PULSE NAME
IOC - Sinkholing CountLoader: Insights into Its Recent Campaign
WHITE celestre 2026-05-20 Modified: 2026-05-20
51 IOCs
HIGH VOLUME
McAfee Labs has recently uncovered a large-scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence on infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in-memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers.
Indicators of Compromise (51)