impersonation Themes: CCleaner (ccleaner[.]gl), RARLab (s1-rarlab[.]com), Python (s3-python[.]cc, py-installer[.]cc), Telegram (updateservice1-telegramweb[.]com), Web3/DeFi (web3-walletnotify[.]cc, debank-api[.]cc)
- YARA Detection: Two community YARA rules match: CP_Script_Inject_Detector (code injection) and Sus_CMD_Powershell_Usage (obfuscated PowerShell/CMD)
- Blacklisted: Spamhaus DBL (malware_domain), SURBL (listed), Spamhaus HBL (suspicious)
- No VirusTotal detections at time of analysis -- 0/0 detection rate (sample not yet scanned), consistent with a brand-new campaign not yet covered by AV signatures
What Was Found vs. What Was Known
| Aspect | Prior Public Reporting | Our Findings |
|---|---|---|
| Infrastructure | ccleaner[.]gl + burning-edge[.]sbs (URLhaus) | 49+ domains across 5+ hosting providers, 6+ C2 IPs |
| Samples | 1 untagged sample on MalwareBazaar | 25+ tagged CountLoader samples, all HTA disguised |
| C2 Servers | 2 C2 IP:port entries on ThreatFox | 6 confirmed IPs, numbered domain rotation scheme |
| Attribution | None | Bulletproof hosting in Moldova (AlexHost) + Bulgaria (4vendeta), Chinese registrar |
| Naming Pattern | Not documented | Automated [Word]_[Word]_[Word]_[Number].[ext] lure generator |
| Campaign Timeline | March 2026 | Active since at least Feb 22, 2026; older infra (burning-edge.sbs) since Nov 2025 |
Attack Chain
[1] SEO Poisoning / Malvertising / Social Engineering
|
[2] Victim visits typosquat domain (e.g., ccleaner[.]gl)
|
[3] Browser downloads HTA file with deceptive extension (.rar, .pptx, .wav, etc.)
|
[4] Victim double-clicks file -> Windows associates .rar/.pptx -> handler fails
OR
[4a] File saved as .hta -> mshta.exe executes with full privileges (T1218.005)
|
[5] HTA contains obfuscated JavaScript/VBScript
|
[6] PowerShell/CMD commands execute (identified by YARA)
|
[7] Second-stage payload downloaded from C2 infrastructure
|
[8] CountLoader establishes persistence + C2 beacon
|
[9] Follow-on payload delivery (info-stealer, RAT, ransomware)
Infrastructure Analysis
Network Infrastructure
| IP | ASN/Provider | Country | Ports | Services | Role | Status |
|---|---|---|---|---|---|---|
| 85[.]121[.]148[.]80 | AlexHost SRL (CLOUDATAMD-MNT) | MD (Moldova) | Unknown | Unknown | Primary delivery (8+ domains) | LIVE |
| 78[.]128[.]114[.]182 | Tamatiya EOOD / 4vendeta | BG (Bulgaria) | 22, 80, 443 | Nginx, OpenSSH 8.2p1, Ubuntu | C2 (alphazero, globalsnn series) | LIVE |
| 178[.]255[.]222[.]234 | AS56971 / CloudBackbone | NL/EE (Estonia) | 22 | OpenSSH 8.4p1, Debian | ccleaner[.]gl delivery | LIVE |
| 65[.]21[.]174[.]205 | Hetzner / link-host.net | DE (Germany) | 21,22,53,80,110,143,443,465,587,993,995,1500,2083,3306 | Nginx 1.26.3, MySQL 8.0.41, Exim 4.98.2, PHP 8.0.30 | burning-edge[.]sbs hosting | LIVE |
| 194[.]76[.]226[.]162 | Servinga GmbH | DE (Germany) | Unknown | Unknown | C2 (port 7673) | LIVE |
| 45[.]156[.]87[.]31 | RIPE NCC region | NL | 80, 3389 | Nginx 1.24.0, RDP | C2 (port 443) | LIVE |
Domain Infrastructure — Delivery Domains
| Domain | Registrar | Created | IP | Purpose | Status |
|---|---|---|---|---|---|
| ccleaner[.]gl | NiceNIC International | 2026-03-03 | 178[.]255[.]222[.]234 | CCleaner typosquat delivery | LIVE |
| burning-edge[.]sbs | Unknown | Pre-2025-11 | 65[.]21[.]174[.]205 | Delivery | LIVE |
| s1-rarlab[.]com | Unknown | Unknown | 85[.]121[.]148[.]80 | RARLab impersonation | LIVE |
| s3-python[.]cc | Unknown | Unknown | 85[.]121[.]148[.]80 | Python impersonation | LIVE |
| py-installer[.]cc | Unknown | Unknown | 85[.]121[.]148[.]80 | Python installer impersonation | LIVE |
| node2-py-store[.]com | Unknown | Unknown | 85[.]121[.]148[.]80 | Python/Node impersonation | LIVE |
| updateservice1-telegramweb[.]com | Unknown | Unknown | 85[.]121[.]148[.]80 | Telegram impersonation | LIVE |
| web3-walletnotify[.]cc | Unknown | Unknown | 85[.]121[.]148[.]80 | Web3/DeFi impersonation | LIVE |
| magnusworkspace[.]com | Unknown | Unknown | 85[.]121[.]148[.]80 | Generic lure | LIVE |
| bigbrainsholdings[.]com | Unknown | Unknown | 85[.]121[.]148[.]80 | Generic lure | LIVE |
| debank-api[.]cc | Unknown | Unknown | N/A | DeFi/DeBank impersonation | OFFLINE |
| forest-entity[.]cc | Unknown | Unknown | 78[.]128[.]114[.]182 | C2/Delivery | LIVE |
Domain Infrastructure — C2 Domains (Numbered Series)
| Domain Series | Active IPs | Count | Purpose |
|---|---|---|---|
| alphazero[N]-endscape[.]cc (N=1-10) | 78[.]128[.]114[.]182 (N=1) | 11 domains | C2 rotation pool |
| api-microservice-us[N][.]com (N=1-10) | 78[.]128[.]114[.]182 (N=1) | 10 domains | C2 rotation pool |
| globalsnn[N]-new[.]cc (N=1-10) | 78[.]128[.]114[.]182 (N=1-3) | 11 domains | C2 rotation pool |
| critical-service[.]cc | N/A | 1 domain | C2 (offline) |
| immortal-service[.]cc | 45[.]153[.]34[.]55 | 1 domain | C2 |
| fileless-market[.]cc | 94[.]26[.]106[.]112 | 1 domain | C2 |
| indeanapolice[.]cc | 94[.]183[.]233[.]21 | 1 domain | C2 (misspelled "Indianapolis") |
Certificate Analysis
ccleaner[.]gl Certificates:
- Sectigo DV wildcard cert issued 2026-03-03 (serial: 00f9da74f4d6b769bf104e0afe1c3376dc) -- covers *.ccleaner[.]gl
- Let's Encrypt E8 wildcard cert issued 2026-03-03 (serial: 063d130930bee27268fa29136fc012ec5a6d)
- Let's Encrypt E8 cert renewed 2026-03-11 (serial: 068615d2dad25998f654eb5a53c228f695be) -- domain-only, no wildcard
- Both Sectigo AND Let's Encrypt certificates obtained simultaneously on registration day -- indicates automated certificate provisioning
- Certificate renewal on 2026-03-11 suggests infrastructure rotation or reconfiguration
burning-edge[.]sbs Certificates:
- Let's Encrypt R12/R13 certificates dating back to 2025-11-11 -- older infrastructure component
- Most recent renewal: 2026-03-11 -- still actively maintained
Hosting Analysis
| Provider | IPs | Country | Reputation |
|---|---|---|---|
| AlexHost SRL (CLOUDATAMD-MNT) | 85[.]121[.]148[.]80 | Moldova | Known bulletproof hoster, frequently appears in malware campaigns |
| Tamatiya EOOD / 4vendeta (TAMATYA-MNT) | 78[.]128[.]114[.]182 | Bulgaria | Bulletproof hosting, abuse-resistant |
| CloudBackbone (AS56971) | 178[.]255[.]222[.]234 | Estonia/Netherlands | Offshore hosting |
| Hetzner / link-host[.]net | 65[.]21[.]174[.]205 | Germany | Shared hosting reseller |
| Servinga GmbH | 194[.]76[.]226[.]162 | Germany | Hosting provider |
Malware Analysis
Sample Details
| Field | Value |
|---|---|
| Filename | Summer_Data_Primary_44.rar |
| SHA256 | e27ff6646a2f98b81ea5da4d0d93127f0f3e68a5e6728f404724e388376ede84 |
| SHA1 | 864c8e5c8b35259b3c1bba92b3cd082c53179105 |
| MD5 | 97d7e925fa706e94e74986ca116baa53 |
| TLSH | T1E3B3019D098E8CE9CB1F2028551F5D0B998EA3130B1DC9907BDFBE553F22CB571AA9D0 |
| SSDeep | 1536:iAAx4vi7h/VNAOAV1uhy8iSPJ8rfznbj79ubTF3F:+DU1u2znbjxubTb |
| File Size | 114,641 bytes |
| MIME Type | text/html |
| Magika Detection | html |
| URLhaus Type | hta |
| Signature | CountLoader (not tagged on sample, confirmed via URLhaus) |
| Delivery Method | web_download |
| Origin Country | DE (Germany) |
| First Seen | 2026-03-11 21:09:53 UTC |
| Downloads | 36 (at time of analysis) |
Filename Pattern Analysis
The campaign uses an automated filename generator following the pattern: [Word1]_[Word2]_[Word3]_[Number].[Extension]
Word Pool (observed): Summer, Data, Primary, Quantum, Session, Winter, Report, Draft, Video, Home, Global, Project, Release, Finance, Gamma, Config, External, Notes, Monthly, User, Archive, Raw, Photos, Daily, Omega, NewYork, Meeting, Temp, Fusion, Images, Travel, Europe, Dataset, Final, Sales, Core, Invoice, Beta, Journal, Delta, Holiday, Moscow, Nova, Design, Work, Backup, Clean
Extension Pool (observed): .rar, .pptx, .wav, .txt, .jpeg, .csv, .xml, .docx, .bin, .cfg, .webp, .mp4, .json, .ini, .jpg, .pdf, .xlsx, .bak
This randomization serves multiple purposes:
- Evade hash-based detection -- every sample has unique content
- Evade filename-based rules -- no consistent filename pattern
- Social engineering -- diverse filenames match diverse lure contexts
- Bypass email filters -- randomized names avoid pattern matching
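The generator shape above can be turned into a triage rule for download names. The following Python is an added example written for this report, not tooling from the campaign analysis; the word pool, extension pool and size band are the ones listed above, and the decision rule (extension in the pool plus at least two pooled words) is an assumption chosen to keep ordinary names such as Budget_Report_2024.xlsx out of the hit list:

```python
import re

# Observed lure vocabulary, copied from the report's Word Pool and Extension Pool.
WORD_POOL = {
    "Summer", "Data", "Primary", "Quantum", "Session", "Winter", "Report", "Draft",
    "Video", "Home", "Global", "Project", "Release", "Finance", "Gamma", "Config",
    "External", "Notes", "Monthly", "User", "Archive", "Raw", "Photos", "Daily",
    "Omega", "NewYork", "Meeting", "Temp", "Fusion", "Images", "Travel", "Europe",
    "Dataset", "Final", "Sales", "Core", "Invoice", "Beta", "Journal", "Delta",
    "Holiday", "Moscow", "Nova", "Design", "Work", "Backup", "Clean",
}
EXT_POOL = {"rar", "pptx", "wav", "txt", "jpeg", "csv", "xml", "docx", "bin", "cfg",
            "webp", "mp4", "json", "ini", "jpg", "pdf", "xlsx", "bak"}
# Size band of the 25 related samples in the report (bytes); a corroborating signal only.
SIZE_BAND = (111_758, 127_112)

# Two generator shapes appear in the sample table: Word_Word_Word_1234.ext and
# Word_Word_v1.2.ext. A word slot can be empty (Video_Home__93.txt) or a single
# letter (Travel_X_Config_917.wav), so each slot is zero-or-more letters.
LURE_RE = re.compile(
    r"^(?P<words>[A-Za-z]*(?:_[A-Za-z]*){1,3})_(?P<tail>\d{1,5}|v\d+\.\d+)"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def triage_filename(filename, size=None):
    """Score a download name against the CountLoader lure generator.

    Returns (is_lure, reasons). Shape alone is weak evidence (Budget_Report_2024.xlsx
    is a plausible real file), so a hit needs an extension from the observed pool
    and at least two words from the observed vocabulary (assumed threshold).
    """
    m = LURE_RE.match(filename)
    if not m:
        return False, ["name does not fit [Word]_[Word]_[Word]_[Number].[ext]"]
    reasons = ["fits generator shape"]
    words = [w for w in m.group("words").split("_") if w]
    known = [w for w in words if w in WORD_POOL]
    ext = m.group("ext").lower()
    if ext in EXT_POOL:
        reasons.append(f"extension .{ext} in observed pool")
    if known:
        reasons.append(f"{len(known)}/{len(words)} words in observed pool: {', '.join(known)}")
    if size is not None and SIZE_BAND[0] <= size <= SIZE_BAND[1]:
        reasons.append(f"size {size} bytes inside observed 111-127 KB band")
    return ext in EXT_POOL and len(known) >= 2, reasons


if __name__ == "__main__":
    # Names from the report's related-samples table plus two benign controls.
    for name, size in [("Summer_Data_Primary_44.rar", 114_641),
                       ("Report_Draft_v5.3.wav", 111_758),
                       ("Video_Home__93.txt", 125_275),
                       ("Budget_Report_2024.xlsx", 48_210),
                       ("invoice.pdf", 90_000)]:
        verdict, why = triage_filename(name, size)
        print(f"{'LURE' if verdict else 'ok  '} {name}: {'; '.join(why)}")
```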
Behavioral Indicators (from YARA matches)
- Code Injection (CP_Script_Inject_Detector): The HTA payload injects code into another process
- PowerShell/CMD Abuse (Sus_CMD_Powershell_Usage): Contains obfuscated PowerShell or CMD commands
- mshta.exe Execution: Confirmed by URLhaus ua-mshta tag -- payload is designed to execute in the mshta.exe context
Vendor Intelligence
| Vendor | Assessment |
|---|---|
| Spamhaus HBL | Suspicious |
| Spamhaus DBL | malware_domain (ccleaner[.]gl) |
| SURBL | Listed (ccleaner[.]gl) |
| CERT-PL MWDB | Indexed |
| InQuest | No verdict |
| VirusTotal | 0/0 detections (NOT YET SCANNED -- brand new) |
Related Samples (25 CountLoader HTA samples, March 9-11 2026)
| SHA256 | Filename | Size | First Seen |
|---|---|---|---|
| e27ff664... | Summer_Data_Primary_44.rar | 114,641 | 2026-03-11 21:09 |
| d0ebabd4... | Quantum_Session_Winter_9936.pptx | 125,445 | 2026-03-11 08:25 |
| 4f21bd26... | Report_Draft_v5.3.wav | 111,758 | 2026-03-11 02:41 |
| 09dca286... | Video_Home__93.txt | 125,275 | 2026-03-10 21:38 |
| 0ada96fe... | Global_Project_Release_6060.jpeg | 127,112 | 2026-03-10 16:12 |
| db469e31... | External_Notes_Monthly_3626.txt | 123,925 | 2026-03-10 15:42 |
| 7c7f0a3d... | User_Archive_Raw_3885.xlsx | 123,060 | 2026-03-10 15:29 |
| d44e68bd... | Quantum_Project_Canada_9531.json | 125,125 | 2026-03-10 14:18 |
| 4f92cd75... | Finance_Gamma_Config_487.webp | 123,138 | 2026-03-10 09:31 |
| e867b6ea... | Travel_X_Config_917.wav | 124,578 | 2026-03-09 21:30 |
| 084dbd55... | Europe_Dataset_Final_334.ini | 122,957 | 2026-03-09 21:18 |
| 31ee0d6b... | Sales_Core_Data_518.csv | 121,363 | 2026-03-09 21:14 |
| 4c44bd2c... | Photos_Daily_v3.0.xml | 124,394 | 2026-03-09 20:59 |
| b959663a... | Omega_Data_NewYork_2087.xml | 125,104 | 2026-03-09 20:42 |
| 4b044b4e... | Meeting_Photos_Temp_6194.mp4 | 123,596 | 2026-03-09 20:34 |
| 3297233d... | User_Fusion_Images_997.cfg | 125,018 | 2026-03-09 20:15 |
| 1b9115b9... | Archive_Draft_v3.6.pptx | 123,058 | 2026-03-09 14:15 |
| 06a3c6c9... | Invoice_Beta_v4.8.jpg | 125,393 | 2026-03-09 08:03 |
| 47fe8a5f... | Journal_Raw_v2.9.webp | 126,059 | 2026-03-09 08:03 |
| a00975ac... | Delta_Dataset_Holiday_2082.bak | 121,505 | 2026-03-09 08:03 |
| a54bc8b9... | Delta_Journal_Moscow_6150.ini | 125,196 | 2026-03-09 08:03 |
| 0d24a35b... | NewYork_Release_Temp_153.docx | 123,306 | 2026-03-09 08:03 |
| 846380ab... | Design_Quantum_Video_584.docx | 124,612 | 2026-03-09 08:03 |
| 0b7aaef1... | Fusion_Document_Europe_6517.bin | 124,044 | 2026-03-09 08:03 |
| 40e61e80... | Nova_Data_NewYork_5969.xml | 125,254 | 2026-03-09 08:03 |
| d763d05f... | Work_Backup_Clean_4396.pdf | 114,293 | 2026-03-09 07:42 |
Sample size range: 111,758 - 127,112 bytes (mean ~123 KB) -- consistent with templated HTA generation with variable padding/obfuscation.
Threat Actor Profile
Attribution Assessment
- Confidence: MEDIUM
- Country/Region: Eastern Europe (Moldova, Bulgaria) / possible Russian-speaking nexus
- Evidence:
- Primary hosting in Moldova (AlexHost) and Bulgaria (Tamatiya/4vendeta) -- both known for hosting cybercrime infrastructure
- Domain indeanapolice[.]cc contains the misspelling "Indeanapolice" (Indianapolis) -- non-native English speaker
- Sample filename Delta_Journal_Moscow_6150.ini includes "Moscow" -- possible geographic reference
- Chinese registrar (NiceNIC) used for ccleaner[.]gl -- common in Eastern European cybercrime for domain registration
- Numbered domain series pattern (alphazero[1-10], api-microservice-us[1-10], globalsnn[1-10]) indicates automated infrastructure generation -- characteristic of organized cybercrime operations
- Motivation: Financial (loader-as-a-service / pay-per-install model)
- Sophistication: MEDIUM-HIGH -- automated sample generation, multi-domain C2 rotation, brand impersonation, bulletproof hosting, but OPSEC failures in domain naming
Actor Operational Patterns
- Infrastructure Rotation: New domains activated in waves (Feb 22 -> Mar 1 -> Mar 7 -> Mar 9-11)
- C2 Resilience: Numbered domain series with only 1-3 active at any time -- remaining dormant as fallbacks
- Brand Diversity: Impersonates CCleaner, RARLab, Python, Telegram, Web3/DeFi platforms -- targets developer and crypto audiences
- Hosting Diversity: Distributes infrastructure across 5+ countries (MD, BG, NL, EE, DE)
- Sample Volume: 25+ samples in 72 hours suggests automated build pipeline
OPSEC Failures
- Misspelled domain: indeanapolice[.]cc -- "Indeana" instead of "Indiana"
- Moscow reference in filename: Geographic leak in auto-generated filenames
- Consistent file size range: 111-127 KB range across all samples enables size-based heuristic detection
- Shared IP hosting: 8+ domains on single IP (85[.]121[.]148[.]80) enables single-pivot mapping of full infrastructure
- All samples untagged on initial upload: Suggests automated MalwareBazaar submission pipeline or honeypot catch, not manual analysis
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | 49+ malicious domains registered |
| Resource Development | Stage Capabilities: Upload Malware | T1608.001 | HTA payloads staged on delivery domains |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Links to typosquat domains distributed |
| Initial Access | Drive-by Compromise | T1189 | Typosquat domains serve malicious downloads |
| Execution | System Binary Proxy Execution: Mshta | T1218.005 | HTA payload executes via mshta.exe |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Obfuscated PowerShell in HTA payload |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | CMD commands in HTA payload |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | JavaScript embedded in HTA |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | Files named .rar/.pptx/.wav to appear legitimate |
| Defense Evasion | Masquerading: Double File Extension | T1036.007 | HTML content with non-HTML extensions |
| Defense Evasion | Obfuscated Files or Information | T1027 | Obfuscated JavaScript/PowerShell |
| Defense Evasion | HTML Smuggling | T1027.006 | HTML file disguised as archive/document |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | C2 over HTTP/HTTPS |
| Command and Control | Dynamic Resolution: Domain Generation | T1568.002 | Numbered domain series for C2 rotation |
IOC Summary
Network Indicators — Delivery Domains (Defanged)
Network Indicators — C2 Domains (Defanged)
Network Indicators — IP Addresses (Defanged)
85[.]121[.]148[.]80 (AlexHost, Moldova — primary delivery)
78[.]128[.]114[.]182 (Tamatiya/4vendeta, Bulgaria — C2)
178[.]255[.]222[.]234 (CloudBackbone, Estonia/NL — ccleaner[.]gl)
65[.]21[.]174[.]205 (Hetzner/link-host, Germany — burning-edge[.]sbs)
194[.]76[.]226[.]162:7673 (Servinga, Germany — C2)
45[.]156[.]87[.]31:443 (NL — C2)
45[.]153[.]34[.]55 (immortal-service[.]cc)
94[.]26[.]106[.]112 (fileless-market[.]cc)
94[.]183[.]233[.]21 (indeanapolice[.]cc)
File Indicators — Primary Sample
SHA256: e27ff6646a2f98b81ea5da4d0d93127f0f3e68a5e6728f404724e388376ede84
SHA1: 864c8e5c8b35259b3c1bba92b3cd082c53179105
MD5: 97d7e925fa706e94e74986ca116baa53
TLSH: T1E3B3019D098E8CE9CB1F2028551F5D0B998EA3130B1DC9907BDFBE553F22CB571AA9D0
SSDeep: 1536:iAAx4vi7h/VNAOAV1uhy8iSPJ8rfznbj79ubTF3F:+DU1u2znbjxubTb
File Indicators — Related Samples (SHA256)
TLS Certificate Serials
068615d2dad25998f654eb5a53c228f695be (LE E8, ccleaner[.]gl, 2026-03-11)
050108b42309c4c0f00e8e599febd1f188dd (LE E8, ccleaner[.]gl, 2026-03-03)
063d130930bee27268fa29136fc012ec5a6d (LE E8, *.ccleaner[.]gl, 2026-03-03)
00f9da74f4d6b769bf104e0afe1c3376dc (Sectigo DV, *.ccleaner[.]gl, 2026-03-03)
Recommended Actions
Immediate (24-48 hours)
- Block all IOC domains and IPs at perimeter firewalls, DNS sinkholes, and web proxies
- Add YARA rules (below) to endpoint detection platforms
- Deploy Suricata rules (below) on network sensors
- Search email logs for links to any CountLoader delivery domains
- Hunt for mshta.exe executions in EDR logs -- especially mshta.exe launching with network connections to the listed C2 IPs
- Search proxy/DNS logs for connections to any of the 49+ listed domains
- Alert SOC to monitor for .rar, .pptx, .wav files with text/html MIME type (Content-Type mismatch detection)
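To hunt DNS or proxy logs for the numbered C2 series and the delivery domains, the defanged patterns from the infrastructure tables can be expanded into a concrete blocklist that also catches subdomains. This Python is an added example, not part of the report; the log format (space-separated timestamp, client, qname, qtype) and the log lines themselves are constructed for illustration:

```python
import re

# Domains and numbered series as listed in the report's tables (defanged form kept).
DELIVERY_DOMAINS = [
    "ccleaner[.]gl", "burning-edge[.]sbs", "s1-rarlab[.]com", "s3-python[.]cc",
    "py-installer[.]cc", "node2-py-store[.]com", "updateservice1-telegramweb[.]com",
    "web3-walletnotify[.]cc", "magnusworkspace[.]com", "bigbrainsholdings[.]com",
    "debank-api[.]cc", "forest-entity[.]cc",
]
C2_PATTERNS = [
    "alphazero[1-10]-endscape[.]cc", "alphazero-endscape[.]cc",
    "api-microservice-us[1-10][.]com", "globalsnn[1-10]-new[.]cc", "globalsnn-new[.]cc",
    "critical-service[.]cc", "immortal-service[.]cc", "fileless-market[.]cc",
    "indeanapolice[.]cc",
]
RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")


def expand(pattern):
    """Refang '[.]' and expand a '[lo-hi]' numeric series into concrete hostnames."""
    pattern = pattern.replace("[.]", ".").lower()
    m = RANGE_RE.search(pattern)
    if not m:
        return [pattern]
    lo, hi = int(m.group(1)), int(m.group(2))
    return [pattern[:m.start()] + str(n) + pattern[m.end():] for n in range(lo, hi + 1)]


def build_blocklist(patterns):
    hosts = set()
    for p in patterns:
        hosts.update(expand(p))
    return hosts


def matches(qname, blocklist):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    while q:
        if q in blocklist:
            return q
        q = q.partition(".")[2]   # drop the leftmost label and retry
    return None


def hunt(log_text, blocklist):
    """Scan 'timestamp client qname qtype' lines; return (ts, client, qname, listed) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        listed = matches(parts[2], blocklist)
        if listed:
            hits.append((parts[0], parts[1], parts[2], listed))
    return hits


# Constructed DNS query log (not from the report): a benign CCleaner lookup, three
# campaign domains, a benign API lookup, and a subdomain of a lure domain.
SAMPLE_LOG = """\
2026-03-11T09:12:01Z 10.20.30.41 www.ccleaner.com A
2026-03-11T09:14:22Z 10.20.30.41 ccleaner.gl A
2026-03-11T09:14:23Z 10.20.30.41 alphazero3-endscape.cc A
2026-03-11T09:15:07Z 10.20.30.52 globalsnn10-new.cc A
2026-03-11T09:16:40Z 10.20.30.52 api.github.com A
2026-03-11T09:17:55Z 10.20.30.77 update.updateservice1-telegramweb.com A
"""

if __name__ == "__main__":
    for ts, client, qname, listed in hunt(SAMPLE_LOG, build_blocklist(DELIVERY_DOMAINS + C2_PATTERNS)):
        print(f"{ts} {client} queried {qname} (matches {listed})")
```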
Short-term (1-2 weeks)
- Submit abuse reports to AlexHost (Moldova), Tamatiya/4vendeta (Bulgaria), and CloudBackbone (Estonia) for infrastructure takedown
- Report to NiceNIC registrar for ccleaner[.]gl domain suspension
- Report to CCleaner/Piriform brand protection team about typosquat domain
- Monitor CT logs for new certificates issued to CountLoader-associated domain patterns
- TLSH fuzzy matching across incoming samples to detect new CountLoader variants (threshold: distance < 150)
Medium-term (1-3 months)
- Implement MIME-type checking at email gateway and web proxy -- flag downloads where Content-Type does not match file extension
- Block .hta file execution via Group Policy or application control (most organizations never need mshta.exe)
- Deploy browser extension/policy to warn on .gl and .sbs TLDs (commonly abused)
- Monitor MalwareBazaar and ThreatFox for new CountLoader submissions
- Investigate follow-on payloads -- CountLoader is a first-stage loader, determine what second-stage payloads are being deployed (likely info-stealers such as Lumma, Vidar, or RedLine)
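The Content-Type mismatch monitoring from the immediate actions and the MIME-type checking recommended above can be implemented as a magic-byte comparison against the declared extension, with an explicit check for HTML/HTA markup inside a non-HTML file. This Python is an added example, not tooling from the report; the signature table and the sample file heads (an inert HTA skeleton with no payload, a RAR5 header, a ZIP local-file header) are constructed here:

```python
# Expected magic bytes for the extensions the campaign abuses (constructed table;
# each entry lists (offset, bytes) pairs that must all match). Plain-text formats
# (.txt .csv .json .xml .ini .cfg .bak) and raw .bin have no fixed signature, so
# for those only the markup and Content-Type checks apply.
MAGIC = {
    "rar": [(0, b"Rar!\x1a\x07")],
    "pptx": [(0, b"PK\x03\x04")], "docx": [(0, b"PK\x03\x04")], "xlsx": [(0, b"PK\x03\x04")],
    "pdf": [(0, b"%PDF-")],
    "jpg": [(0, b"\xff\xd8\xff")], "jpeg": [(0, b"\xff\xd8\xff")],
    "wav": [(0, b"RIFF"), (8, b"WAVE")],
    "webp": [(0, b"RIFF"), (8, b"WEBP")],
    "mp4": [(4, b"ftyp")],
}
MARKUP_EXTS = {"html", "htm", "hta"}
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<hta:application")


def looks_like_html(head):
    """True if the first 4 KB (BOM/whitespace stripped, lowercased) contain HTML/HTA tags."""
    sample = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()[:4096]
    return any(marker in sample for marker in HTML_MARKERS)


def check_download(filename, head, content_type=None):
    """Classify a download as OK, MISMATCH or UNKNOWN.

    head is the first few KB of the body; content_type is the server's Content-Type
    header when the caller has it (proxy or mail-gateway use).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MARKUP_EXTS:
        return "OK", f".{ext} is a declared markup extension"
    if content_type and content_type.split(";")[0].strip().lower() == "text/html":
        return "MISMATCH", f"Content-Type text/html served for .{ext}"
    if looks_like_html(head):
        return "MISMATCH", f"HTML/HTA markup inside .{ext} body (HTA smuggling pattern)"
    sig = MAGIC.get(ext)
    if sig is None:
        return "UNKNOWN", f"no fixed signature for .{ext}; only markup/Content-Type checks apply"
    if all(head[off:off + len(magic)] == magic for off, magic in sig):
        return "OK", f"body carries the .{ext} signature"
    return "MISMATCH", f"body lacks the .{ext} signature"


# Constructed sample heads (not real campaign content): an inert HTA skeleton with
# no payload, a RAR5 signature, and a ZIP local-file header as used by .pptx/.docx/.xlsx.
FAKE_HTA_HEAD = (b'<html><head><hta:application id="app"></head>'
                 b"<body><script>/* placeholder, no payload */</script></body></html>")
RAR_HEAD = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24
ZIP_HEAD = b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24

if __name__ == "__main__":
    for name, head, ctype in [("Summer_Data_Primary_44.rar", FAKE_HTA_HEAD, "text/html"),
                              ("Quantum_Session_Winter_9936.pptx", FAKE_HTA_HEAD, None),
                              ("archive.rar", RAR_HEAD, "application/x-rar-compressed"),
                              ("deck.pptx", ZIP_HEAD, None),
                              ("notes.txt", b"plain text\n", "text/plain")]:
        print(name, *check_download(name, head, ctype))
```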
Abuse Reports
AlexHost SRL (Moldova) — 85[.]121[.]148[.]80
To: abuse@alexhost.com
Subject: Active malware delivery infrastructure on 85.121.148.80
Dear AlexHost Abuse Team,
The IP address 85.121.148.80 in your network is hosting active CountLoader
malware delivery infrastructure. At least 8 domains resolving to this IP are
distributing malicious HTA files disguised as legitimate software downloads.
Domains: s1-rarlab.com, s3-python.cc, py-installer.cc, node2-py-store.com,
updateservice1-telegramweb.com, web3-walletnotify.cc, magnusworkspace.com,
bigbrainsholdings.com
Evidence: URLhaus (abuse.ch), ThreatFox IOCs, MalwareBazaar samples
Reference: https://urlhaus.abuse.ch/host/ccleaner.gl/
Please investigate and take appropriate action.
TELE Greenland / NiceNIC — ccleaner[.]gl
To: gl-admin@telepost.gl
Subject: Typosquatting/malware domain: ccleaner.gl
The domain ccleaner.gl (Registry Domain ID: D627609486-CNIC) registered
2026-03-03 is being used to distribute CountLoader malware by impersonating
the legitimate CCleaner software (ccleaner.com).
This domain is listed on Spamhaus DBL as malware_domain and on SURBL.
URLhaus reference: https://urlhaus.abuse.ch/url/3791619/
Please suspend this domain immediately.
References
- MalwareBazaar: hxxps://bazaar[.]abuse[.]ch/sample/e27ff6646a2f98b81ea5da4d0d93127f0f3e68a5e6728f404724e388376ede84/
- URLhaus: hxxps://urlhaus[.]abuse[.]ch/url/3791619/
- URLhaus Host: hxxps://urlhaus[.]abuse[.]ch/host/ccleaner[.]gl/
- ThreatFox CountLoader IOCs: hxxps://threatfox[.]abuse[.]ch/browse/malware/win.count_loader/
- Malpedia: hxxps://malpedia[.]caad[.]fkie[.]fraunhofer[.]de/details/win.count_loader
- CERT-PL MWDB: hxxps://mwdb[.]cert[.]pl/sample/e27ff6646a2f98b81ea5da4d0d93127f0f3e68a5e6728f404724e388376ede84/
- crt.sh ccleaner[.]gl: hxxps://crt[.]sh/?q=ccleaner.gl
GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."