
Sinkholing CountLoader: Insights into Its Recent Campaign

ID: 89c39142-efed-5170-9794-9010bbadeb7b

STIX ID: report--89c39142-efed-5170-9794-9010bbadeb7b

Feed Name: McAfee Labs Blog

Threat Score
78/100

Date Published: 2026-05-13

Date Updated: 2026-05-13

Author: McAfee Labs

...
...

McAfee Labs uncovered a large-scale CountLoader campaign that uses a multi-stage obfuscation chain (EXE → PowerShell → obfuscated HTA/JavaScript launched via mshta → PowerShell packer → injector → in-memory shellcode) to establish persistence, evade security controls (disabling AMSI), and contact encrypted C2 servers. The campaign deployed a cryptocurrency clipper that hijacks wallet addresses in the clipboard, spread via USB shortcut files, and had broad global reach (≈86,000 unique infections, ~5,000 connections/min, ~9,000 via removable media). The report includes extensive IOCs, and a sinkholed backup domain was used to gather telemetry.
